Since the COVID-19 pandemic began to spread throughout much of the world, I’ve covered how this slowly unfolding catastrophe will impact the business climate of information security, why cost-saving reductions in network defense may be deeply undesirable, and how responses to certain actions in a pandemic landscape will be difficult to say the least. One perspective missing, although it has been hinted at in some of the above items, is that of the cyber adversary through a period of uncertainty and crisis.
Two broad schools of thought seem to exist on this matter. First, that offensive actors in the cyber environment are part of societies as much as anyone else, and will need to adhere to declarations of social distancing, “work from home”, and other items. Failing to do so would mean concentrating risk of contagion and erosion of force through illness, which appears to be an undesirable outcome for long-term strategic cyber success. The second, is that cyber operations (whether state-sponsored or -directed, or criminal) will continue as the underlying reasons behind such activity have not evaporated with the pandemic – and some aspects may even accelerate given either intelligence requirements or perceived opportunities.
The truth of the matter lies somewhere in between the extremes above. Cyber operations – whether criminal or state-directed – will continue, but given the scope and severity of current events it would be highly unlikely for there to be no noticeable effect on operations. In the case of operations that are largely remote with primarily “virtual” links between entities, such as may hold in many cybercrime operations, SARS-CoV-19 related impacts may be minimal or nonexistent. For more traditional state-directed or -sponsored operations, “classic” structures such as watchfloors, “remote operations centers”, and similar physical structures (used for purposes ranging from security to infrastructure requirements to coordination and planning) will certainly experience an impact. But as anyone who has driven by the huge parking lots adjacent to various US intelligence community buildings in times of blizzards, government shutdowns, or similar operationally-impacting events has noticed, the number of cars present is far smaller but it is definitely not zero.
Essential, critical operations will continue within the state realm, as the impetus for such activity has not been eliminated. Such operations may occur at a reduced rate or absent typical support personnel due to needs for social distancing or the quarantining of sick staff. But they will continue nonetheless for reasons ranging from necessity to maintain certain types of access and operations for national security reasons, to focused activity relevant to the current crisis, and perhaps most interestingly for opportunistic reasons to take advantage of circumstances.
The Show Must Go On
While it may seem silly or reckless for organizations to continue on roughly “as normal” in times of global crisis such as the present, in many cases this is either unavoidable or necessary. To use an example, while circumstances are bad (and likely getting worse) for many at the time of this writing, modern civilization still demands water flow from the taps and electricity to move over power lines. While there may be some changes in how these operations take place – such as sequestering vital personnel on-site to avoid contact with other people – there is no question that such operations can and must still occur.
Although removed from the “normal” life of many, the same applies to national security and intelligence operations. Although times may be increasingly difficult and challenging – such as maintaining capabilities and readiness in the face of a rapidly-spreading pandemic – the “show” must still go on. Priorities may shift somewhat, but the need to keep an eye on an adversary’s military (or cyber) forces, or ascertain political and strategic decisions of other government leaders will remain – and in some cases may even increase dramatically, as described in the following sections.
Most likely responses to challenges such as a pandemic or similar crisis would be reduction in manning and staffing so that only critical functions take place. Within the context of cyber-nexus espionage operations, which are (relatively) efficient in terms of manpower compared to more classic HUMINT actions, one might expect certain missions to decline in importance or resourcing, while others are boosted to make up for shortfalls in other collection areas.
For example, many governments remain focused on counter-terrorism operations even with the current pandemic. Tracking leadership figures, identifying planning and coordination, and maintaining access to networks of interest all require persistent engagement from multiple intelligence assets. Yet as the pandemic continues to gather steam, the ability to do so given the requirements of social distancing and other disease-focused countermeasures will be significantly curtailed in certain disciplines. Thus, not only will SIGINT-focused efforts (such as cyber) remain a key item of the overall intelligence operation, but they may even increase in resourcing and staffing to make up for shortfalls elsewhere.
Targeted Activity in Healthcare
Related to the above observation on the required continuity of espionage (and other) operations is the emergence of new intelligence requirements as a result of events. The COVID-19 pandemic represents a near-existential threat to every country on the planet, for the obvious health reasons but also in terms of economic activity and potentially regime stability as well. Based on the risks involved, every government on the planet should be expected to allocate resources to understanding not only how circumstances may impact their own state, but also directing efforts to determine how others are responding as well.
Toward this end, we have already seen disclosures of Iranian-linked activity targeting the World Health Organization. While some breathless (and bad) media reporting framed this activity as an “attack”, what little public information exists suggests the operation was limited to email compromise for initial network access. Given that Iran has suffered one of the worst COVID-19 related outbreaks (potentially exacerbated by the regime’s isolation due to US-directed sanctions), Iranian state functionality – if not survival – would appear to be at risk.
In light of such significant potential impacts, I would completely understand the Iranian regime seeking to gather as much information from as many sources as possible on COVID-19 research, responses, and the work of other countries and international bodies. Hell, if I were them, that is exactly what I would do in this situation. And while one could (rightly) caution this as so much mirror imaging, the conclusion appears relatively sound given the circumstances and extent of activity observed to date.
And on this matter, Iran is hardly alone in wanting access to such information for reasons ranging from self-preservation through the continued need to understand real and potential adversaries. I would personally be incredibly shocked if there were no US-directed activity at the People’s Republic of China (PRC) to better understand that country’s response to COVID-19 (and the scope of any potential coverup of the pandemic’s extent and impact). Similarly, if PRC is not actively attempting to penetrate health and government organization networks in the US and Europe, I would not only be surprised but I would also charge the relevant spymasters and cyber operational directors with negligence given the intelligence value of such activities in the present environment.
Note that none of the above extends to activity such as active disruption of responses to COVID-19. That sort of action would be intensely provocative and, given the obvious and direct impact on the lives of civilians, in violation of a host of norms and understandings of international law. Yet intelligence collection to both learn how other countries are coping with the event and to identify best practices to deal with it (or failures of others that are best avoided) seems not just reasonable but necessary in the classic execution of state- and spycraft. Even if other cyberespionage activity were to diminish greatly, one should anticipate COVID-19 focused information gathering to increase dramatically.
Opportunistic Operations in Times of Chaos
Lastly and most interestingly, the COVID-19 pandemic offers opportunities for those looking to expand operations or take advantage of certain circumstances. As one might remember from certain popular television shows, chaos can be viewed as a ladder. While intelligence agencies will likely maintain many aspects of their operations (along with criminal enterprises as well), the COVID-19 pandemic and its subsequent economic earthquakes are dramatically upending operations and security at many organizations.
To cope with the impacts of social distancing while trying to maintain some semblance of functionality, many organizations have moved toward increased remote access and remote work. In the process, relevant infrastructure becomes overtasked, corners are cut, and configurations and devices that once would have been rejected as insecure are pressed into service to meet immediate needs. Thus items that would give many security teams heartburn – from split-tunnel VPNs to use of personal machines for company work to the rapid adoption of untested teleconference platforms for sensitive collaboration – are quickly provisioned or enabled to keep the business afloat in hard times.
Opportunities abound to take advantage of quickly implemented, improperly or minimally hardened remote practices to facilitate intrusion and collection activity. Given the newfound ease of access and expansion of possible weakly defended targets as endpoints migrate from behind corporate security controls to sitting on consumer home networks, any cyberespionage entity paying attention would be foolish or negligent not to take advantage of the situation. Even if operations are limited just to initial access operations (compromising accounts, collecting authentication information, and establishing initial points of access) for future follow-on exploitation, significant scope exists to profoundly improve overall collection posture.
Additionally, adversaries have already learned and shown a willingness to exploit the network infrastructure making remote and distributed work possible. From network infrastructure compromise through “+1 day” VPN exploitation to continuing attacks on DNS and routing protocols, adversaries already know how to operate in this environment. With the increasing movement towards remote and distributed work, the effectiveness and scope of these attack types increases directly with the expansion of organizational attack surface, further facilitating the rapid expansion of access at targets of interest.
Given circumstances and operational dislocation, security teams are ill-placed to respond to these sort of events, let alone prevent them. Furthermore, the migration of traffic, hosts, and other items of interest from company-owned resources to employee-owned devices and networks means the scope for activity and defensive monitoring is also significantly reduced. Adversaries thus find themselves in a uniquely permissive “happy time” where operations are easier to conduct and defenders find themselves significantly limited in response.
Even with reduced manpower and resources to respond to events given the requirements of COVID-19 response, we should expect intrusion sets and espionage activities to take advantage of circumstances to the greatest extent possible. As stated earlier, even if this is simply widespread initial access development without the resources to thoroughly exploit right now, the current period will lay the foundation for future operations in a time of acute defender weakness.
Conclusion
In light of all the above, network operators, business owners, and network defenders must all be aware of and concerned for a combination of at minimum relatively stable adversary activity, while defensive controls and responses are in a degraded state. Although many organizations are reeling at the moment due to both the immediate health impacts of the COVID-19 pandemic and the follow-on economic catastrophe, long-term organizational health and stability will require understanding the cybersecurity concerns of this period and taking all reasonable actions to counter them.
Unfortunately, in a time of unsettled manpower and likely diminishing resources, nearly all organizations will find themselves having to do the same amount of security work (if not more, given the expansion of distributed or remote work) with fewer capabilities. Therefore, since adversaries are not taking a break, the most likely solution for most entities is to try and minimize risk to the extent possible through strategic choices – such as limiting access to certain resources (e.g., source code repositories, sensitive data stores, or links to industrial equipment) from devices or networks where security either cannot be implemented by the organization, or where monitoring is not possible.
Overall, we as network defenders should not anticipate the coming weeks and months to be quiet. Rather, the combination of ongoing requirements (especially for state-directed entities) and unique opportunities means we should expect activity that both continues and targets various organizational weak points that previously did not exist. Understanding and accepting this inevitability will then allow us to begin crafting responses, and make the case to leadership and other stakeholders to maintain some minimum level of investment in security operations.