As the COVID-19 pandemic has continued to affect organizations across the United States, officials from the Federal Bureau of Investigation (FBI) and the Department of Justice (DoJ) warned of common trends and attack vectors that are being used by malicious actors for financial or informational gain.
Tonya Ugoretz, deputy assistant director of the FBI’s Cyber Division, reported that the agency’s Internet Crime Complaint Center has seen as many complaints as this point in 2020 as they did in all of 2019. Of those complaints, she said at the June 24 Fal.Con for the Public Sector CrowdStrike Cybersecurity Conference, at least 20,000 have been about COVID-19 related schemes.
During the pandemic, Ugoretz explained that there’s been a large public appetite for information about the state of the coronavirus or the government’s response. Because of this, “profit motivated criminals who rarely miss an opportunity to gain from other people’s misfortune,” and “foreign governments who also have their own urgent demands for information about the pandemic,” have taken advantage of the unplanned and sudden move to life online that’s made individuals more susceptible to cyberattacks, Ugoretz said.
Exploiting possible vulnerabilities, criminal actors motivated by money may attack through vectors such as phishing to steal stimulus funds, while nation-state actors are conducting reconnaissance or attempting to steal data related to COVID-19 response research, Ugoretz explained.
At the beginning of the pandemic, said Adam Hickey, deputy assistant attorney general of DoJ’s National Security Division, cybersecurity wasn’t always the main concern for organizations, leaving them more susceptible to attack.
“Particularly early in the pandemic, and depending on the industry you’re in, just keeping business up took up a lot of bandwidth, so to speak,” Hickey explained. “Cybersecurity, at least in the beginning, took a bit of a backseat because it wasn’t the core of the business.”
To combat this, Ugoretz said that going back to the basic principles of cyber hygiene at all levels can be effective. “We understand that sometimes there are challenges in securely applying patches but focusing on those basic steps in cyber hygiene really can have an impact whether you’re an organization or an individual,” she said.
Ugoretz continued that sharing information when a threat is detected also helps. The FBI shares alerts with the public about threats as they are detected, but opening that line of communication has furthered agency efforts to eradicate threats.
“Our ability to help warn and protect either private citizens, companies, states, municipalities is really strengthened when any of those share information with us,” she said. Ultimately, information sharing can bolster public information to boost resilience for all, per Ugoretz.