The ongoing COVID-19 pandemic has resulted in disruptions to everyday life for many, with shelter-in-place and other social distancing requirements implemented throughout the United States and around the world.
Even though many supplies, services and leisure activities have slowed down or come to a screeching halt, the one thing that has remained the same -- or even gained momentum -- is cyberespionage.
From the average citizens who encounter ransomware and malware scams via fraudulent stimulus check scams to the Defense Department-level organizations encountering attempted cyber intrusions and compromises from advanced persistent threat groups, or APT, cyber criminals and APT groups are actively working to exploit the COVID-19 pandemic.
The DoD Cyber Crime Center, located in Linthicum Heights, Maryland, serves as the operational focal point for the Defense Industrial Base Cybersecurity program. DC3 is keeping ahead of APT groups that exploit the COVID-19 pandemic in an attempt to infiltrate and exploit DIB and DOD networks. The center’s DOD-DIB Collaborative Information Sharing Environment, or DCISE, maintains close situational awareness regarding the use of COVID-19-themed social engineering and email phishing scams by cyber actors -- from criminal actors employing ransomware to more sophisticated nation-state operators conducting cyberespionage.
As the operational arm of the DIB Cybersecurity program, DCISE shares relevant information with more than 700 security-cleared defense contractors who participate in the program. It also fosters a cyber-threat information-sharing partnership with DIB participants by performing cyber analysis, offering mitigation and remediation strategies, providing best practices, conducting analyst-to-analyst exchanges and holding cyber threat-sharing meetings and technical exchanges with DIB participants.
"The public-private partnership that exists between the DIB partner companies and the DOD is built upon a foundation of trust, which is vital to critical cyberthreat information sharing," said DCISE Director Krystal Covey. "This crowd-sourced threat-sharing allows for near real-time collaboration, enabling members of the partnership and U.S. government agencies to potentially detect, deter and remediate before an incident occurs or escalates."
The DCISE has processed multiple DIB reports specific to COVID-19-themed schemes during the past month. Domain masquerading is heavily used in these schemes. One partner company reported receiving an email from the Centers for Disease Control and Prevention with a link to a credential-harvesting site.
A DIB cybersecurity program voluntary partner notified DCISE in late March that a U.S. government Central Authentication Service login service was using a web service as an open redirect (proxy) to commit COVID-19 phishing.
The DIB partner requested DCISE alert the government for remediation. DCISE informed government points of contact the same day. The government entity advised March 26 that the asset in question was taken offline and an investigation was underway. The same entity also requested DIB cybersecurity program partner point-of-contact information to engage and ensure they had all relevant technical details.
"This scenario highlights that the DIB cybersecurity voluntary program provides critical communication and benefits beyond its immediate scope and mission, such as identifying issues with government information technology assets and ensuring notification to the correct government contact, even during an unprecedented pandemic," Covey said.
DCISE monitors evolving cyber activities that exploit the pandemic and will ensure the DIB partnership and the U.S. government are fully informed to better protect their respective network environments. The DCISE will continue processing all submissions from its partners and encourage maximum cyber threat collaboration during this challenging time. This type of public-private communication demonstrates DCISE and the DIB cybersecurity program’s role in protecting critical DOD assets.