Palo Alto Networks' Unit 42 threat intelligence team has today published worrying research that reveals how a Nigerian cybercrime group known as SilverTerrier is targeting healthcare organisations critical to the COVID-19 response.
In the "SilverTerrier: New COVID-19 Themed Business Email Compromise Schemes" report, Unit 42 details how Business Email Compromise (BEC) actors are recklessly targeting COVID-related campaigns at government healthcare agencies, large universities with medical programmes as well as medical publishing firms and insurance companies across the United States, Australia, Canada, Italy, and the United Kingdom.
The group has been tracked launching multiple COVID-19-themed malware attacks between Jan 30 and April 30. Between them, these campaigns have produced 170 distinct phishing emails, the researchers say, and have shown "minimal restraint" when it comes to targeting enterprises critical to the pandemic response.
"SilverTerrier actors have begun adapting their phishing campaigns and will likely continue to use COVID-19-themed emails to deliver commodity malware broadly in support of their objectives," the report states, advising all organisations involved in the COVID-19 response to "apply extra scrutiny to COVID-19-related emails containing attachments."
This all comes hot on the heels of a Mimecast report that saw cyber-attacks increase by 33 percent across the first 100 days of the pandemic. Earlier this week, the National Cyber Security Centre issued a joint advisory with the United States Department of Homeland Security CISA warning of nation-state attacks against organisations involved in the COVID-19 response.
"The NCSC is right to warn healthcare organisations involved in the coronavirus response that they are at huge risk," Zeki Turedi, technology strategist at CrowdStrike, says. "Adversaries are leveraging Covid-19 lures to launch targeted attacks against an overstretched healthcare industry. We’re in a state of high alert when it comes to information pertaining to Covid-19 and the current situation has created the perfect storm."
"This is great, but sadly depressing and all too familiar, research showing the advancement of social engineering capabilities from the nation that invented the 419 scam," Ian Thornton-Trump, CISO at Cyjax told SC Media UK. "I would argue that this is great evidence the Nigerian Prince has grown up, attended cybercrime university and graduated with full honours."
Targeting healthcare and its supply chain makes a lot of sense right now, according to Thornton-Trump, for two important reasons. "One, folks working in that industry are stressed and have been stressed for many weeks and stressed people make mistakes," he says, continuing, "and two, given the sense of urgency to obtain PPE and other items in short supply, standard procedures may not be followed." By this, Thornton-Trump explains, he means that checks and balances, as well as authorisation processes, may be "streamlined", creating the perfect situation to convince someone to do something fraudulent. "In the US there was a local government official who had to drive a US$3.5 million cheque to meet a PPE supplier in a closed McDonald's parking lot," he recounts, "that's not a common situation."
While Thornton-Trump admits it's "unlikely members of SilverTerrier will donate their proceeds to the government or hospitals," he points towards a motive in that "the more money you have in a place like Nigeria, the more options you have to save yourself and your family." After all, he says, "if your resume includes 'expert at ripping off people' are we surprised that folks are going to work just as hard as they can right now?"
And it's not just Nigeria, let's not forget. "It's pretty fair to suggest that cybercrime groups in Africa, South America and various Asian nations will follow the lead of top tier cybercrime countries such as China, Russia, Iran & North Korea," Thornton-Trump concludes, "now is the perfect time to launch COVID-19 disinformation and cybercrimes in all forms, and based upon the numbers I've seen, both defenders and attackers are working very hard."