SARS-CoV2, the virus behind the COVID-19 pandemic, isn’t the only pathogen that’s been spreading around the world lately. It has spawned a corresponding slew of cyber attacks. Unlike many other cyber actions targeting areas like finance and manufacturing, though, these ones could cost lives. Isn’t there an ethical code for attackers during a global crisis like this? Some kind of honor among thieves?
COVID-19-related attacks break into two types based on motivation. The first are financially driven. They use phishing scams to exploit citizens’ fears over the health crisis, duping them into handing over valuable information or installing malware on their machines. They also infect hospitals and medical research organizations with ransomware. Even without a pandemic, they have a direct impact on operations, and therefore patient health.
The EU has warned that the effect of attacks on cyber attacks against medical facilities amp up during a pandemic, when all health workers are under stress. It made the message clear in an April statement: cut it out. Governments must focus on attackers in their own countries and take them down, it warned.
Some ransomware crooks have agreed not to target health and medical organizations during the pandemic, or say that they never did in the first place. Lawrence Abrams at Bleeping Computer reached out to groups responsible for ransomware including Maze and Ryuk asking them to stop. Responses generally favored hospitals but this still leaves a long list of organizations up for grabs, ranging from UN organizations to pharmaceutical companies.
One group said that it “never attacked” hospitals, nursing homes, or charities, but that it considered commercial pharmaceutical companies fair game unless they were working on a coronavirus vaccine. If they were, then they’d send them a free decryption key. DoppelPaymer said: “But about pharma – they earns lot of extra on panic nowdays, we have no any wish to support them. While doctors do something, those guys earns [sic].”
When states attack
Ransomware groups aren’t the only actors hitting these organizations. They’re also a target for the second attack group. Both the UK and the US warned early in May that state-sponsored hackers have targeted health research organizations, using phishing emails and credential stuffing attacks to try and gain access to accounts.
Unlike cyber criminals, who target accounts and data that they can sell online, the APT groups are after something far more valuable: knowledge.
“CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities,” the advisory said. “APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.”
The FBI has also warned about state-backed hackers targeting research companies.
Intellectual property acquisition isn’t the only motive, though. Destabilization also seems to be a focus for unknown groups. In late April, someone leaked login credentials for 25,000 email accounts from the CDC, Gates Foundation, NIH, WHO, and the World Bank online. Within 24 hours, far-right groups were using them to harass employees and spread disinformation. The data thief’s identity is unknown.
Targeting researchers working on coronavirus treatments and organizations trying to inform the public has a negative effect on public health, either diverting funds and attention away from treatment research or muddying the spread of public health information. International law, which definitely forbids wartime cyber attacks on medical facilities, isn’t of much help here. So can we get an official ethical commitment from state actors that goes beyond the shaky, inconsistent one we’ve seen from some cyber criminals?
The Oxford Institute for Ethics, Law, and Armed Conflict is doing its best. The body, along with Microsoft and the Japanese government, sponsored a workshop at the University of Oxford to discuss the problem, and came up with an open statement echoing the call for governments to do more. It supports “the International Committee of the Red Cross’ call on States to protect medical services and medical facilities from harmful cyber operations of any kind.”
It also asks signatories to make several commitments, including:
“When a State is or should be aware of a cyber operation that emanates from its territory or infrastructure under its jurisdiction or control, and which will produce adverse consequences for health-care facilities abroad, the State must take all feasible measures to prevent or stop the operation, and to mitigate any harms threatened or generated by the operation.”
Like the EU statement, this leaves the door open for states to rethink their own activities while also cracking down on cyber criminals not working on their behalf. The problem is plausible deniability. Countries shake hands on this kind of thing all the time, agreeing not to target each other in cyberspace and then reneging. But then, there’s politics, in which words take precedence, and realpolitik, which is governed by action. Under the latter, legal and ethical considerations (not to mention moral ones) take a back seat.