CyberWire Daily - Bonus Recorded Future Podcast: Correlating the COVID-19 Opportunist Money Trail
Episode Date: March 24, 2021
The CyberWire partners with Recorded Future's threat intelligence podcast and our Dave Bittner is the host. It's a weekly show that comes out each Monday afternoon. We thought you might want to check it out and are adding it to our feed today. We hope you like it and consider subscribing in your favorite podcast app. The COVID-19 global pandemic has, predictably, attracted bad actors intent on using fear and uncertainty as a framework for a variety of actions, from run-of-the-mill money scams to targeted phishing, business email compromise, and even espionage. Recorded Future's Insikt Group has been following these money trails and correlating them with a spectrum of bad actors around the globe. They recently published their findings in a blog post titled, "Follow the Money: Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic." On today's episode we've got a pair of Insikt Group analysts joining us to share their expertise. Lindsay Kaye is Director of Operational Outcomes and Charity Wright is a Cyber Threat Intelligence Analyst.
Transcript
Hey everybody, as you may know, the CyberWire partners with Recorded Future's Threat Intelligence Podcast.
I'm the host of their weekly show that comes out each Monday afternoon.
We thought you might want to check it out, so we're dropping this sample episode in our CyberWire feed today.
This episode features two of Recorded Future's Insikt Group analysts joining us to share their expertise.
Lindsay Kaye is Director of Operational Outcomes, and Charity Wright is a Cyber Threat Intelligence Analyst.
Our conversation focuses on correlating
the COVID-19 opportunist money trail,
highlighting their findings where bad actors
are taking advantage of the COVID-19 pandemic
in a variety of ways.
We hope you like it.
Thanks for checking it out.
This is Recorded Future, inside security intelligence.
Hello, everyone, and welcome to Episode 193 of the Recorded Future podcast. I'm Dave Bittner
from the Cyber Wire. The COVID-19 global pandemic has predictably attracted bad actors intent on using fear and uncertainty as a framework for a variety of actions,
from run-of-the-mill money scams to targeted phishing, business email compromise, and even espionage.
Recorded Future's Insikt Group has been following these money trails and correlating them with a spectrum of bad actors around the globe.
They recently published their findings in a blog post titled Follow the Money, Qualifying Opportunism Behind Cyberattacks During the COVID-19 Pandemic.
On today's episode, we've got a pair of Insikt Group researchers joining us to share their expertise. Lindsay Kaye is Director of Operational Outcomes for the Insikt Group at Recorded Future, and Charity Wright is a Cyber Threat Intelligence Analyst.
Stay with us.
I am Lindsay Kaye, and I'm Director of Operational Outcomes at Recorded Future in Insikt Group.
Our team is primarily responsible for developing a lot of the technical detections that go into the product.
So things like YARA rules, the Sigma rules, doing also malware analysis and network analysis.
And besides kind of running the team, what I do is a lot of malware analysis and some software.
All right, and Charity, how about you? I'm an expert cyber threat intelligence
analyst within Insikt Group. On a day-to-day basis, I'd say I specialize in really analyzing
various cyber threats, but I focus a lot on Chinese threats and disinformation.
All right. Well, today we're talking about the research that you all recently published. This is Follow the Money, Qualifying Opportunism Behind Cyberattacks During the COVID-19
Pandemic. Lindsay, let me start with you. What prompted the creation of this report?
So in looking back at the last, I believe, nine or 10 months of the COVID-19 pandemic,
one of the things that we wanted to understand was really how has opportunism on behalf
of cyber criminals and nation-state threat actors really shown itself in the cyber attacks and
cyber incidents that we're seeing. So in order to understand this, what we want to do is look at the
larger socioeconomic climate behind it and see how did threat actors take advantage of different
aspects of the pandemic? Because as you know, it really has evolved over the last 10 months in how they targeted victims, what kinds of attacks were going on, and generally
what sort of the themes a lot of the phishing alerts that we identified were and see how that
all related. Well, let's go through it together. I mean, you've got some really interesting
insights here. Is it useful to go through kind of in a timeline sort of way from
the outset of the pandemic itself? And I think this is something that I don't know if you've
checked out some of the domains that we looked at, but I think that the domain registrations
really kind of speak to a lot of what you're getting at, where there were different occurrences
and then you sort of see upticks in different domains
around different themes. So we could talk about that if you'd like. Yeah, that's a good place to
start. I mean, what were you all tracking here in terms of domain registrations and what sort
of insights does that provide you with? So Recorded Future looked at all the domain registrations that
had to do with COVID-19 and the COVID pandemic. And one of the things that we wanted to understand was,
were these domains being registered under any particular themes?
So what we did was we looked at cleaning-related domains,
economic, ones around PPE, so things like masks
and other sort of protective equipment, the vaccine and testing,
just to kind of see, have we seen any upticks at any point in the pandemic
that would potentially relate to some of the different sort of phases we were in? And one of the things that
we noticed that was really interesting is, as expected in March, when there was a whole kind
of shortage of information, people were scrambling to figure out what is COVID-19? What are the risks?
What is going on? How is government responding? What should I do?
There was the largest amount of registrations of all domains. But interestingly, we saw a couple
different spikes over the course of time in a couple areas. So first related to some of the
vaccine. So around August, when some of the different vaccine candidates were going to some of their
phase three trials or trials were completing, there was a lot of news there.
We saw a second bump of vaccine-themed registrations, and then starting in October,
as you probably remember, there was a lot of discussion, at least in the US
and I believe some in the UK, of the approval of these vaccines,
now that a lot of these trials were wrapping up.
We saw a large increase from October through December, which really kind of does match with a lot of the timeline.
So not all of these domains are malicious by any means. But it is interesting to kind of see how the latest themes of the pandemic really play out in some of what we see people registering.
And for sure, some of these are, you know, legitimate sites of people registering vaccine related domains for COVID. But it's particularly
interesting to look at some of the maliciously verdicted ones, where we see a, you know, smaller,
but still an increase in those timeframes. And what sort of insights can you gain from the types
of domains that were being registered? And, you know, what was registered and what these actors are up to?
What sort of conclusions can you come to
based on the information you gathered here?
So predominantly during the pandemic for cyberattacks,
we've seen a lot of phishing occur.
And this is something you probably remember
from sort of the beginning of the pandemic
when people were looking for information.
So different kinds of phishing lures purporting to be from different package delivery companies
or what is the government doing?
Click here to find out or what is my company doing about the pandemic?
So while it's hard to tell how all of these domains were used to some degree,
you could definitely see how a lot of them could be used for phishing campaigns.
So, you know, click here to find out
about the vaccine or as part of different scams. We did observe scams from cyber criminal threat
actors around, you know, get on the early access list for the vaccine or pay this money or provide
your personal information, things around mask delivery scams from earlier in the pandemic when
there were shortages and things
like that. Predominantly, I would suggest that these would be used for phishing.
Charity, I'm interested in your insight from the point of view of being able to
unpack who the various actors were here. I mean, we've got, you know, there are always those
scammers who are chasing the latest news and will wrap their scams around things that are top of mind for people.
And so I don't think it's surprising to see them chase after something like the pandemic.
But at the same time, there are other things going on here, right?
I mean, there was espionage.
There were nation state actors.
Absolutely. You know, one of the interesting findings in this report is that so many different types of threat actors are trying to take advantage of this pandemic.
It's very unfortunate. But one of the things we observed was not just criminals, but also state-sponsored threat actors.
So various nations kind of battling it out for an economic advantage in the distribution supply chain.
And when it comes to vaccines, who's going to release the vaccine first?
But also, we saw an interesting factor where certain nation states were trying to save face,
you know, around the globe, just in front of a global audience. Each government's leader wanted to appear to be the most competent.
So that's really the core motivations that we observed from the state-sponsored threat actors.
What about disinformation? I mean, how did that come into play?
There have certainly been a lot of news stories about that in the past couple of years as well. Right. Disinformation actually played a huge role in gaining advantage
during this pandemic, especially throughout 2020. We observed China and Russia both using it
for their own objectives, including, you know, spreading rumors about certain vaccines in
other countries. For example, Russia was spreading a rumor that the Oxford AstraZeneca vaccine was
actually derived from monkey DNA. So they were spreading rumors that humans that received this vaccine would turn into monkeys.
As bizarre as that sounds, that narrative was actually disseminated around the world and, you know, played on the ignorance of a lot of people that don't know the truth about the vaccine, about how COVID is spread, and about how people can actually protect themselves from COVID-19.
Yeah, I mean, it strikes me that when you talk about something like, you know,
the monkey story, which all of us, you know, would laugh and roll our eyes at,
but it seems to me like that, even something that absurd chips away at people's feelings of trust.
It injects just a little bit of doubt in their minds.
Absolutely.
What they're doing is they're really playing on the fear that people have all over the world. People are scared of this
virus. At the beginning, nobody knew where it came from, how it was spreading, and how to protect
themselves from it. So threat actors jumped in immediately to exploit that fear and start spreading these various rumors that just created confusion and chaos.
own solution and say, oh, here we have the answer. We have the vaccine that you need the most.
And they try to gain an advantage over their adversaries and competitors that way.
Lindsay, I'm curious, did you track any sort of maturation over the course of the past several months, you know, coming up on almost a year now, did the sophistication of these attempts
grow? Were they able to learn from what worked and what didn't along the way?
So we didn't really necessarily observe any sort of maturation, but we observed trends in
kind of what the interest of different adversaries were. So kind of in the beginning,
like Charity alluded to, there was sort
of that information aspect, and then you saw many, many different threat actors, even some more kind
of novice types, dropping a whole different kind of, you know, commodity malware and tools that
you can get on the internet, as well as sort of the nation-state actors. So really the landscape
was just cluttered is the wrong word,
but there were so many different threat actors involved,
even some of the more novice criminal actors
who kind of saw this as an opportunity, right?
Like Charity had said, there were so many people
who were just like, what is this?
Where did it originate from?
Who are hungry for information?
The people really capitalized on a lot of that.
And then we started to see
some of the more sophisticated threat actors.
So the state sponsored ones trying to get information about vaccine development from some of the vaccine development companies.
And then we sort of saw that shift once, you know, as the vaccine started rolling out, looking to target some of the different aspects of the supply chain.
So some of the kind of cold chain, and this is something that
potentially can keep evolving. So as distribution rolls out, it will be interesting to see how they
continue to target some of this delivery mechanism. And so where do we stand right now? I mean,
we're in the midst of folks being vaccinated. As you say, that rollout is underway. Is there light at the end of this
particular tunnel or have these methods gone on unabated? So most recently, as you said,
the vaccines are rolling out. Now we're seeing threat actors targeting the public in addition
to corporations with the idea of if you pay money, you can put your
name on this vaccine list. So there probably is a light at the end of the tunnel. But, you know,
while we see some scams and different sort of cyberattack themes really dwindling, now
we're seeing new ones emerge. And we've seen that throughout the pandemic and watched how it's changed. So there is a light at the end of the tunnel for some types of cyberattack themes, but new ones will emerge.
And this is probably something that will keep happening as the pandemic wears on and changes.
Absolutely. I have to agree with Lindsay on that.
I think it will evolve and we kind of have to evolve with the pandemic.
As new strains of COVID-19 are discovered, there may be new vaccines that come out. And we have to look at what has happened in the past and then use that history to kind of protect ourselves and organizations from these types of criminal attacks.
So well put, Charity.
So what are your recommendations then? I mean, for
organizations and individuals who are looking to best protect themselves against these sorts of
things, what do you recommend? What are the takeaways? So from a technical perspective,
recognizing that phishing is an ever-popular initial access vector, so just being cognizant of that,
we've seen threat actors use
different kinds of phishing lures to deliver malware. We've seen them target different sort
of remote technologies. So just being cognizant that this is something that will likely not
change. So being cognizant, letting your employees know that this is something that will continue on.
And especially as the pandemic themes change, you know, what is kind of the most current and
relevant issue of the time, and just being cognizant of that. You know, for protecting ourselves
against disinformation and false information that may be out there, it's really important for people
to go straight to trusted scientific sources and public health official sources for information.
We found that nearly 40% of misleading statements are in social media.
So when you're seeing, let's say, news or rumors
travel around social media,
be sure to question the authenticity of the information
and always look to see what the source is.
And if you have questions about the vaccine
or the spread of COVID-19 or anything around this pandemic, definitely go to official sources for your information.
Yeah, it's good to have those skeptical thinking tools at your disposal to be able to discern whether or not a source is likely to be good or not.
Absolutely.
Our thanks to Lindsay Kaye and Charity Wright from Recorded Future's Insikt Group for joining us.
You can find more about this topic and the Insikt Group's research
by checking out the blog section on the Recorded Future website.
Don't forget to sign up for the Recorded Future Cyber Daily email,
where every day you'll receive the top results for trending technical indicators that are crossing the web.
Cyber news, targeted industries, threat actors, exploited vulnerabilities, malware, suspicious IP addresses, and much more.
You can find that at RecordedFuture.com slash Intel.
We hope you've enjoyed the show and that you'll subscribe and help spread the word among your colleagues and online. The Recorded Future podcast production team includes coordinating producer Caitlin
Mattingly. The show is produced by The CyberWire with executive editor Peter Kilpe,
and I'm Dave Bittner. Thanks for listening.