How Hackers Leverage COVID-19 to Disrupt Supply Chain Operations

The COVID-19 working environment has created new IT vulnerabilities and has accentuated known vulnerabilities for commercial enterprises. .

Once a commercial IT network has been compromised, hackers may be able to steal sensitive information in a data breach or shut down systems operations until a ransom is paid. One can expect exploitation of the pandemic in cyberspace to include, but not be limited to, phishing, exploits with refined lures to either exploit information or install malware, or to exploit vulnerabilities in minimally populated and/or remote workplaces.

Phishing exploits

The most common method utilized by hackers to compromise IT networks is phishing. Phishing involves the impersonation of legitimate governmental, business, or personal entities in order to “fish” for a victim that will enable access to a network. This is often facilitated by tricking the victim into clicking a dubious link with malicious software — malware — embedded. Hackers often include information of public or personal interest to increase open and click rates.

With the emergence of the COVID-19 pandemic, hackers have seized the opportunity to develop “phishing lures” designed to exploit strong public demand for updates on the constantly evolving global health situation, accentuating the risk of attack by this method. In an emerging trend illustrative of the ingenuity of methods, hackers have been utilizing seemingly legitimate email addresses with domains that include a COVID-19 related username preceding the “@” in order to falsely convey authenticity.

Separately, hackers may trick users into downloading malicious attachments which can be circulated unwittingly by legitimate actors (i.e. employees and managers). This method can be paired with a phishing email but may also be used in any other context where a user may download or access files. For example, the emotet trojan, which has successfully hacked several German targets, utilized infrastructure such as Frankfurt municipal IT systems to distribute ransomware.Moreover, hackers have impersonated popular COVID-19 webpages by legitimate entities, either as a means to extract personally-identifiable information (PII), financial information (FI), or other credentials.

While phishing incidents do not initially disturb production activities to the extent of data breaches and ransomware, it is of the utmost importance to be mindful of the danger such campaigns pose. According to the Kill Chain model of cyber threat analysis, phishing campaigns are often the first step toward more sophisticated attacks.

It is by means such as phishing that, if not properly mitigated, ransomware operators can gain access to the intimate details of a company’s corporate network. From there, they can gain access to sensitive supply chain information, including details pertaining to production facilities. Therefore, it is essential that supply chain managers, in conjunction with their IT and physical security teams, understand and apply mechanisms for threat mitigation.

Remote and office workstation security exploits

The rapid transition to remote, digital workstation solutions and the corresponding decrease in activity at office workstations have generated new vulnerabilities for commercial enterprises. In a physical sense, below-average volumes of workers on-site create new opportunities for security breaches. Absences from stationary workstations or server rooms, or even the open display of PII, FI, and credentials around an office, can create an untold number of opportunities for an intruder or unauthorized visitor to compromise business systems. These opportunities even eliminate the need for phishing emails to gain access to such systems. Alternatively, it allows hackers the opportunity to better tailor phishing emails making them more authentic and actionable by referencing veracious details under the guise of a believable party in order to solicit information that can be used either to damage the company in its own right or to gain access to system information. These are called spear phishing lures.

In the digital space, new trends in workplace behavior and tool utilization have also led to innovative hacking techniques. Taking advantage of increased dependence on remote working solutions such as Zoom and Microsoft Teams, hackers have crafted impersonation URLs of the two virtual meeting solutions to trigger malware implantations. These applications comprise two vulnerabilities: UNC path injections, which launch unintended applications, and privilege escalation, which allows hackers to gain permissions to alter systems. This imperils both solutions by allowing hackers to insert their malware anywhere they please on a target’s system.[ii] [iii] An additional risk comes from the collection of PII, FI, or credential information from home virtual assistants. This is due to a voice recording stop fault in many common assistants. If hacked, this could provide a continuous source of critical information if recording continues.[iv] Reports of a broader hack exploiting these vulnerabilities have not yet manifested. Nonetheless, a failure to address individual vulnerabilities can jeopardize broader supply chain networks.

Supply chain professionals can work with supplier contacts to initiate specific measures to ensure that supply chain partners are adequately prepared to minimize exposures to cyber risks. Resilience360 recommends that customers work with their suppliers on the following measures:

Maintain data backups: Supply chain managers can work with suppliers to verify or stipulate that they are maintaining system backups. Regular and thorough backups are the best mitigation against ransomware, regardless of inclination to pay. As a best practice, companies which maintain ongoing, comprehensive backup programs create an effective “mirror” of current operations, enabling them to quickly jump to a parallel system in the event of an attack.

Know your defenses: Mindful that customers will be challenged to assess cybersecurity across the entirety of an organization, firewall and vulnerability mitigation should be prioritized for those with not only the greatest access to the customer’s host network, but also for those with the greatest exposure to threats. This measure of exposure includes factors such as industrial control systems known to be vulnerable, or location or in an industry known to be a frequent target for attacks. Keeping abreast of the latest threats that target backups can further enhance an organization’s defense posture.

Enhance physical security: Verify that suppliers have adequate measures in place to protect office environments from compromise. While offices remain below normal occupancy, customers should ensure that supplier facilities have secured any physical documents with potentially compromising PII, FI, and credentials to reduce exposure.

Synchronize threat preparation and response: Ensure that suppliers have business continuity in place should a cyberattack occur. Such preparation to enhance coordination and minimize confusion in the event that a crisis strikes can allow all parties involved to save time and act in unison to maintain supply chain agility.

Know the systems of your suppliers: Awareness of technological tools, hardware, equipment, and operational systems of suppliers can empower those responsible for information security on your team to anticipate potential disruptions and take a proactive role in helping supply chain managers to mitigate threats amongst suppliers.

Ensure social engineering awareness: Collaborate with IT partners to conduct realistic, frequent, and varied phishing testing at the supplier level and across the supplier network in order to identify vulnerabilities and reduce to the greatest extent possible the threat field that a potential hacker can exploit. Maintain information-sharing relationships with appropriate law-enforcement bodies to further enhance awareness and protection and encourage suppliers to do the same. Supply chain managers must also collaborate with IT teams to determine impact to a disrupted business, obligations to maintain cybersecurity, and standards to maintain, such as ISO/IEC 20071/2.

SC
MR