The Department of Homeland Security has issued a series of intelligence advisories associated with threat actors exploiting COVID-19 to engage in conventional and cyber attacks.  The three separate warnings range from ISIS exploiting the global crisis for violence to extremists intentionally trying to spread COVID-19 through minority populations to cyber attackers exploiting work from home technologies.  All decisions-makers need to be aware of these threats regardless of their organization size or sector.  Here are the details:   

DHS warning on April 1, 2020 – “COVID-19: Violent Extremists’ Social Media Bio Attack Calls – Crudely Viable, Warrants Attention, but Effects Likely Not Measurable”

Recent social media postings by violent extremists called on individuals who have contracted the SARS-CoV-2 virus to seek out and target law enforcement, minority communities, places of worship, and public transportation.

• On 11 March, a White Supremacist Extremist (WSE) Telegram channel administrator posted an image and text stating they were using SARS-CoV-2 virus to infect a synagogue’s rabbi and gas stations owned by a person of Indian descent.
• On 10 March, a separate WSE Telegram channel administrator posted a flyer calling for action by persons affected by the coronavirus to visit local mosques, synagogues, diverse neighborhoods, and utilize public transit. The flyer uses branding for the Centers for Disease Control and Prevention (CDC) and World Health Organization (WHO) with citations from the CDC, WHO, and National Institutes for Health.
• Current public ISIS leadership guidance likely limits the pursuit of BW attacks using SARS-CoV-2 virus. To date, there is no corroborated information to suggest violent extremist interest in obtaining viable SARS- CoV-2 viral cultures.
• On 19 March, ISIS issued its weekly al-Naba newsletter, calling for attacks in Western countries against healthcare systems that are strained by the COVID-19 pandemic. However, ISIS has also adopted a safety-first approach to the coronavirus pandemic and advised its members not travel to Europe. The al-Naba editors, who normally urge followers to carry out attacks in the West also recommended to “stay away from the land of the epidemic” for the time being.

Outlook: Violent extremist calls to intentionally (and almost certainly criminally) transmit the SARS-CoV-2 virus, while crudely viable, are highly unlikely to result in measurable spread of the virus but likely to continue.

• Crude Viability, Measurement Difficulties and Mitigation: Transmitting the SARS-CoV-2 virus is relatively effortless, based on known transmission routes and survivability of the virus outside a host; SARS-CoV-2 virus spreads through close contact and droplets. Fomite transmission (i.e., viral particles left on surfaces and close-contact aerosol) is also plausible, but present gaps in knowledge preclude tangible estimates.6 However, doing so purposefully with measurable success is encumbered by an array of presently unknown virus characteristics as well as transmission mitigation measures currently in place. Violent extremist attempts are unlikely to result in high incidents of intentional self-exposure and resulting transmission.
• SARS-CoV-2 virus replicates in the throat, and infectious virus is detectable in throat and lung tissue for at least 8 days before symptom onset. The number of viable viral particles potentially deposited on surfaces depends on several factors (i.e., type and amount of bodily fluid, changes in viral load linked to disease progression, etc.). Additionally, the human infectious dose of SARS-CoV-2 virus remains to be quantified.
• While initial data on SARS-CoV-2 virus environmental stability suggests persistence on stainless steel or plastic surfaces for at least three days (at 21-23 degrees Celsius with 40 percent relative humidity [RH]), studies of other coronaviruses suggest survival on non-porous materials up to 9 to 10 days, and 3 to 5 days on porous surfaces in air-conditioned environments (20-25 oC, 40-50 percent RH).
• Along with exposure to environmental conditions, non-pharmaceutical interventions (i.e., school closures, isolation, handwashing), currently in effect nationwide, constrain willful spread of the virus.
• Threat Forecast: Whether violent extremists are willing to risk personal health without measurable success is unknown. The lack of quantifiable success and possible violent extremist actors’ concerns for their own health may feed into the decision calculus to seek out exposure to infect others. As many COVID-19 cases are asymptomatic, violent extremist actors would not necessarily know whether or not they carry the virus.
• Even if foreign terrorist leaders were to promote illicit procurement of the virus, the inherent technical challenges related to virus identification, extraction, and scaling almost certainly exceed the expertise of all but the most sophisticated actors.
• To date, there are no corroborated US reports of violent extremists’ intentional self-infection for the purpose of bio attack. While a 24 March Department of Justice memo and subsequent news media reports cautioned that intentional spread could be prosecuted as a terrorist act, violent extremist rhetoric, hoaxes and other incidents related to intentional spread are likely to continue.  Law enforcement and other first responders should exercise caution when interacting with persons claiming to be infected. 

DHS Warning on March 30, 2020 – “Cyber Actors Almost Certainly View Growing Telework During the Novel Coronavirus Pandemic as an Opportunity to Exploit Enterprise Networks”

We assess malicious cyber actors almost certainly view the shift to telework of public and private sector employees during the COVID-19 crisis as an opportunity to gain access to enterprise networks and sensitive information. We base this judgment on the demonstrated ability of malicious cyber actors to access sensitive data or to install malware within internal corporate networks by exploiting remote employees’ personal and business devices, remote access applications and networking protocols, teleconferencing devices, or collaboration software. We also base this assessment on malicious cyber actors conducting COVID-19-themed social engineering that could lead to compromise of user or administrator credentials. We also assume malicious cyber actors believe network defense and mitigation are less robust during the COVID-19 pandemic because of reduced resources and focus on mission critical functions.

• Growing number of teleworking employees: The Office of Management and Budget (OMB) directed federal departments and agencies to maximize telework across the nation for the federal workforce and US corporations asked employees to work remotely as a precaution against COVID-19, according to an OMB memorandum and a US media outlet that covers business news.  A US cybersecurity company vice president noted a surge in queries from companies that anticipated employees will work from home until mid-June, possibly leaving company data more vulnerable, according to a 10 March US media article that describes a spike in malicious online activity capitalizing on growing fears of COVID-19.
• Threats from personal devices: Russian Main Intelligence Directorate of the General Staff (GRU) cyber actors in 2016 compromised a hotel’s Wi-Fi network in Lausanne, Switzerland, to gain access to a Canadian Centre for Ethics in Sports (CCES) official’s laptop and user credentials. The GRU actors used the CCES official’s credentials to pivot into the CCES network in Canada, according to a US Department of Justice indictment of seven GRU actors.
• Threats from remote access applications and networking protocols: An unknown actor in January 2018 used valid TeamViewer credentials to gain access to an entertainment company’s internal network, according to a whitepaper from a US cybersecurity firm with expertise in cyber threat analysis describing observations of adversarial activities during incident response engagements throughout 2018.  The actor moved laterally within and enumerated the network, created malicious scheduled tasks, and installed malware enabling extensive follow-on activity, according to the same source. Cyber threat actors between 2016 and 2018 increasingly leveraged the remote desktop protocol (RDP) as an attack vector from which to steal login credentials, compromise identities, and install ransomware, according to a joint DHS-FBI public service announcement.
• Threats from teleconferencing devices: Cyber actors in late 2018 scanned for and sought to exploit Voice over Internet Protocol (VoIP) phones, video conferencing equipment, conference phones, VoIP routers, and cloud-based communication systems to identify vulnerabilities, which could later be used to gain access and unlawfully acquire information about victim organizations, according to an FBI private industry notification bulletin.
• Threats from collaboration software: Cybercriminals in April 2019 exploited a critical Atlassian Confluence server flaw to install ransomware with native tools to avoid detection, according to a US cybersecurity company’s blog. The source judged that since Confluence potentially holds valuable company information that is possibly not backed up, the actors might have chosen to deploy ransomware because the likelihood of a significant payout was greater than what could have been expected by deploying cryptocurrency mining malware on the host.
• COVID-19-themed social engineering: Cybercriminals and state-sponsored advanced persistent threat groups since January 2020 have used COVID-19-themed lures (specifically requests for donations, updates on virus transmissions, safety measures, tax refunds, and fake vaccines) in spear-phishing messages to deliver commodity and custom malware capable of data exfiltration and downloading secondary payloads, according to a UK advisory and consultancy firm. The South Korean Government also noted short messaging service (SMS) phishing attacks against mobile devices with COVID-19 lures designed to entice victims to click on links that would harvest sensitive information and account credentials, according to the same source.

Mitigation

• The Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to review the recommendations regarding hardware and software solutions that enable remote access to enterprise networks, phishing attempts, log review, attack detection, incident response and recovery, multifactor authentication, and virtual private network (VPN) capabilities.  
• The National Institute of Standards and Technology (NIST) recommends that organization-issued and personally owned devices be secured against expected threats. NIST provides information security considerations for several types of remote access solutions, and it makes recommendations for securing a variety of telework, remote access, and personally owned device technologies.  For more information, see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-46r2.pdf.
• NIST has developed a comprehensive telework resource guide that provides information on security enterprise telework, remote access, and bring-your-own-device solutions. Some key concepts in the guide include development and enforcement of telework security policy, multifactor authentication for enterprise access, and telework client device security.  
• CISA encourages caution when handling any e-mail with a COVID-19-related subject line, attachment, or hyperlink, and be wary of social media pleas, texts, or calls related to COVID-19. Cyber actors may send e-mails with malicious attachments or links to fraudulent websites to trick victims into revealing sensitive information or donating to fraudulent charities or causes.

DHS warning on 23 March 2020 –  “Terrorists Exploiting COVID-19 Pandemic in an Attempt to Incite Violence”

Violent extremists probably are seeking to exploit public fears associated with the spread of COVID-19 to incite violence, intimidate targets, and promote their ideologies, and we assess these efforts will intensify in the coming months. Since early March, violent extremists have used online platforms to spread misinformation related to federal, state, and local government mitigation efforts and, in some cases, infected individuals with COVID-19. Increased travel restrictions and social distancing possibly will complicate violent extremist efforts to operationalize attacks against more traditional terrorist targets in the Homeland, and we have no information indicating any active plotting is underway.               

• On 19 March, ISIS issued its weekly al-Naba newsletter, which contained calls for attacks in Western countries against healthcare systems that are strained by the COVID-19 pandemic.1 The newsletter also included directions for ISIS supporters to “kill [non-Muslims] wherever you find them.”
• White supremacist extremists (WSEs) and other social media users have advocated for violence against a range of targets, including critical infrastructure and faith-based and minority communities— including Asian-Americans—in response to the COVID outbreak, according to open-source reporting. WSEs also have called for infected individuals to intentionally spread COVID-19 in diverse neighborhoods and in religious institutions such as mosques and synagogues.

Other social media users are sharing and discussing perceived threats associated with theUS Government response to the outbreak, specifically tied to social media rumors and fears of martial law and gun confiscation. Some domestic terrorism-related activity in the United States historically has been driven by similar conspiracy theories, increasing our concern that a violent extremist could seek to conduct an attack based on this misinformation.

About the Author

Matt Devost

Matthew G. Devost is the CEO & Co-Founder of OODA LLC. Matt is a technologist, entrepreneur, and international security expert specializing in counterterrorism, critical infrastructure protection, intelligence, risk management and cyber-security issues. Matt co-founded the cyber security consultancy FusionX from 2010-2017. Matt was President & CEO of the Terrorism Research Center/Total Intel from 1996-2009. For a full bio, please see www.devost.net