Threat Intelligence

Post-Pandemic Cyberattacks Target Vulnerable Industries

Cybercriminals are targeting industries like retail and manufacturing that continued to operate throughout coronavirus shutdowns – and they’re becoming more sophisticated.

by Mercedes Cardona

Aug 05, 2020

Key Points

The bulk of cyberattacks during the first half of 2020 targeted industries that continued to operate during the pandemic, like manufacturing, retail, and insurance.
Many of these attacks are becoming more sophisticated and involve state actors.
Cybercriminals have also taken advantage of the shift to working from home by targeting employees with a surge of business email compromise attacks.
U.S. and UK cybersecurity agencies issue joint cyber resilience guidance.

Since the start of the COVID-19 pandemic, cyberattacks have grown more sophisticated and more likely to target the most vulnerable sectors of the U.S. economy, leading multiple government agencies to urge those industries to practice greater cyber resilience.

The industries most often targeted by cybercriminals during the first half of 2020 were manufacturing, retail and wholesale, as well as insurance, according to the latest threat intelligence report from the Mimecast Threat Center.[i] Those sectors were likely targeted because they continued operating at close to normal levels compared with others, the report noted, although increasing sophistication on the part of criminals also played a role.

Significantly, the threat intelligence researchers also warn that the ranks of cybercriminals include an advanced group of state-sponsored actors seeking to steal intellectual property and obstruct critical industries. Recently, for instance, the U.S., UK and Canada accused the Russian government of sponsoring a group trying to steal COVID-19 vaccine research.[ii]

Cyberattacks Hit the Retail and Manufacturing Sectors Hard

These shifts have taken place in response to the pandemic, the study notes.

For example, the retail/wholesale and manufacturing sectors, which continued to operate throughout the coronavirus shutdown, became key targets accounting for nearly 20% of all attacks during the year’s first half.

Throughout the lockdown, the retail and wholesale sector continued to do strong business via e-commerce, but this made it an inviting target for cyber thieves. Manufacturers, meanwhile, became targets of ransomware attacks, such as the one that put the brakes on Honda Motor Co. in June.

Cybercriminals also took advantage of the surge in working from home during the pandemic’s early days. An analysis of email attack activity at the start of the lockdown showed business email compromise attacks were up sharply.[iii] “Unsurprisingly,” the Mimecast Threat Report states, “the key threat identified in the first half of this year was the multitude of ways cybercriminals sought to exploit the circumstances of the global COVID-19 pandemic.”

This was reflected in a March 16 letter to state attorneys general from U.S. Attorney General William Barr, who warned of “reports of phishing emails from entities posing as the World Health Organization or the Centers for Disease Control and Prevention, and reports of malware being inserted into mobile apps designed to track the spread of the virus.”[iv]

Manufacturers and Healthcare Researchers Warned to Boost Cyber Resilience

The threats against critical industries have prompted the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA), the U.S. Department of Energy and the UK's National Cyber Security Centre (NCSC) to jointly issue a guide to cyber resilience best practices for industrial control systems (ICS). These include basic cyber hygiene practices such as regular data backups, prompt testing and distribution of routine software patches, whitelisting applications and disabling all unnecessary services and ports. It also recommends designing systems with cyber resiliency in mind and implementing a risk-based defense-in-depth approach to secure ICS hosts and networks.[v]

Another industry subject to increased levels of cybercriminal activity since the start of the contagion has been healthcare, and the FBI and CISA have warned U.S. organizations working on COVID-19 research to be on their guard. In May, the FBI and CISA alerted researchers about state-sponsored Chinese criminal hackers “attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data,”[vi] and the FBI issued a short list of recommendations. These include:

Assuming that press attention affiliating your organization with COVID-19-related research will lead to increased cybercriminal interest and activity.
Patching all systems for critical vulnerabilities and prioritizing timely patching for known vulnerabilities.
Actively scanning web applications for unauthorized access, modification or anomalous activity.
Upgrading credential requirements and requiring multifactor authentication.
Identifying and suspending access for users who exhibit unusual activity.

The Bottom Line

Cybercriminals are opportunistically targeting industries that continued to operate full tilt during the recent coronavirus shutdowns, and their attacks have grown ever more sophisticated. Given this shifting landscape, taking the appropriate countermeasures becomes

[i] Mimecast Threat Intelligence Report: Black Hat USA Edition, July 2020

[ii] “Russia Is Trying To Steal Virus Vaccine Data, Western Nations Say” New York Times, July 16, 2020

[iii] “The First 100 Days of Coronavirus,” Mimecast Report, May 2020

[iv] “Memorandum To All United States Attorneys” U.S. Attorney General William Barr, March 16, 2020

[v] “Recommended Cybersecurity Practices for Industrial Control Systems” Department of Homeland Security CISA

[vi] “People’s Republic of China (PRC) Targeting of COVID-19 Research Organizations” FBI National Press Office