Hackers have launched a wave of cyber-attacks trying to exploit British people working from home, as the coronavirus lockdown forces people to use often unfamiliar computer systems.
The proportion of attacks targeting home workers increased from 12% of malicious email traffic before the UK’s lockdown began in March to more than 60% six weeks later, according to data from cybersecurity company Darktrace provided to the Guardian.
Attacks specifically aimed at exploiting the chaos wrought by Sars-CoV-2 have been evident since January, when the outbreak started to garner international news headlines.
The attacks have increased in sophistication, specifically targeting coronavirus-related anxieties rather than the more usual attempts at financial fraud or extortion.
In early May, Darktrace detected “a large malicious email campaign” against UK businesses that told employees they could choose to be furloughed if they signed up to a specific website.
Other attacks have targeted the tools used by remote workers, including fake requests to reset virtual private network (VPN) accounts, faked sign-in pages for Zoom video conferencing accounts, and requests to accept an incoming “chat” from colleagues on supposedly corporate messaging systems.
There has also been an increase in spoofing attacks, with emails purporting to be from a colleague. Darktrace said about a fifth of malicious emails would normally use some form of spoofing, but that this rate has reached up to 60% as attackers exploit the increased separation of workforces.
One spoofing attack featured an unnamed company chief executive supposedly asking workers to donate to his health charity, while others mimic IT support departments asking workers to download new software.
GCHQ, the UK’s cyber-intelligence organisation, has called for people to report attempts at phishing using fraudulent emails as it tries to block malicious websites.
The EU’s foreign affairs wing, the European external action service, has already warned of a proliferation of cyber-attacks and disinformation campaigns related to the pandemic, highlighting efforts thought to be linked to the Russian and Chinese states. The World Health Organization and the US National Institutes of Health have been targeted.
Darktrace said similar patterns were evident across the world, with increases in home-working attacks appearing as soon as different countries entered their lockdowns, and Italian workers targeted before those in the UK and the US.
Max Heinemeyer, director of threat hunting at Darktrace, said attackers often reuse the same techniques on many different companies, looking for back doors in networks that may have inadvertently been left open.
“It can be very easy and very quick to capitalise on vulnerabilities like this,” he said, adding that attackers such as the APT41 operation, believed to have been carried out by Chinese state-backed actors, “sprayed and prayed”, attacking large numbers of targets.
The warning came after British airline easyJet was forced to reveal that a hack had exposed the personal information, including travel records, of 9 million people over a period of more than four months.
A person with knowledge of the probe into the easyJet attack said investigators believed financial fraud was not the main motivation for the attack. Reuters reported that investigators believed the easyJet hack may have been carried out by the Chinese state.
Security experts have seen a high volume of attacks since January by actors believed to be backed by China. Another trend has been the targeting of hotel and travel companies in what is believed to be an effort to gather movement information for large numbers of people.