MENA Must Account for Pandemic-Related Cyber Threats

In addition to challenging public health and economic systems all over the world, the COVID-19 pandemic has created an environment of heightened exposure to cyber threat actors who seek to exploit vulnerable information technology (IT) infrastructure and fallible human behavior. These adversaries target both fearful populations seeking helpful information and security gaps in the rapidly expanding domain of remote work in business and government.

As governments, enterprises, and individuals across the Middle East and North Africa (MENA) region adapt to new ways of thinking, collaborating, and working, the protection of critical information and infrastructure must be earmarked as an essential priority. 

Heightened awareness of attack methods, potential vulnerabilities, threat actor tools, and social engineering tactics can help mitigate cyber risks as the threat landscape continues to rapidly evolve in response to COVID-19. To that end, there are four major attack types that entities and individuals should be especially prepared for: denial-of-service attacks, remote work exploitation, phishing and financial scams, and misinformation campaigns.

Denial-of-service attacks are cyber attacks in which a threat actor seeks to make machines, networks, tools, or websites unavailable to users. With more of the workforce operating remotely than ever before, denial-of-service attacks are an increased risk as workers are physically cut off from others and depend entirely on network reliability. In addition, threat actors are likely aware that governments and enterprises prioritize the availability and performance of critical applications and networks for their employees. This may lead to security lapses or cut corners, potentially providing additional vulnerability points in less secure areas of a network or via new routes created to facilitate remote work.

There is also a possibility that attacks could hit critical healthcare institutions or government entities, hampering their crisis response capabilities and placing lives at risk. While no major incidents of this nature have yet been reported in the MENA region, an attempted attack on the U.S. Department of Health and Human Services and hospital-focused ransomware attacks are telling indicators that threat actors are not sparing institutions involved in COVID-19 response. Recent reports on emerging internet-of-things (IoT) botnets, based on the Mirai botnet that temporarily crippled large portion of internet traffic in 2016, provide additional evidence that major attacks may lurk on the horizon.

The sudden and dramatic increase in telework necessitated by the pandemic has created conditions ripe for exploitation by malicious cyber actors. Likely targets include personal computing devices, home Wi-Fi networks, and free or low-cost telephone and video conferencing services. Attacks exploiting these vulnerabilities can result in significant data loss, including personally identifiable information (PII) and sensitive government or corporate data.

On this front, companies and entities in the Middle East are acutely vulnerable. While major foreign companies and multi-national corporations with globe-spanning operations are often well-positioned for remote work, the same is not true of many local governments and enterprises—especially small and medium-sized businesses. In mid-March, as COVID-19-related lockdowns and government-mandated remote work requirements entered into force, just 12 percent of companies in the Gulf had remote work arrangements in place based on a survey of 1,600+ Gulf-based business executives. In the ensuing weeks, even as many shifted to remote work, entities often lacked robust corporate virtual private networks (VPN), secure conferencing capabilities, two-factor authentication, and other measures fundamental to securing in a distributed work environment. 

There has been a significant uptick in phishing and financial scams during the COVID-19 crisis. This type of threat activity typically surges during prolonged disasters, which tend to create a captive audience of stressed, vulnerable citizens eager to receive guidance and information. With many employees living in a state of fear as workplace policies rapidly shift in response to the outbreak, there is a heightened risk of the types of human error that can facilitate threat actor access to corporate networks. Since the outbreak began, malicious documents with COVID-19-themed names have proliferated, and phishing campaigns have been linked back to groups operating from Pakistan, Russia, China, North Korea, and other nations. The malicious files employed in these schemes install malware, ransomware, or remote administration tools (RAT) after users are enticed to open infected emails or visiting booby-trapped websites.

Across the region, governments have issued warning to their citizens and residents to be on guard—including an advisory from the Saudi Computer Emergency Response Team on the heightened risk of phishing attacks. Banks and financial institutions have similarly sounded the alarm on the risk posed by financial scams. Warnings from Bahrain, the Central Bank of the UAE (CBUAE), and the Dubai Financial Services Authority all note that individuals and entities face a greater risk of attack and exploitation, especially as many institutions have suspended or reduced in-person transactions and pushed operations online. Observed attacks have included phone calls and even WhatsApp messages, a communication mechanism not used for official bank communications. Most recently, a United Arab Emirates (UAE) consortium consisting of the UAE Banks Federation, CBUAE, and the Abu Dhabi and Dubai police forces launched a joint anti-fraud awareness campaign. Indeed, with Trend Micro reporting more than 3,000 COVID-19 cyber attacks across the Gulf between January and March—including more than 600 cases of email phishing in the UAE alone—attacks of this type are highly likely to continue increasing throughout the crisis.

The threat of misinformation campaigns—highlighted globally in the 2016 U.S. presidential election—is continuing to grow and evolve whether from nation-states, cyber criminals, or even well-meaning but misinformed individuals. Indeed, the current information environment is ripe for exploitation given the fear and uncertainty surrounding COVID-19 as individuals seek information or worse, latch onto unproven medical treatments or false government guidance. With government entities—including first responders such as police and security personnel—preoccupied with response operations and public communications, available resources for countering or dispelling emerging misinformation campaigns are stretched thin.

Across the Gulf, countries such as UAE, Saudi Arabia, and Kuwait, have issued warnings for those caught spreading or encouraging misinformation, including the threat of fines, jail, and deportation. Kuwait has already acted against several individuals found in violation of the law, but even in light of these efforts the threat will likely remain a persistent reality throughout the duration of the crisis.

Making changes to the information security environment in the midst of a crisis is difficult. Fortunately, there are steps—especially focused on communications and awareness—that can be effectively leveraged to help.

The following recommendations are provided to help reduce the digital attack surface and prevent deeper, more persistent exploitation of an organization’s people and assets during the current state of prolonged remote work deployment:

1. Vulnerability management and security operations teams should address existing vulnerabilities that open the door for denial-of-service attacks. Prioritize patching and security tool deployments (e.g., content delivery networks designed for website security and to address availability of services during times of increased user traffic).
2. VPN connections should be established with multi-factor authentication enabled to control and protect access to enterprise networks.
3. Security teams should be prepared to increase detection and monitoring capabilities and maintain heightened vigilance of susceptible assets and infrastructure, especially those with public exposure or mission-critical assets.
4. Information security policies, specifically for remote work arrangements, should be routinely communicated and validated with staff to establish awareness, vigilance, and cyber hygiene. Complex policies may overwhelm workers, while basic cyber hygiene guidance and virtual training sessions can quickly establish an effective baseline.
5. Employees should be warned about phishing emails with COVID-19-themed filenames and attachments designed to entice them to click and open. Training should reemphasize how to identify suspicious emails or URLs suggesting links to COVID-19 information. Companies should provide guidance and links to authoritative, trusted content to reduce employee impulses to seek alternative information sources.
6. Incident response plans should incorporate out-of-band communications channels to reach employees in the event of a cyber attack to help prevent added confusion and fear, especially in a dispersed work environment.
7. Enterprise networks should ensure and reinforce blocking for downloads of unauthorized tools, applications, and software on enterprise networks or personal devices used for remote work purposes.

For more information contact [email protected].

This article is provided for informational purposes only, Booz Allen provides no warranties related to its content, and use of this information is at your own risk.