As the world went into lockdown, cybersecurity teams went on high alert. A health crisis, especially one with global reach, was almost certainly going to attract threat actors looking to capitalize on a topic with such high interest. It’s to be expected. But despite any warnings or tips we could offer at the start of the pandemic, it was challenging to accurately estimate the damage that would be caused by the speed and scale of attacks that were likely to come. The strategies and motivations had to play out, and security teams had to respond in real time.
Fast forward two-plus years, and we now have an opportunity to analyze several pandemic-related fraud campaigns we observed, the cost of the damage done at scale, and specifically how fraud affected federal security operations throughout the government’s response to COVID-19.
For more lessons learned, view our webinar on-demand, Ripped from the Headlines, to hear my discussion with Gregory J. Touhill, former U.S. Federal CISO, current Director of the CERT Division of the Carnegie Mellon University Software Engineering Institute and Brian Kime, VP of Intelligence Strategy and Advisory at ZeroFox.– AJ Nash
Impersonation of Federal Agencies and Programs
In April 2021, Kevin Reardon, Chief Operating Officer at ZeroFox, led a panel discussion with Steven Hernandez, CISO and Director of Information Assurance Services at the U.S. Department of Education, and James Saunders, former CISO of the Small Business Administration (SBA), during which they discussed the external threats they faced as a result of the pandemic and how they had to evolve quickly to respond.
For both agency leaders, the first challenge was to establish the fact that they had the authority to operate outside the agency perimeter. With no law explicitly stating that authority, they had to shift from a traditional mentality around required authorities and determine that using “proactive assertive defense” to protect external assets was an important part of their security mission.
At SBA, threats increased rapidly after the CARES Act and the Paycheck Protection Program passed, making rapid response essential. Impersonations of the agency on social media became a significant issue as fraudsters tried to cash in on the public’s interest in the new funding for small businesses. According to Saunders, in April 2020 the SBA was taking down roughly 600 social media impersonations per year. By the time Saunders left in March 2021, that rate had grown to 2,000 per year, more than a threefold increase (roughly 233%) in under a year.
Hernandez, who oversees cybersecurity at the U.S. Department of Education, had to expand his threat-hunting approach. With watering hole attacks a common tactic, and their lures often appearing in public forums, his teams had to resurface from the Dark Web into the more “common places” to understand how attackers were thinking. While not the typical procurement request, his team also registered domain names that were likely to be abused in order to stop problems before they started.
Later, when the Biden Administration announced covidtests.gov, more than 600 suspicious domains were registered. As a Fortune article points out, “Domain scams didn’t start with the COVID-19 pandemic…Yet, the unique nature of the coronavirus pandemic—from health concerns and shifting government guidelines to ripple effects like employment uncertainty—has been a boon to hackers.”
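Both the Department of Education’s pre-emptive registrations and the flood of suspicious domains after covidtests.gov rest on the same mechanic: an attacker enumerates names a citizen might mistake for the real one. The following is an added example, not code from ZeroFox or any agency, that enumerates the common permutation classes for a protected name and matches a feed of new registrations against them. The homoglyph map, keyword list, TLD list and the `NEW_REGISTRATIONS` feed are assumptions constructed for illustration.

```python
"""Lookalike-domain candidate generation and matching (added example, not
ZeroFox or agency code). The keyword list, homoglyph map and TLD list are
assumptions chosen for illustration, not a published standard."""
from typing import Dict, Iterable, Tuple

HOMOGLYPHS = {"o": "0", "i": "1", "l": "1", "s": "5", "e": "3", "a": "4", "t": "7"}
KEYWORDS = ("free", "order", "official", "my", "get")
TLDS = ("com", "net", "org", "us", "info", "co")


def split_domain(domain: str) -> Tuple[str, str]:
    """Split 'label.tld'. Single-level TLDs only; multi-label public suffixes
    such as .co.uk are out of scope for this example."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def lookalike_candidates(domain: str) -> Dict[str, str]:
    """Return {candidate_domain: permutation_type} for a protected domain.
    The first permutation class that produces a candidate is recorded; the
    exact protected name is never included."""
    label, tld = split_domain(domain)
    out: Dict[str, str] = {}

    def add(name: str, kind: str, suffix: str = tld) -> None:
        cand = f"{name}.{suffix}"
        if cand != domain.lower() and cand not in out:
            out[cand] = kind

    for i in range(len(label)):                      # covidtest.gov
        add(label[:i] + label[i + 1:], "omission")
    for i in range(len(label) - 1):                  # cvoidtests.gov
        if label[i] != label[i + 1]:
            add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    for i in range(len(label)):                      # covidtestss.gov
        add(label[:i] + label[i] + label[i:], "repetition")
    for i, ch in enumerate(label):                   # c0vidtests.gov
        if ch in HOMOGLYPHS:
            add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:], "homoglyph")
    for i in range(1, len(label)):                   # covid-tests.gov
        add(label[:i] + "-" + label[i:], "hyphenation")
    for kw in KEYWORDS:                              # freecovidtests.gov
        for name in (kw + label, label + kw, f"{kw}-{label}", f"{label}-{kw}"):
            add(name, "keyword")
    for alt in TLDS:                                 # covidtests.com
        if alt != tld:
            add(label, "tld-swap", alt)
    return out


def flag_registrations(domain: str, registrations: Iterable[str]) -> Dict[str, str]:
    """Match newly observed registrations against the candidate list and
    return {registration: permutation_type} for the hits."""
    candidates = lookalike_candidates(domain)
    hits: Dict[str, str] = {}
    for reg in registrations:
        name = reg.strip().lower()
        if name in candidates:
            hits[name] = candidates[name]
    return hits


# Constructed sample feed of new registrations (not real registration data).
NEW_REGISTRATIONS = [
    "covidtests.com", "Covid-Tests.gov", "c0vidtests.gov",
    "freecovidtests.gov", "covidtest.gov", "example.gov", "vaccines.gov",
]

if __name__ == "__main__":
    for name, kind in sorted(flag_registrations("covidtests.gov", NEW_REGISTRATIONS).items()):
        print(f"{name:24s} {kind}")
```

The same candidate list serves two purposes: the short, cheap subset (TLD swaps, hyphenation, the most plausible keyword forms) is what a team registers defensively, while the full list is what it watches for in certificate-transparency logs or newly-registered-domain feeds. Which names are worth the registration fee versus only monitoring is a judgement call the code does not make for you.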
Impersonation of US Citizens
Only after the government’s response to COVID has nearly run its course are we getting to see the true damage attributed to impersonation fraud. In December 2021, approximately two years after the “start” of COVID, the US Department of Labor reported, “More than $87 billion in unemployment benefits funded by the federal government was likely siphoned from the system during the Covid-19 pandemic, much of it due to fraud.”
According to ProPublica, Unemployment Insurance (UI) fraud during the pandemic was “perhaps the largest fraud wave in history,” as evidenced by the example of one person using a single Social Security number to file claims in 40 states; collecting $222,532 from 29 of them. Unsurprisingly, those fake claims from “state residents” actually originated from IP addresses in nearly 170 countries. At the same time that crime rings were expanding their targets, agencies were losing staff and budgets. While combating UI fraud was nothing new to agencies prior to COVID, the volume and speed of attacks during the pandemic left them vulnerable.
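The two signals ProPublica describes, one identifier filing in dozens of states and claims arriving from foreign IP space, are exactly the kind of cross-record correlation a single state cannot see on its own. The following is an added example, not Department of Labor or state workforce agency code, that runs those detections plus a shared-source-IP check over a constructed claim feed. The field names, the `ip_country` enrichment (assumed to have been done upstream by a geolocation step) and the thresholds are assumptions.

```python
"""Cross-state unemployment-claim correlation (added example, not DOL or
state agency code). Field names, the ip_country enrichment and thresholds
are assumptions for illustration."""
import csv
import io
from collections import defaultdict
from typing import Dict, List

# Constructed sample records. identity_id stands in for a hashed SSN so the
# raw identifier never enters the detection pipeline.
CLAIMS_CSV = """claim_id,identity_id,state,src_ip,ip_country
1001,ID-7f3a,CA,203.0.113.10,RO
1002,ID-7f3a,TX,203.0.113.11,RO
1003,ID-7f3a,NY,198.51.100.7,NG
1004,ID-2b9c,WA,192.0.2.44,US
1005,ID-2b9c,OR,192.0.2.44,US
1006,ID-91e0,FL,192.0.2.44,US
1007,ID-c4d1,AZ,192.0.2.9,US
"""


def parse_claims(text: str) -> List[Dict[str, str]]:
    return list(csv.DictReader(io.StringIO(text)))


def multi_state_identities(claims, min_states: int = 3) -> Dict[str, List[str]]:
    """Identities that filed in at least min_states distinct states."""
    states = defaultdict(set)
    for c in claims:
        states[c["identity_id"]].add(c["state"])
    return {ident: sorted(s) for ident, s in states.items() if len(s) >= min_states}


def offshore_claims(claims, home_country: str = "US") -> List[str]:
    """Claim ids whose source IP geolocates outside the home country."""
    return [c["claim_id"] for c in claims if c["ip_country"] != home_country]


def shared_source_ips(claims, min_identities: int = 2) -> Dict[str, List[str]]:
    """Source IPs used by at least min_identities distinct identities."""
    idents = defaultdict(set)
    for c in claims:
        idents[c["src_ip"]].add(c["identity_id"])
    return {ip: sorted(i) for ip, i in idents.items() if len(i) >= min_identities}


def score_claims(claims) -> Dict[str, List[str]]:
    """Per-claim list of triggered reasons, in a fixed order so output is stable."""
    multi = multi_state_identities(claims)
    offshore = set(offshore_claims(claims))
    shared = shared_source_ips(claims)
    scored: Dict[str, List[str]] = {}
    for c in claims:
        reasons = []
        if c["identity_id"] in multi:
            reasons.append("multi_state_identity")
        if c["claim_id"] in offshore:
            reasons.append("offshore_source")
        if c["src_ip"] in shared:
            reasons.append("shared_source_ip")
        scored[c["claim_id"]] = reasons
    return scored


if __name__ == "__main__":
    for claim_id, reasons in score_claims(parse_claims(CLAIMS_CSV)).items():
        if reasons:
            print(claim_id, ", ".join(reasons))
```

These are triage signals, not verdicts: a shared IP can be a household or carrier NAT, a worker who moved between two states can legitimately appear in both, and VPN use will put honest claimants behind foreign addresses. The point of the example is the correlation across states, which only becomes possible once the information-sharing the article describes below is in place.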
Despite several attempts to correct UI fraud through proposed legislation over the past couple of years, further guidance, enforcement mechanisms, and new technologies are needed for significant change to occur.
Expensive Silver Lining
Large agencies and major funding programs are great targets for criminals because they provide the most bang for the buck. And, as systems are hardened, adversaries look for other ways in. Social media, for instance, is where we often find highly motivated adversaries conducting targeted campaigns against large agencies and their programs.
On a positive note, agencies have grown their capacity to handle impersonation threats, a very expensive silver lining in retrospect. Among the ways the government has matured, or is maturing, its response to impersonation threats:
- Leading agencies implemented automation tools that continuously monitor external assets and respond quickly to large scale attacks.
- Revised Department of Labor policy pertaining to state information sharing now requires states to share confidential information with federal inspectors general for fraud investigation purposes.
- Proposed legislation to reauthorize cyber training programs such as the Department of Homeland Security’s (DHS) National Computer Forensics Institute (NCFI).