Skip to content
frederic-koberl-x_0hW-KaCgI-unsplash
29 April 2020| doi: 10.5281/zenodo.3775746

State-sponsored cyber activities in Coronavirus times

The coronavirus pandemic has created a gold mine for cybercriminal activities, including those sponsored by states, generating digital chaos. However, amid this chaos, a light at the end of the tunnel may be seen, involving interactions between states and society.


The coronavirus pandemic has increased the online presence of people as a result of the social distance measures, making society more dependable on digital infrastructure. Not only home-office seems to be the “new normal,” but also some services, such as grocery’s or medical supplies delivery, were forced to deal with a huge online demand quickly. The speed on digitalization of some services, as those examples, converted them into new digital vulnerabilities, once their security barriers were not properly settled and cyberattacks could easily disrupt society’s functioning through them. Besides the move to less secure environments (either by lack of preparation or lack of cybersecurity awareness), such as private homes, made available to malicious actors more access points to digital systems. The increase of these access points is due to the availability of more people online that can be lured to make security mistakes, giving to cybercriminals the opportunity needed to operate and usually achieve financial gains. The pandemic in this way has generated a mine of gold for malicious actors as people’s fear or curiosity toward the virus outbreak makes them more susceptible to psychological manipulation, allowing cyberattacks through social engineering to happen.

However, the cybercriminal activity related to COVID-19 is not restricted to individuals trying to obtain financial gains. There have been some findings on suspected state-sponsored groups conducting cyber operations. The Thales group’s Cyber Threat Intelligence Center and the threat intelligence company, IntSights, showed in their reports that more state-sponsored groups are using COVI-19 as part of their espionage campaigns. The reports showed that, in essence, the malicious actors emulate a trusted source and offer documents with COVID-19 information, luring their targets into opening these documents and, without knowing, downloading a hidden malware. Once downloaded, the malware provides remote control of the infected device. These activities are involving so far actors that may be linked to Russia (Hades group), China (Mustang and Vicious Panda), North Korea (Kimsuky), and Pakistan (APT36). These actors have affected by now targets in Ukraine, Taiwan, Vietnam, Mongolia, South Korea, and India.

These findings are significant as the targets typically are related to governmental agencies, making it possible for malicious actors to get access to sensitive state information, and thus making it feasible to conduct espionage campaigns. Besides, they could potentially use the new vulnerabilities in the digital domain to conduct offensive cyber operations against rival states that, if directed to the healthcare sector, especially at this moment, could result in actual deaths.In front of the digital perils of these types of cyber activities online, there is the need as UN Under-Secretary-General Fabrizio Hochschild called for a global “digital ceasefire” during the pandemic. Still, the solution might not come from states itself in the first moment, but society.

States, Proxies and Society

To understand how the solution to curb malicious activities perpetrated by state-sponsored actors may be developed, it is essential to know that the use of these actors in the digital domain is not new. In fact, since the public revelation of Stuxnet malware, most states became aware of political and military options cyberspace provided for them. The range of these opportunities, coupled with the possibility to act extraterritoriality employing non-state actors, usually operating from third countries (Maurer,2018),  provided them the comfortable legal situation needed to engage in a “less diplomatic way” in their cyber operations.

Thus, the main benefit generated by the use of these non-state actors (proxies) is related then to the fact that the outcomes of their actions, cannot be directly associated with states. This indirect relationship means that states cannot be held legally responsible for the actions proxies carry on (at least for the time being). This relationship thus allows proxies to conduct not only cyber-espionage campaigns for states but also act in other types of cyber operations. Indeed, according to the IntSight’s cyber threat analyst Charity Wright, some countries attempt “to promote division and distrust in institutions like the free press, civil society groups, and non-governmental organizations.” The Hades group is an excellent example, as it deployed a disinformation campaign, related to COVId-19, that, coupled with the arrival of a flight of evacuees from China, incited riots and looting across Ukraine (Thales; IntSights).

In sum, both espionage campaigns and the possibility of other cyber operations conducted by proxies lead to distrust not only among governments and civil society but also between states, especially during the chaotic times generated by the pandemic. Thus, a movement to reach a close “digital ceasefire” should target trust and transparency. These elements do not seem present on some states’ intentions, as they can gain from the use of proxies in cyberspace. One alternative that emerges is a bottom-up movement initiated by a social demand.

The light at the end of the tunnel?

The pandemic could create momentum for society to realize that they have a voice in digital outcomes. As Yuval Noah Harari exposed, well-informed people who have access to scientific facts and trust public authorities to tell them these facts can act spontaneously for the common good. Therefore, as cyber proxies operate in the shadows, people demanding an open debate with states regarding digital information on COVID-19 could throw some lightning into the darkness. People could then enhance their trust in governments, being less accessible to fall into psychological manipulation and, by consequence, proportionally tackling the malicious cyber activities (generating a diffuse cyber defense against diffused cyberattacks). Besides, information sharing with allied nations could decrease the curiosity or mistrust among states that could potentially lead to espionage, at least relate to coronavirus’s information. The trust among nations then could proportionate the possibility of collective reactions toward countries that insist on supporting deviant actions in the digital realm based on the current pandemic.

Trust is the keyword, and it may be achieved by transparency and an open discussion toward the development of a “digital agenda for pandemic response,” involving among other propositions a multi-stakeholder approach and expansion on information sharing. However, the development of such type of agenda must be called upon society, at least democratic ones, and the first step is to people to start thinking about actions during the pandemic in a more critical way, including digital ones.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Bruna Toso de Alcântara

Ehem. Fellow: Daten, Akteure, Infrastrukturen

Sign up for HIIG's Monthly Digest

HIIG-Newsletter-Header

You will receive our latest blog articles once a month in a newsletter.

Explore Research issue in focus

Platform governance

In our research on platform governance, we investigate how corporate goals and social values can be balanced on online platforms.

Further articles

Modern subway station escalators leading to platforms, symbolizing the structured pathways of access rights. In the context of online platforms, such rights enable research but impose narrow constraints, raising questions about academic freedom.

Why access rights to platform data for researchers restrict, not promote, academic freedom

New German and EU digital laws grant researchers access rights to platform data, but narrow definitions of research risk undermining academic freedom.

Three groups of icons representing people have shapes travelling between them and a page in the middle of the image. The page is a simple rectangle with straight lines representing data used for people analytics. The shapes traveling towards the page are irregular and in squiggly bands.

Empowering workers with data

As workplaces become data-driven, can workers use people analytics to advocate for their rights? This article explores how data empowers workers and unions.

A stylised illustration featuring a large "X" in a minimalist font, with a dry branch and faded leaves on one side, and a vibrant blue bird in flight on the other. The image symbolises transition, with the bird representing the former Twitter logo and the "X" symbolising the platform's rebranding and policy changes under Elon Musk.

Two years after the takeover: Four key policy changes of X under Musk

This article outlines four key policy changes of X since Musk’s 2022 takeover, highlighting how the platform's approach to content moderation has evolved.