The Global Health Pandemic Has Led to an Increase in Nation State Disinformation Campaigns

By Mark Pomerleau, Public Affairs Officer, MCPA and Lt. Col. Roman Vitkovitsky, USMC

May 5, 2020

Nation state actors are increasing their online disinformation activities amid the global, novel coronavirus pandemic (COVID-19). In order to sow confusion and discord among the international community, state-sponsored actors are setting their digital sights on private businesses. The complexity of the activities indicates the use of traditional intelligence techniques on a much wider scale than previously experienced.

The number of disinformation cases globally has skyrocketed since the pandemic and stay-at-home orders emerged, Lt. Col. Roman Vitkovitsky, Cyber Operations Director at the Marine Corps, outlined during the Military Cyber Professionals Association’s second installment of Lockdown Lunch & Learn (3L) Tuesday, April 29.

Disinformation cases about COVID-19 have gone from about 79 in March to nearly 300 by March, according to observations made by Internet security firms and discussed in his presentation.

Actors such as Russia have perpetrated disinformation campaigns in the past. As they continue to conduct these online operations, their techniques and targeting evolve. While past operations utilized the English and Russian languages, the current operations have diversified into French, Italian, and Arabic.

However, Russia is not the only actor on the stage. The People's Republic of China (PRC) has also leapt onto the scene, adopting lessons learned and waging similar campaigns in new territory. The China Arabic Broadcasting Station, a PRC-owned radio station, initiated a comprehensive effort in Arabic purporting an American origin for the novel coronavirus. This false narrative was unmasked and tracked through tools and reports from private companies and non-governmental organizations.

These campaigns embody the “infodemic” concept identified by Zignal Labs, which analyzed inauthentic behavior online in order to fingerprint nation state malicious activity. By flooding the information space, an adversary can make it difficult to discern factual and relevant information from misinformation and disinformation.

Beyond the influence campaigns are techniques used to target businesses and individuals in the midst of the infodemic: Business Email Compromises (BEC) and attacks on Remote Desktop Protocols (RDP).

These tactics require a great deal of intelligence in order to specifically target an organization or email. Nation states are very good at gathering and acting upon intelligence to perpetrate these types of attacks. Identifying a target through highly reliable intelligence techniques helps ensure their chosen victim will respond to what seems to be an authentic business transaction or other work function. These overtures can facilitate information exchanges and ultimately wire transfers leading to the loss of billions of dollars.

Business email compromises, Vitkovitsky said, rely on deception and go beyond ordinary phishing campaigns. While this tactic accounts for only seven percent of total phishing attempts, he noted, it is three times more effective because the perpetrators are opportunistic, with targets now including SMS text messages.

Image: COVID-themed phishing text message claiming to be from the “UKGOV.” COVID-19 exploited by malicious cyber actors advisory, UK National Cyber Security Centre, 8 April 2020.
Image: Italian COVID-related phishing email enticing the reader to open the attached malicious Word document. https://www.inforisktoday.com/uk-us-security-agencies-sound-covid-19-threat-alert-a-14085

The intent of these types of attacks, he added, isn’t just to gain a monetary advantage, but to shape the views of the public and create a social fracas. For example, false themes ranging from Italy’s abandonment by the European Union, to bogus relationships between 5G and the spread of COVID are being actively promoted by China and Russia.

Reposify, a network security firm, reported a 127% increase in exposed remote desktop protocols due to the surge in remote work under the COVID lockdown. Vitkovitsky also quoted Dr. Johannes Ullrich, the dean of research at the SANS Technology Institute, as saying, “The number of source IP addresses attackers used to scan the internet for RDP increased by about 30% during March, from an average of 2,600 attacking IP addresses to around 3,540 each day in March.”

Improperly configured telework systems have resulted in more attacks utilizing RDP where, according to Vitkovitsky, credentials are then stolen to gain access to the entire internal network of the target organization. Advanced Persistent Threats (APTs) use intelligence to target their victims and do not usually use complex cyber attacks. The focus is on making the lure attractive to the specific recipient. APTs can then prosecute lateral phishing attacks after attaining initial email compromise.

The credentials permit adversaries to gain additional intelligence about the connections of the initial target, and result in the increased vulnerability of adjacent systems. Credentials are bought, sold and traded to grant access to specific business systems. Then, using misconfigured links, hijacked sites, and other tools, a feedback loop is developed where more targets are identified and the cycle continues.

Vitkovitsky noted that many have considered leveraging cyberspace operations for information statecraft during the coronavirus infodemic. Defense Support of Civil Authorities (DSCA) may be one solution to better protect businesses and society from disinformation campaigns. DSCA allows the military, in certain circumstances such as disaster relief and assistance, to operate domestically, which it is normally barred by law from doing.

In response to the pandemic, DSCA is already used to provide construction support, security assistance, and medical treatment from the Armed Services to the wider community. The authorities outlined in DSCA are time-tested. Military Support to Civil Authorities is not new.

However, doctrine in the individual Services has yet to be updated to outline Cyber as an emergency support function and to stipulate its proper utilization. The policies and responses of the military departments providing civil support have evolved from the early 1950s to today. The current DOD Directive was initiated in 2010 and amended in recent years. This overlaid the 1994 Stafford Act, and so on. The legislative underpinnings have been generally successful.

But we can go further. During this pandemic, we have been under an onslaught of fake news and malign messages. As global power politics plays out over types of media that did not even exist when most DSCA legislation was conceived and written, there is a need to reassess the interaction of the DoD in the broader framework.

About the Authors

Mark Pomerleau is the MCPA Public Affairs Officer (PAO) and a journalist whose work has focused on information warfare, cyber, electronic warfare, intelligence, and defense technology. His work has appeared in The Hill, The Atlantic, Defense News, C4ISRNET and Fifth Domain.

Lt. Col. Roman Vitkovitsky is the Director of Cyberspace Operations for the United States Marine Corps.