Online 'phishing' attacks targeting housebound federal staffers as COVID-19 spreads

The number of "phishing" attacks meant to steal the online credentials of public servants and corporate sector employees now housebound due to the COVID-19 pandemic is on the rise, one cyber security expert warns.

Many attempts are being made against employees who are working from home on virtual private networks (VPNs). Cyber experts are still gathering data to establish a direct correlation between the pandemic crisis and the increase in malicious activity.

But Rafal Rohozinski, chief executive officer of the SecDev Group of Companies, said this pandemic moment — when large numbers of employees are at home and receiving instructions from their workplaces on how to connect to internal networks — offers online thieves a "huge opportunity."

Federal government and corporate sector systems were never designed to support a sudden, mass migration of employees from offices to their homes, he said.

"The opening that creates for those who want to wreak havoc through ransomware and malware is really, really significant," said Rohozinski. "And I don't think we're anywhere near prepared for that.

"What we're seeing is an increase in phishing being used as a means to get people's credentials."

An internal note circulating among federal employees on Tuesday, obtained by CBC News, warned those working at home to be on guard against phishing attempts — to stay off YouTube and avoid social media sites such as Facebook, to avoid large transfers of data and to use their cellphones to read and send email.

The system is under strain because of the large number of users. The memo warns federal workers they "may face issues when attempting to connect remotely" for things such as teleconferences.

A spokesman for the Communications Security Establishment (CSE), Canada's electronic surveillance agency, said it has moved to dismantle fake websites linked to phishing attacks.  

"While we are limited in what we can say on specific operational efforts, we can confirm that CSE is contributing to Canada's response to the COVID-19 virus," said Ryan Foreman, a CSE spokesman, in an email Tuesday.

"For example, we are working in coordination with our partners to ensure COVID-19 related phishing sites mimicking the Government of Canada are removed."

A statement from Shared Services Canada, the agency that oversees the federal government's computer network, said it believes the system has the capacity to handle the flood of employees working from home, but noted it is advising people to stay off of social media sites and to work staggered hours.

The agency also said it believes its VPN network is secure.

U.S. Health Department attacked

The U.S. Health and Human Services Department's website was hit by a cyber attack over several hours on Sunday, an incident which involved overloading its servers with millions of hits.

Officials said the system was not penetrated, although media reports in Washington described it as an attempt to undermine the U.S. government's response to the coronavirus pandemic — and may have been the work of a foreign actor.

Rohozinski said that while the facts are not all in yet, his "professional guess" is that there's a link between the attack and the COVID-19 crisis.

Concern about the vulnerabilities exposed by having so many federal and corporate employees working from home is also present in the U.S., where a senior fellow at the The Wilson Center, in Washington, expressed concern Tuesday.

"As much of the nation switches from office-based activities to remote work, it's unclear how well we are prepared for such a seismic shift," said Stuart Brotman.

"Several potential problems come quickly to mind. Many company networks, particularly those supporting small and medium-sized businesses, are not protected from system contamination — viruses of a different kind that may be spread to company employees working at home."

Last week, Canada's top military commander warned that he'd seen recent indications the country's adversaries intend to exploit the uncertainty, confusion and fear generated by the pandemic.

Gen. Jonathan Vance, chief of the defence staff, was not specific about the potential threats — but experts say they could range from hacking to online disinformation campaigns aimed at discrediting the federal government's response.

Rohozinski said he's concerned about the federal government's technical capacity to support thousands of employees on private networks.

"Everybody's moving on to VPNs. Everybody," he said. "This is an enormous pinpoint and an enormous vulnerability."

Federal Digital Government Minister Joyce Murray's office was asked for a response Monday, but was unable to provide an immediate comment.

Many of the country's leading information technology companies are part of the Canadian Cyber Threat Exchange (CCTX), a nonprofit centre where companies can swap information and insights. A CCTX spokeswoman said the corporate sector is better prepared to face the challenges posed by the mass movement of employees to home networks.

Still, there is reason for concern.

"Given we are moving people to work from home now, companies need to ensure that the work from home environment is as safe as the corporate environment and that people are trained to notice these phishing campaigns, just like they were in the corporate environment," said Mary Jane Couldridge, director of business development at the CCTX.

"It's a matter of keeping our community aware of what is impacting Canada daily so we know how to react to it and prevent it from spreading — and not chase rainbows."

Most corporations have plans they'll activate now to cover the wholesale movement of employees to networks outside of the office, she added.