You’re reading it here first: “Every [Indian] state is using its own set of apps for various [COVID-19 related] purposes — maybe for tracking, maybe for keeping account or whatever. And these apps have not gone through, ideally, the sort of process that we would have liked, the set of security testing, etc. So that is another cause of concern because what is going to happen tomorrow if these apps and the data that they have taken, if that data is gone, it is going to create its own set of problems,” India’s National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant said during an online event organised by UN Women on “Cyber Crime Trends and Digital Safety amidst COVID-19 Pandemic”.

Hospitals, medical equipment particularly under threat at this time: Pant

If that is not enough, since a lot of medical equipment has been imported in a hurry, it is prone to “supply chain infection”, Pant said. “Supply chain infection is another way [of targeting hospitals] because hospitals are research facilities, we find, are the biggest targets today that people are trying to extract data as to what is the research going on to find a vaccine, etc.,” he explained.

“Today, every medical equipment has got electronics in it. And this can possibly be a reason for [planting] ransomware in hospitals although the attacker can also get in through the phishing and other methods of attack,” Pant said. And hospitals are “immediately ready to pay in bitcoins”, making them more vulnerable to ransomware, he said.

‘Cyber crimes have gone up by 600% globally’

Two factors have led to this massive spike in cyber crimes — working from home and fear of pandemic, Pant explained.

Work from home leads to the ‘insecurity of the entire chain’: When people worked from business houses, factories and enterprises, “they were behind a very secure sequence of defence in depth”. “You had a perimeter defence, a firewall, an intrusion detection system, an intrusion prevention system, some other AI-based devices to help you out with email security,” Pant explained. As people work from home, the security of the end point, such as the laptop or the smartphone, is not guaranteed: “You are not aware what is the software, whether the patches have been updated or not, and then what is the connection to his home router, his access points, which are the other IoTs which are connected to it, what is the network behind it of the telecom service providers, and if he is using a VPN or an SSL, what are the SSL aggregators in the enterprise,” Pant said. “The entire architecture of cybersecurity has undergone a change,” he said.

Fear of the pandemic makes people more vulnerable to frauds: People are looking for advisories and maps of where COVID-19 has spread, and numerous apps have “suddenly sprung up”. This has created “the perfect storm for fraudsters”, as cyber criminals are always on the lookout for big events such as the Olympics, the World Cup, etc., Pant said. “You are aware of [what] happened in the PM CARES Fund, you are aware of the WHO site being cloned, all of us have heard that more than 130,000 sites have been registered in the name of Corona or COVID out of which five to six thousand have proven to be frauds,” he said. For a fraud of this kind to be successful, the perpetrator needs a success rate of 4%. “The average success rate of these clickbaiting lures is supposed to be 4%,” Pant said. And once they gain access, depending on the vector, the fraudsters can use it to get data, practise social engineering, or “if you are part of an enterprise, they want to do a lateral spread, come onto the admin server, escalate the privileges, then sit on it, and then maybe resort to ransomware”, he explained.

When information about fake UPI IDs spoofing the PM CARES Fund came in, “Computer Emergency Response Team [CERT-In] and the I4C, India Cyber Crime Coordination Centre, worked closely with each other, particularly in blocking those accounts as well as in chasing the culprits to ensure that there are enough deterrents in the system,” Rakesh Maheshwari, Senior Director and Group Coordinator, Cyber Law and e-Security at the Ministry of Electronics and Information Technology (MEITY), said.