The hacks he developed to help Mr Robot protagonist Elliot Alderson snare criminals may have been fabricated for TV, but Marc Rogers' latest project is having a very real impact on a “gold rush” of cybercriminals taking advantage of COVID-19’s disruption.
As a manager of the global CTI League, Rogers – a longtime hacker who is currently vice president of cybersecurity strategy for Okta – helped launch the effort in mid-March to protect overworked healthcare organisations, and within weeks watched it grow to over 1,400 volunteers, in 76 countries including Australia.
The first report by the moonlighting anti-hackers – made up largely of cybersecurity researchers and specialists – identified and lodged takedown notices for 2,833 cybercriminal domains in their first month, including 17 domains emulating government bodies, the United Nations, and the World Health Organization.
They also identified over 2,000 vulnerabilities in healthcare institutions that could have been exploited by malicious hackers – who have been enthusiastically taking advantage of the disruption caused by COVID-19.
Australian targets were high on cybercriminals’ hit lists, a recent analysis by Palo Alto Networks’ security-research arm Unit 42 found, with Nigerian cybercrime group SilverTerrier one of many groups ramping up their efforts.
Sitting ducks for cybercrims
Cybercriminals “know there is an opportunity here and everybody is trying to cash in on it,” Rogers told Information Age, “and the fact that we’re all isolated is a multiplier.”
“Normally you get a degree of protection from being inside your company,” he explained, “and when you’re surrounded by colleagues you can easily approach your IT or security department if you get pwned.”
“But if you’re sitting at home, it’s really hard for someone to triage a laptop that has just been hacked. A lot of companies just were not prepared for the rapid shift from centralised work in the office to distributed remote working.”
CrowdStrike’s recent Work Security Index found that 47 per cent of Australian executives believe they are more likely to experience serious cybercrime during the COVID-19 pandemic than they were before it – yet only half have trained their employees about the additional risks of working from home.
Many of the scenarios playing out every day are reminiscent of those that Rogers designed for the TV series Mr Robot, whose hacker-cum-cyber vigilante protagonist draws on an extensive hacker toolkit to take down paedophiles, criminals and corrupt governments.
The hacks in the series have been lauded for their realism, with Rogers one of several consultants who worked with the show’s writers to design terrifying attacks including planting malware-ridden USB drives, mobile phone hacks, Bluetooth exploits, car hacking, ransomware, and manipulation of industrial control systems.
Just weeks into its work, CTI League’s resume is filling out with reports of similar threats in the real world – including threats against national security, ineffective takedowns, issues impacting government infrastructure, targeting of a specific medical facility, and more.
Rogers’ hacker army isn’t the only volunteer group fighting COVID-19 exploitation – groups like the COVID-19 Cyber Threat Coalition are also lending a hand – but its rapid growth suggests the pandemic has become a focal point for the ongoing battle between ethical and criminal hackers.
“The problems are across the board,” Rogers said – noting that amidst high levels of misinformation and targeted attacks, nation-state actors are also “taking advantage of the chaos to further their own agendas attacking infrastructure”.
Frequent attacks on hospitals “didn’t surprise me that much”, he added, “because most of these cyber criminals are willing to steal money from old people – and if you’ve got that level of morality, it’s no surprise that you are willing to attack a hospital.”
Salad days for cybercriminals
Despite Alderson’s hacking prowess, real-world cybercriminals don’t have to work anywhere near as hard to break targets’ often laughable security.
With a wealth of hacking resources at their fingertips, unsophisticated cybercriminals can launch large-scale phishing and malware attacks on targets that have been – as in the case of many banks – diverting resources from business-as-usual to attend to their COVID-19 response.
“If you want to obtain some credentials and become a cybercriminal, you don’t even need to be smart enough to connect to Tor and find these deep darkweb sites,” said Sophos global solutions engineer Ben Verschaeren during a recent live-hacking webinar.
Alderson is adept at figuring out targets’ passwords, but publicly available forums already offer millions of passwords skimmed from compromised sites like Ashley Madison, Zoom, and the US Office of Personnel Management (OPM).
Those passwords are often reused on employees’ LinkedIn, company email or other accounts – it happens with what Verschaeren called “ridiculous” frequency – providing an open door for cybercriminals to log into employees’ accounts and wreak havoc from within.
“Attackers will go through email and see, for example, an interesting email thread where Stephen in Accounts is waiting for the CFO to send a report,” Verschaeren said, “and they’ll insert malware into an emailed response.”
“More than likely, they will open that attachment no questions asked, and that’s going to give the hacker that initial point of persistence inside the network.”
Once in the network, hackers can use existing tools to traipse across the target network, potentially planting malware that gives them total control over compromised systems – which may, as the likes of Toll Group and BlueScope Steel recently discovered, lead to major business disruption.
“As a cybercriminal it really is quite trivial to attack networks,” Verschaeren said, “and as you do it more and more you notice the same problems in other environments.”
“This isn’t crazy hacker stuff; this is just abusing the native design of Windows.”