Skip to content


Making sense of our connected world


Making sense of our connected world


State-sponsored cyber activities in Coronavirus times

29 April 2020| doi: 10.5281/zenodo.3775746

The coronavirus pandemic has created a gold mine for cybercriminal activities, including those sponsored by states, generating digital chaos. However, amid this chaos, a light at the end of the tunnel may be seen, involving interactions between states and society.

The coronavirus pandemic has increased the online presence of people as a result of the social distance measures, making society more dependable on digital infrastructure. Not only home-office seems to be the “new normal,” but also some services, such as grocery’s or medical supplies delivery, were forced to deal with a huge online demand quickly. The speed on digitalization of some services, as those examples, converted them into new digital vulnerabilities, once their security barriers were not properly settled and cyberattacks could easily disrupt society’s functioning through them. Besides the move to less secure environments (either by lack of preparation or lack of cybersecurity awareness), such as private homes, made available to malicious actors more access points to digital systems. The increase of these access points is due to the availability of more people online that can be lured to make security mistakes, giving to cybercriminals the opportunity needed to operate and usually achieve financial gains. The pandemic in this way has generated a mine of gold for malicious actors as people’s fear or curiosity toward the virus outbreak makes them more susceptible to psychological manipulation, allowing cyberattacks through social engineering to happen.

However, the cybercriminal activity related to COVID-19 is not restricted to individuals trying to obtain financial gains. There have been some findings on suspected state-sponsored groups conducting cyber operations. The Thales group’s Cyber Threat Intelligence Center and the threat intelligence company, IntSights, showed in their reports that more state-sponsored groups are using COVI-19 as part of their espionage campaigns. The reports showed that, in essence, the malicious actors emulate a trusted source and offer documents with COVID-19 information, luring their targets into opening these documents and, without knowing, downloading a hidden malware. Once downloaded, the malware provides remote control of the infected device. These activities are involving so far actors that may be linked to Russia (Hades group), China (Mustang and Vicious Panda), North Korea (Kimsuky), and Pakistan (APT36). These actors have affected by now targets in Ukraine, Taiwan, Vietnam, Mongolia, South Korea, and India.

These findings are significant as the targets typically are related to governmental agencies, making it possible for malicious actors to get access to sensitive state information, and thus making it feasible to conduct espionage campaigns. Besides, they could potentially use the new vulnerabilities in the digital domain to conduct offensive cyber operations against rival states that, if directed to the healthcare sector, especially at this moment, could result in actual deaths.In front of the digital perils of these types of cyber activities online, there is the need as UN Under-Secretary-General Fabrizio Hochschild called for a global “digital ceasefire” during the pandemic. Still, the solution might not come from states itself in the first moment, but society.

States, Proxies and Society

To understand how the solution to curb malicious activities perpetrated by state-sponsored actors may be developed, it is essential to know that the use of these actors in the digital domain is not new. In fact, since the public revelation of Stuxnet malware, most states became aware of political and military options cyberspace provided for them. The range of these opportunities, coupled with the possibility to act extraterritoriality employing non-state actors, usually operating from third countries (Maurer,2018),  provided them the comfortable legal situation needed to engage in a “less diplomatic way” in their cyber operations.

Thus, the main benefit generated by the use of these non-state actors (proxies) is related then to the fact that the outcomes of their actions, cannot be directly associated with states. This indirect relationship means that states cannot be held legally responsible for the actions proxies carry on (at least for the time being). This relationship thus allows proxies to conduct not only cyber-espionage campaigns for states but also act in other types of cyber operations. Indeed, according to the IntSight’s cyber threat analyst Charity Wright, some countries attempt “to promote division and distrust in institutions like the free press, civil society groups, and non-governmental organizations.” The Hades group is an excellent example, as it deployed a disinformation campaign, related to COVId-19, that, coupled with the arrival of a flight of evacuees from China, incited riots and looting across Ukraine (Thales; IntSights).

In sum, both espionage campaigns and the possibility of other cyber operations conducted by proxies lead to distrust not only among governments and civil society but also between states, especially during the chaotic times generated by the pandemic. Thus, a movement to reach a close “digital ceasefire” should target trust and transparency. These elements do not seem present on some states’ intentions, as they can gain from the use of proxies in cyberspace. One alternative that emerges is a bottom-up movement initiated by a social demand.

The light at the end of the tunnel?

The pandemic could create momentum for society to realize that they have a voice in digital outcomes. As Yuval Noah Harari exposed, well-informed people who have access to scientific facts and trust public authorities to tell them these facts can act spontaneously for the common good. Therefore, as cyber proxies operate in the shadows, people demanding an open debate with states regarding digital information on COVID-19 could throw some lightning into the darkness. People could then enhance their trust in governments, being less accessible to fall into psychological manipulation and, by consequence, proportionally tackling the malicious cyber activities (generating a diffuse cyber defense against diffused cyberattacks). Besides, information sharing with allied nations could decrease the curiosity or mistrust among states that could potentially lead to espionage, at least relate to coronavirus’s information. The trust among nations then could proportionate the possibility of collective reactions toward countries that insist on supporting deviant actions in the digital realm based on the current pandemic.

Trust is the keyword, and it may be achieved by transparency and an open discussion toward the development of a “digital agenda for pandemic response,” involving among other propositions a multi-stakeholder approach and expansion on information sharing. However, the development of such type of agenda must be called upon society, at least democratic ones, and the first step is to people to start thinking about actions during the pandemic in a more critical way, including digital ones.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact

Further articles

Why we need fewer men in computer science

There have been calls for more women in computer science for decades, but so far nothing has changed. Therefore, we claim that it is time to invert the call: we...

Myth: AI will end discrimination

We approach the de-mystification of this claim by looking at concrete examples of how AI (re)produces inequalities and connect those to several aspects which help to illustrate socio-technical entanglements.

Siri’s evil sister. When the Dutch public service steals your data

“System Risk Indication” (SyRI) deployed by the dutch government for automatically detecting social benefit fraud. The program was shut down due to a severe lack in transparency and unproportional collection...