Emerging Threats

Cyber attack trends during the lockdown

· frtg · 2 min read

From January 2020 onwards, and particularly during the lockdown months, we observed an exponential increase in cyber crime incidents.

Estimates indicate that incidents recorded in the first six months of 2020 matched in volume the total incidents registered throughout 2019.

During this period, we tracked a rise in malware attacks delivered via email (multiple COVID-19 themed campaigns) and attacks targeting publicly exposed servers, particularly RDP, Citrix, and VPN infrastructure.

What merits particular attention is not the technical evolution of the attacks, which follows established trends from preceding years, but the marked increase in manual operator activity and targeted attacks conducted by threat actors.

1. Healthcare

Compromise and sale of administrative access credentials to a European hospital infrastructure:

  • 5 000 employees
  • RDP access with administrative privileges
  • asking price: $4 000

Link: https://www.linkedin.com/feed/update/urn:li:activity:6676036086457790464

2. Engineering and Large Construction

We tracked targeted ransomware attacks, with exfiltrated data published and sold on black market forums. Cyber Threat Intelligence monitoring has identified multiple threat actors operating within this vertical, leveraging the MITRE ATT&CK technique T1486 (Data Encrypted for Impact) and the tactic TA0010 (Exfiltration).

Link: https://www.linkedin.com/feed/update/urn:li:activity:6677136813322321920

3. Law Firms and Small Enterprises

We observed attacks targeting small enterprises (hundreds of workstations). Access credentials were sold on black market venues for several hundred euros.

Italian organizations were among the identified victims.

Link: https://www.linkedin.com/feed/update/urn:li:activity:6679409641694273536

4. Large Enterprises

We tracked targeted ransomware attacks and phishing campaigns (T1566.002 – Phishing: Spearphishing Link) aimed at compromising critical systems. Notable victims include Twitter, Geox, and Garmin.

Link: https://www.linkedin.com/feed/update/urn:li:activity:6689285691685289984

The convergence of increased manual operator engagement, targeted attack methodologies, and cross-sector victimization reflects a fundamental shift in threat actor operational patterns—moving from indiscriminate commodity malware distribution toward precision-targeted intrusions with explicit monetization objectives.
