The Year Four report covers 2020 and summarizes the achievements and effort of the NCSC's Active Cyber Defence (ACD) programme over that year.
# Incident Report: Active Cyber Defence (ACD) Year Four Operations
## Executive Summary
In 2020, the NCSC's Active Cyber Defence (ACD) programme scaled up significantly to counter a surge in cyber-enabled fraud and exposed infrastructure, driven largely by the COVID-19 pandemic. Over 700,000 online campaigns were taken down, more than 15 times the 2019 figure. The programme protected the UK public and public-sector infrastructure by automating the detection and removal of malicious content, blocking malicious domains at the resolver, and helping public-sector organizations secure their email and web estates.
## Incident Details
- **Discovery Date:** Continuous; ACD services detect and act throughout the year rather than on a single event
- **Incident Date:** January 1, 2020 – December 31, 2020
- **Affected Organization:** UK Public Sector, NHS, and the General Public
- **Sector:** Government, Healthcare, and Finance
- **Geography:** Targets in the United Kingdom; attack infrastructure hosted worldwide
## Timeline of Events
### Initial Access
- **Date/Time:** 2020 (Peak during COVID-19 lockdowns)
- **Vector:** Phishing, SMS-phishing (Smishing), and Vulnerable Edge Devices
- **Details:** Attackers extensively used COVID-19 themed lures (e.g., vaccine information, NHS notifications, and government grants) to trick users into providing credentials or downloading malware.
### Lateral Movement
- **Details:** The ACD report focuses on external defense and does not trace lateral movement in detail; it notes that attackers exploited unpatched vulnerabilities in public-facing infrastructure to gain internal access, with the NHS and vaccine research supply chains singled out as targets.
### Data Exfiltration/Impact
- **Details:** Large-scale credential harvesting through fake government portals (HMRC, Gov[.]uk) and financial loss to individual citizens through "mandate fraud" and investment scams.
### Detection & Response
- **How it was discovered:** Phishing and fraud campaigns were identified through the takedown service's threat-intelligence feeds and through public reports to the Suspicious Email Reporting Service (SERS); separately, "Web Check" scanned public-sector websites for vulnerabilities and "Early Warning" flagged compromised or exposed systems from NCSC and partner intelligence feeds.
- **Response actions taken:** Automated takedown requests to hosting providers and registrars; DMARC adoption across public-sector email domains, supported by the Mail Check service, to stop spoofing of official senders; and expansion of the "Early Warning" service to notify organizations of compromised systems.
## Attack Methodology
- **Initial Access:** Phishing emails, Smishing (SMS), and exploitation of unpatched software.
- **Persistence:** Not persistence on victim hosts, which the report does not cover, but persistence of the campaign: attackers hosted phishing content on legitimate or compromised hosting providers and rotated domains, so blocking any single domain had only a short-lived effect.
- **Privilege Escalation:** Not detailed; the report's scope is external detection and takedown rather than post-compromise activity.
- **Defense Evasion:** Use of short-lived URLs and mimicking official government branding.
- **Credential Access:** Phishing pages designed to look like HMRC or NHS login portals.
- **Discovery (Reconnaissance):** Automated scanning by threat actors for unpatched VPNs, firewalls, and other internet-facing servers.
- **Lateral Movement:** Exploration of internal networks following initial breach of edge devices.
- **Collection:** Bulk harvesting of personal identifiable information (PII) and financial data.
- **Exfiltration:** Standard web protocols (HTTPS) to move stolen data to attacker-controlled servers.
- **Impact:** Financial fraud, healthcare disruption, and erosion of trust in digital government services.
## Impact Assessment
- **Financial:** Millions in potential losses prevented; the more than 4 million reports sent to SERS during 2020 indicate the scale of attempted fraud.
- **Data Breach:** High volume of individual credential theft; targeted scanning of vaccine research organizations.
- **Operational:** Increased strain on IT departments specifically in the healthcare sector.
- **Reputational:** High risk of public distrust in official COVID-19 communications due to impersonation.
## Indicators of Compromise
- **Network indicators:** Hundreds of thousands of malicious URLs, including clones of `gov[.]uk` and `nhs[.]uk`.
- **File indicators:** Malware disguised as COVID-19 advice documents or "Test and Trace" apps (APK/EXE).
- **Behavioral indicators:** DMARC aggregate reports for official domains showing authentication failures from unknown sending IPs (spoofing attempts); rapid registration of pandemic-themed domains.
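The network and behavioral indicators above are categories rather than concrete values, so the following Python is an added illustration (not code from the ACD report, and not how NCSC's PDNS works, which blocks from curated threat feeds rather than heuristics) of the detection logic a resolver-side defender would run against them. The log format, the brand and lure keyword lists, and every domain in the sample are constructed for this example; `ministry`, `receiver` and the `.example` names are placeholders.

```python
import re

# Registrable suffixes whose brand is cloned by phishing kits. The report
# names clones of gov[.]uk and nhs[.]uk; hmrc.gov.uk falls under gov.uk.
PROTECTED_SUFFIXES = ("gov.uk", "nhs.uk")

# Brand labels and run-together forms that should not appear in a domain
# outside the protected suffixes (illustrative list, not the NCSC's).
BRAND_LABELS = {"nhs", "hmrc"}
BRAND_SQUASHED = ("govuk", "nhsuk")

# Pandemic lure keywords seen in 2020 registrations (constructed list).
LURE_TOKENS = ("covid", "corona", "vaccine", "testandtrace", "lockdown", "relief")

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>".
SAMPLE_LOG = """\
2020-04-15T10:03:21Z 10.1.2.3 A www.nhs.uk
2020-04-15T10:03:25Z 10.1.2.3 A www.gov.uk
2020-04-15T10:04:02Z 10.1.2.7 A nhs-vaccine-appointment.co
2020-04-15T10:04:40Z 10.1.2.9 A gov-uk-grant-claim.com
2020-04-15T10:05:11Z 10.1.2.7 A covid19-relief-payment.net
2020-04-15T10:05:30Z 10.1.2.3 A hmrc.gov.uk
2020-04-15T10:05:59Z 10.1.2.4 A example.com
"""


def is_protected(domain: str) -> bool:
    """True when the name is a protected suffix itself or a subdomain of one."""
    d = domain.lower().rstrip(".")
    return any(d == s or d.endswith("." + s) for s in PROTECTED_SUFFIXES)


def classify(domain: str) -> str:
    """Return 'legitimate', 'lookalike', 'lure' or 'benign' for one query name."""
    d = domain.lower().rstrip(".")
    if is_protected(d):
        return "legitimate"
    # Split on dots and hyphens so "gov-uk-grant" and "nhs.uk.login" both
    # expose the brand tokens; the squashed form catches "govuk"/"nhsuk".
    tokens = re.split(r"[.-]", d)
    squashed = "".join(tokens)
    if BRAND_LABELS & set(tokens) or any(b in squashed for b in BRAND_SQUASHED):
        return "lookalike"
    if any(t in squashed for t in LURE_TOKENS):
        return "lure"
    return "benign"


def parse_line(line: str):
    """Parse one constructed log line; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype, "qname": qname}


def scan_dns_log(text: str) -> dict:
    """Classify every query and list the ones a blocking resolver would refuse."""
    counts = {"legitimate": 0, "lookalike": 0, "lure": 0, "benign": 0}
    blocked = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec["qname"])
        counts[verdict] += 1
        if verdict in ("lookalike", "lure"):
            blocked.append((rec["client"], rec["qname"], verdict))
    return {"counts": counts, "blocked": blocked}


if __name__ == "__main__":
    result = scan_dns_log(SAMPLE_LOG)
    print(result["counts"])
    for client, qname, verdict in result["blocked"]:
        print(f"block {client} -> {qname} ({verdict})")
```

The suffix check runs first so that real `gov.uk` and `nhs.uk` hosts are never flagged; everything else is judged on its labels. The keyword matching is deliberately crude and will produce false positives on ordinary words, which is why a production resolver relies on vetted feeds and uses heuristics like these only to prioritise analyst review of newly registered domains.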
## Response Actions
- **Containment:** Takedowns of 700,000+ malicious campaigns; blocking of 43 million malicious DNS requests via Protective DNS (PDNS).
- **Eradication:** Vulnerability notifications sent to organizations via the "Web Check" and "Early Warning" services.
- **Recovery:** Assisting the NHS in securing newly deployed remote-work infrastructure.
## Lessons Learned
- **Scalability:** Manual takedown processes are insufficient; automation and high-volume reporting (like SERS) are essential for national-scale defense.
- **Agility:** Threat actors pivot rapidly to current events (COVID-19); defensive services must be flexible enough to deploy new "signatures" or protections within hours.
- **Public Collaboration:** The public is a vital "sensor" for detection; providing an easy way to report (SERS) significantly improves threat intelligence.
## Recommendations
- **MFA Adoption:** Implement Multi-Factor Authentication across all public-facing services to mitigate credential theft.
- **DMARC Implementation:** All organizations should move their DMARC policy to "reject" to prevent brand impersonation, stepping through "none" (monitor) and "quarantine" while reviewing aggregate reports so that legitimate third-party senders are authenticated before enforcement; jumping straight to "reject" silently drops mail from any sender not yet aligned.
- **Vulnerability Management:** Prioritize patching of edge devices (VPNs, Firewalls) as these remain the primary targets for initial access.
- **Service Enrollment:** Eligible organizations should enroll in NCSC Free ACD services (PDNS, Web Check, Early Warning).
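The DMARC recommendation and the "DMARC fail" behavioral indicator come down to two checks: does the published record actually enforce, and what do the aggregate (rua) reports say about who is sending as the domain. The Python below is an added example of both (not code from the report or from NCSC's Mail Check service). The TXT records, the rua XML, the IP addresses (documentation ranges) and the `ministry.example` / `receiver.example` domains are all constructed for this illustration.

```python
import xml.etree.ElementTree as ET

# Constructed DMARC TXT records as published at _dmarc.<domain>.
MONITOR_ONLY = "v=DMARC1; p=none; rua=mailto:dmarc-reports@ministry.example"
ENFORCING = "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc-reports@ministry.example"

# Constructed aggregate (rua) report. The first record is an unknown source
# failing both aligned checks: raw SPF passed for bulkmailer.example, but
# that domain does not align with the From header, so DMARC still fails.
SAMPLE_RUA = """<?xml version="1.0"?>
<feedback>
  <report_metadata>
    <org_name>receiver.example</org_name>
    <report_id>constructed-1</report_id>
    <date_range><begin>1585699200</begin><end>1585785600</end></date_range>
  </report_metadata>
  <policy_published>
    <domain>ministry.example</domain>
    <adkim>r</adkim><aspf>r</aspf><p>none</p><sp>none</sp><pct>100</pct>
  </policy_published>
  <record>
    <row>
      <source_ip>198.51.100.7</source_ip>
      <count>2150</count>
      <policy_evaluated><disposition>none</disposition><dkim>fail</dkim><spf>fail</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ministry.example</header_from></identifiers>
    <auth_results><spf><domain>bulkmailer.example</domain><result>pass</result></spf></auth_results>
  </record>
  <record>
    <row>
      <source_ip>203.0.113.10</source_ip>
      <count>340</count>
      <policy_evaluated><disposition>none</disposition><dkim>pass</dkim><spf>pass</spf></policy_evaluated>
    </row>
    <identifiers><header_from>ministry.example</header_from></identifiers>
  </record>
</feedback>
"""


def parse_dmarc_record(txt: str) -> dict:
    """Parse a DMARC TXT record into tags and say whether it enforces."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: missing v=DMARC1")
    policy = tags.get("p", "none")
    pct = int(tags.get("pct", "100"))
    return {
        "policy": policy,
        "pct": pct,
        "rua": tags.get("rua"),
        # Only p=reject applied to 100% of mail stops spoofing; p=none reports.
        "enforcing": policy == "reject" and pct == 100,
    }


def summarize_rua(xml_text: str) -> dict:
    """Aggregate a rua report: message total, failing sources, spoofs delivered."""
    root = ET.fromstring(xml_text)
    total = 0
    failing_sources = {}
    delivered_unauthenticated = 0
    for rec in root.iter("record"):
        row = rec.find("row")
        count = int(row.findtext("count"))
        total += count
        evaluated = row.find("policy_evaluated")
        # DMARC passes when either aligned DKIM or aligned SPF passes.
        if evaluated.findtext("dkim") == "pass" or evaluated.findtext("spf") == "pass":
            continue
        ip = row.findtext("source_ip")
        failing_sources[ip] = failing_sources.get(ip, 0) + count
        # Disposition 'none' means the receiver delivered the failing mail anyway.
        if evaluated.findtext("disposition") == "none":
            delivered_unauthenticated += count
    return {
        "domain": root.findtext("policy_published/domain"),
        "policy": root.findtext("policy_published/p"),
        "total": total,
        "failing_sources": failing_sources,
        "delivered_unauthenticated": delivered_unauthenticated,
    }


def next_step(record: dict, summary: dict) -> str:
    """Recommend the next policy move from the record and the report together."""
    if record["enforcing"]:
        return "hold at p=reject; keep reviewing rua for new legitimate senders"
    if summary["delivered_unauthenticated"] > 0:
        return "review failing sources: authenticate legitimate ones, retire the rest, then move to p=quarantine"
    return "no unauthenticated delivery seen; move to p=reject"
```

Run against the constructed data, the record parses as monitor-only and the report shows 2,150 of 2,490 messages failing DMARC yet delivered, all from one source IP: exactly the "surge in DMARC fail reports" the indicators section describes, and the evidence an administrator needs before tightening the policy.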