Russian Hackers Validate BitSight WFH Data

This week the New York Times released a report warning that a group of Russian hackers going by the name “Evil Corp” has been attempting to exploit the rampant vulnerabilities presented by the US workforce shifting to working from home at remote offices, raising fears that major U.S. brands, news organizations, or even election systems could be disrupted with ransomware attacks. The research, conducted by Symantec, revealed that 31 large U.S. corporations, including Fortune 500 companies and news organizations, have fallen victim to Evil Corp, and those are just the ones we know about.

While the scale of the Evil Corp ransomware attacks is shocking, the threat presented by work from home networks has been well illustrated by BitSight research. Back in March 2020, when the workforce was just a few weeks into its shift to working from home (which saw up to 85% of workers in some industries start working from home), BitSight released a report on the dangers presented by remote offices and work from home networks. To briefly recap, what we found was alarming, to say the least. After we took a look at the home networks associated with 41,000 organizations we found:


  • 3.5x more likely than corporate networks to have at least one family of malware
  • 7.5x more likely to have at least five distinct families of malware
  • Common families of malware are extremely prevalent including Mirai, which is observed 20x more frequently, and Trickbot which is observed 3.75x more frequently

Services & Remote Management Exposure:

  • More than 25% of all devices have one or more services exposed on the internet
  • Almost 1 in 7 WFH-RO IP addresses have exposed cable modem control interfaces

Given our findings, the fact that a group of malicious actors is exploiting insecure home networks to attack corporations is not unexpected. What is unexpected however is the scope and sophistication of the attacks, which are somewhat ingenious and perfect for the work from home era. To precisely target their prey, the group is looking for users connecting to the internet through VPN. However, rather than going after the VPN itself, they are merely using it to figure out which organization the user is associated with. Malicious code is then placed on websites, including commerce and news sites, in hopes the user will visit, where it can then be installed when the user is vulnerable.

Once on the endpoint, the group can attempt to connect back to the organization's network and install the ransomware code.

While no active attacks or demands have yet been disclosed, there remains the very real possibility that the economic recovery, or even the upcoming elections, could be interrupted by the activation of the ransomware code -- which could lock users out of voter roll data, critical business systems, and more. “Right now this is all about making money, but the infrastructure they are deploying could be used to wipe out a lot of data — and not just at corporations,” said Eric Chien, Symantec’s technical director.

Identifying Unique Risks of WFH Remote Office

Work from home-remote office networks are 7.5x more likely to have at least five distinct families of malware. Learn more about the hidden dangers lurking in residential networks.

Read The Guide
Button Arrow

Understanding Remote Office Network Risk

With the shift to remote work due to COVID-19, the workforce has essentially migrated from the cleanest networks to some of the most infected. Because these networks are based in private residences, security teams obviously have little or no control over what happens on them. However, gaining visibility in the risk posed by work from home networks can help organizations create dynamic solutions to better secure their networks.

BitSight Work From Home-Remote Office, part of our Security Performance Management product, allows organizations to discover security issues that reside on remote office IPs to help inform existing incident response or insider threat activities.

Using our Work From Home data, one BitSight customer, a global financial services agency, was able to create an entirely new process to control access to the network. Since the outbreak of COVID-19, nearly all of the customers’ employees are working from home on corporate machines connected through VPN or modern EDR. However, recognizing that the situation posed many security challenges, such as situations where the corporate endpoint might be used by multiple members of a household, the customer queried residential IP risk data on a daily basis from Work From Home and used it to create an IP risk score. The riskiest IPs that fell below a certain threshold had tighter host-based firewall controls pushed to the endpoint, ensuring the network stayed secure. The company was able to monitor over 6,000 users by using Work From Home cybersecurity data by integrating with Splunk without ever contacting the individual users, and without needing to install any additional software..

What Can Security Leaders Do?

Exactly how broad the activity by Evil Corp has been and how severe the damage will be if they ever activate their code remains to be seen. However, it can no longer be questioned that the shift to remote work has presented profound new security challenges for organizations. While much can be done to harden end points against attacks, the networks those endpoints connect to are often overlooked, and while they may be outside the scope of direct intervention for security teams, getting visibility into the risk those networks pose is of paramount importance. Once you have that visibility, processes can be put in place to mitigate risk and decrease the likelihood of malicious attacks.