The reach of cyberattacks related to Covid-19 – Politico

With help from Eric Geller, Martin Matishak and Laurens Cerulus

Editor's Note: Morning Cybersecurity is a free version of POLITICO Pro Cybersecurity's morning newsletter, which is delivered to our subscribers each morning at 6 a.m. The POLITICO Pro platform combines the news you need with tools you can use to take action on the day's biggest stories. Act on the news with POLITICO Pro.

Coronavirus-themed cyberattacks show no sign of slowing, as federal agencies and companies explore who's vulnerable and who's responsible.

MC exclusive: An examination of cyber-related sanctions and indictments showed disparities across U.S. administrations and nations.

The NSA and an Australian spy agency warned about a kind of attack that's on the rise.

HAPPY THURSDAY and welcome to Morning Cybersecurity! Russian Doll was great but your MC host isn't sure what to make of this. Send your thoughts, feedback and especially tips to [emailprotected]. Be sure to follow @POLITICOPro and @MorningCybersec. Full team info below.

EVER-EXPANDING Months into the Covid-19 crisis, we're still learning more each day about the scope and innovation in coronavirus-themed attacks via the government agencies and tech companies fighting off the hackers.

IBM on pace and vulnerabilities: IBM says it has seen a 6,000 percent increase in Covid-19 spam from mid-March to mid-April. It also released a study today that suggests small-business owners and consumers could be the most vulnerable to scams where cyber criminals masquerade as the government. More than a third of those polled by IBM and Morning Consult said they expect emails from the IRS, despite years of the IRS and others warning that the agency wouldn't email anyone about their tax filings; over half said they would click on links or attachments in emails about stimulus checks. And just 14 percent of small-business owners said they felt very knowledgeable about relief loans. Palo Alto Networks also provided some figures on coronavirus-related scams Wednesday.

DOJ on takedowns, Google on nation-state hacking: DOJ said Wednesday that law enforcement, cybersecurity companies and website operators have taken down hundreds of domains that were using the coronavirus crisis for fraud. Not coincidentally, some of the ones identified by the FBI mimicked the IRS relief payment portal. And, according to Google, federal employees have been targets themselves of coronavirus-themed phishing campaigns orchestrated by hackers backed by other nations; in total, more than a dozen such hacking groups have launched attacks that use Covid-19.

FireEye on Vietnam: Hackers linked to the Vietnamese government have been spear-phishing Chinese government agencies in an apparent effort to understand Beijing's handling of the coronavirus pandemic, FireEye researchers said Wednesday. The malicious emails went to China's Ministry of Emergency Management and the municipal government in Wuhan, where the virus first emerged, according to FireEye, which attributed the activity to the Vietnam-linked group APT32. "While targeting of East Asia is consistent with the activity we've previously reported on APT32," the researchers wrote, "this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information."

The spear-phishing campaign, which seems to have begun in early January, uses virus-related lures to entice victims into opening the infected attachments, which then deploy the Metaljack malware payload. FireEye spotted the same malware and command-and-control server in a phishing campaign in December likely targeting Southeast Asian countries.

The first malicious email that FireEye caught was dated Jan. 6, one week before Thailand reported the first infection outside China. "Vietnam was [very] quick to respond to early reports of the disease," Reuters reporter Jack Stubbs pointed out. "Maybe now we have an idea why." Vietnam has reported fewer than 300 coronavirus cases and no deaths.

FIRST IN MC: CYBER SANCTIONS AND INDICTMENTS The Trump administration in its first term has been far more aggressive in issuing cyber-related sanctions and indictments against China, Iran, North Korea and Russia than the Obama administration in its second term, according to an analysis and infographic out today from the Foundation for Defense of Democracies. President Donald Trump has issued 106 indictments and 110 sanctions, compared to 28 and five, respectively, from President Barack Obama from 2013 to 2016, the think tank found.

Across both administrations, sanctions and indictments are applied inconsistently across nations. While North Korea is behind larger and more destructive attacks than Iran, North Korea has endured six total indictments and sanctions to Iran's 30, the analysis and infographic concluded. Authors Trevor Logan and Pavak Patel explained that might be because North Korean hackers are more closely affiliated with their government, whereas Iranian hackers aren't exclusively loyal and are therefore easier to name.

China more often faces indictments than sanctions. Logan and Patel wrote that may indicate that the United States is reluctant to issue sanctions against malicious Chinese actors due to the fear of escalation or economic retaliation against American companies. In contrast, the relative weakness of the Iranian, North Korean, and Russian economies means that Washington can act more freely without fear of blowback.

MALWARE IN A HALF SHELL The NSA and its Australian counterpart on Wednesday issued guidelines for detecting and defending against so-called web shell malware, a tactic hackers are increasingly using in their operations. "Web shells provide attackers with persistent access to a compromised network using communication channels disguised to blend in with legitimate traffic," the notice from NSA and the Australian Signals Directorate explained. The intelligence organizations suggested a defense-in-depth approach using multiple detection capabilities as the best way to both uncover the malware and prevent it from wreaking havoc on systems, and offered tips on how to recover from such an attack. A critical focus once a web shell is discovered should be on how far the attacker penetrated within the network.

WHO'S ZOOMING WHO Zoom announced stronger encryption and an array of additional security measures for version 5.0 of the video conferencing platform it rolled out on Wednesday. "From our network to our feature set to our user experience, everything is being put through rigorous scrutiny," said Oded Gal, chief product officer of the company.

CZECHS TO WORLD: STOP ATTACKING HOSPITALS From our friends at POLITICO Europe's Cyber Insights: The Czech Republic wants all countries around the world to pledge not to launch cyberattacks on hospitals and medical facilities. That's according to its written feedback on a draft report on international norms for cybersecurity from the U.N.'s Open-ended Working Group.

"The rising number of cyberattacks on medical facilities worldwide reinforce the need for coordinated global action to protect [the] public health care sector from malicious ICT activities," the Czech proposal reads. Specifically, it wants the OEWG to endorse the idea to add medical services and medical facilities to a list of things that states are barred from attacking, as laid out in the U.N.'s landmark 2015 deal on cyber norms.

Czech hospitals have been the targets of cyberattacks in the past month, and last week its government warned of more attacks, prompting the U.S. to threaten hackers with consequences.

Russia's feedback for the draft said the application of international humanitarian law should be applied only in the context of a military conflict while currently the ICTs [information and communications technologies] do not fit the definition of a weapon. Moscow also slammed the mention of political attribution of cyberattacks, adding the report artificially exaggerated the importance of having NGOs and civil rights groups engage with the U.N. OEWG.

Member states' feedback on the OEWG's draft report can be found here. Here's security researcher Lukasz Olejnik's Twitter thread analyzing the papers.

TWEET OF THE DAY Only sharing this because of the good dog.

Alston & Bird announced a Women in Cyber network co-directed by partners Kim Peretti, co-leader of Alston & Bird's cybersecurity preparedness and response team, and Amy Mushahwar, member of the firm's privacy and data security and cybersecurity preparedness and response teams. Associates Emily Poole and Alysa Austin will support them.

The network's advisory board includes Jeannie McCarver, senior vice president for cybersecurity at U.S. Bank; Tracey Scraba, chief privacy officer at CVS Health; and Jennifer Martin, global cybersecurity counsel at Verizon Media.

Motherboard: Researchers revealed some iPhone zero day exploits.

ZDNet: Security researcher identifies new APT group mentioned in 2017 Shadow Brokers leak.

NBC News: The leaked data on employees of the World Health Organization and others was likely from previous breaches.

Kaspersky released a survey on corporate security and employee privacy.

The Voting Village's Jake Braun and Synack's Mark Kuhr talked election security.

Good news about the number of ransomware attacks on governments, health care providers and educational organizations in the first quarter, via Emsisoft.

That's all for today.

Stay in touch with the whole team: Eric Geller ([emailprotected], @ericgeller); Bob King ([emailprotected], @bkingdc); Martin Matishak ([emailprotected], @martinmatishak); and Tim Starks ([emailprotected], @timstarks).
