Team Cymru and Arctic Security Reveal Number of Compromised Organizations Has More Than Doubled Since Stay-at-Home Order

Analysis indicates 50,000 organizations in the US had previously infected computers unknowingly lying dormant behind corporate firewalls, and the newly remote workforce is setting these zombie computers free

ORLANDO, Fla.--()--Team Cymru and its partner Arctic Security today announced the release of new cyber threat research indicating that news coverage of the recent uptick in cyber threat activity is showing an incomplete picture. Despite the focus on VPN hacks and attacks at home, the research indicates that computers at more than 50,000 organizations in the US had been infected prior to stay-at-home orders. Researchers say they are witnessing previously infected computers being activated now that their malicious communications are no longer being blocked by corporate firewalls.

Arctic Security in Finland, with unique data from US-based internet security and threat intelligence firm Team Cymru, finds the number of compromised organizations in the US, Finland and across Europe has doubled, tripled or even quadrupled, between January and the end of March. Researchers believe this demonstrates a systemic problem facing organizations – a failure of internal security tools and processes and an inability to prepare for mobile workforces.

“Our analysis indicates that the employees’ computers were already hacked before COVID-19 made the news, but were lying dormant behind firewalls, blocking their ability to go to work on behalf of the threat actors,” explained Lari Huttunen, Senior Analyst at Arctic Security, a Security Services company in Finland. “Now those zombies are outside firewalls, connected to their corporate networks via VPNs, which were not designed to prevent malicious communications.”

This analysis offers an unsettling data point that puts numbers to the foothold threat actors have gained within public and private sector organizations. The findings may also correlate with recent public warnings, such as the FBI’s advisory on March 30 alerting of increased vulnerability probing activity. The implications are serious. These same researchers have also found that many large companies have not managed to remedy the infrastructure vulnerabilities that have exposed them to data breaches in past years.

Experts at Team Cymru say this research shines a light on a cyber pandemic and provides an unprecedented opportunity for organizations to assess the extent of compromise within their organizations, rather than hiding behind a “block and forget” security mentality. According to Arctic Security and Team Cymru, the only way to comprehensively identify whether an organization has been compromised is to observe internet threat traffic from outside the enterprise, monitoring these threat actors in the wild.

“Our clients use the pure signal Team Cymru provides to map malicious infrastructures outside their enterprise perimeters and monitor cyber threat activity at Internet scale,” explained David Monnier, Team Cymru Fellow and Director of Client Success at Team Cymru. “It’s a unique perspective that only we provide, and this visibility also allows them to see the state of their remote network assets, like branch offices, supply chain, and even work-at-home employee networks. They are able to determine at time of connection if these hosts are compromised and act accordingly.”

“Cybersecurity teams still approach security as though their enterprise ends at the firewall. This has not been the case for a long time, and this massive work-from-home movement has exposed the weakness of that approach,” stated Arctic Security CEO David Chartier, formerly of Codenomicon, the company that exposed the Heartbleed bug in 2014, which was one of the most widespread and potentially dangerous vulnerabilities ever identified.

As part of its CSIRT Assistance Program, Team Cymru works closely with 124 CSIRTs worldwide and is committed to assisting them with this uptick in activity. These CSIRTs collectively protect 52 percent of IPv4 and 72 percent of IPv6 worldwide.

The research blog is live at Team Cymru at and at Arctic Security at

About Team Cymru

Since 2005, Team Cymru’s mission has been to save and improve lives by working with public and private sector entities to discover, track and take down threat actors and criminals around the globe. We do this by delivering comprehensive visibility into global Internet traffic and cyber threat activity. Team Cymru collects, processes and aggregates global network flows and 50+ other types of data to give our clients Pure Signal™. This provides the broadest visibility into malicious activity across the Internet. We are scoring 94,000,000 events per day and delivering that information to our users in an actionable way. The most advanced cybersecurity teams and investigators around the world rely on our solutions to uncover the who, what, when, where and why of malicious behavior. They also leverage this global visibility to identify, map, and block malicious infrastructure before threats even reach their enterprises’ doorsteps. Our data is incomparable — Pure Signal™ — and our partners and clients use it to make the world a safer place. Learn more at

About Arctic Security

Arctic Security’s mission is to help you get organized in cyber defense through defense cells. The goal is to get both governmental and commercial cyber security centers and other cyber officials connected with companies and organizations to share the critical threat intelligence between each other. The more threat intelligence is spread inside a defense cell the more resilient the parties and eventually, the Internet, become. Arctic Security also specializes in delivering critical, outside-in observation to detect threats for their clients and alert victims when they’ve been compromised. Learn more at


Leslie Kesselring

Release Summary

Team Cymru and Arctic Security reveal the number of compromised organizations in the US and Europe has more than doubled since stay-at-home order.


Leslie Kesselring