May 18, 2020 – A joint alert issued recently by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the U.K. National Cyber Security Centre (NCSC) warns that they continue to see “indications that advanced persistent threat (APT) groups are exploiting the [COVID-19] pandemic” by targeting organizations involved in the COVID-19 response, including “healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.”
In a May 5 CISA/NCSC alert, the agencies stated that APT actors frequently target organizations to collect bulk personal information, intellectual property and intelligence. However, the pandemic has raised the stakes, prompting APT actors to also seek intelligence on national and international healthcare policy, as well as sensitive COVID-19-related research.
“Protecting data privacy and security remains an ongoing challenge, and sadly it is not surprising that the pandemic — and critical work to contain it — would become another prime target for hackers,” noted Coalition for Healthcare Communication Executive Director Jon Bigelow. “All of us in the healthcare community need to take notice, and this situation reinforces the need for strong national legislation to improve data privacy and security.”
CISA and NCSC currently are investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations and universities. “Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine,” the alert stated. “These organizations’ global reach and international supply chains increase exposure to malicious cyber actors.”
Specifically, CISA and NCSC report that APT actors have been scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. CISA and NCSC also are investigating “password spraying activity,” which they define as an attempt to access a large number of accounts using commonly known passwords.
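For defenders who want to check their own authentication logs for the pattern the alert describes, the following Python example is added here for illustration and is not part of the CISA/NCSC alert. It flags a source whose failed logins touch many distinct accounts with only a few tries each, and lists any accounts that source then logged into; the event format, thresholds and function name are assumptions, and the sample events are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, source IP, username, outcome).
# IPs are RFC 5737 documentation addresses; usernames are invented.
SAMPLE_EVENTS = [
    ("2020-05-05T09:00:00", "203.0.113.7", "alice", "FAIL"),
    ("2020-05-05T09:01:00", "203.0.113.7", "bob", "FAIL"),
    ("2020-05-05T09:02:00", "203.0.113.7", "carol", "FAIL"),
    ("2020-05-05T09:03:00", "203.0.113.7", "dave", "FAIL"),
    ("2020-05-05T09:04:00", "203.0.113.7", "erin", "FAIL"),
    ("2020-05-05T09:05:00", "203.0.113.7", "frank", "OK"),     # spray hit
    ("2020-05-05T09:00:00", "198.51.100.9", "alice", "FAIL"),  # one user's typos
    ("2020-05-05T09:00:20", "198.51.100.9", "alice", "FAIL"),
    ("2020-05-05T09:00:40", "198.51.100.9", "alice", "OK"),
] + [("2020-05-05T10:%02d:00" % m, "192.0.2.44", "admin", "FAIL") for m in range(10)]
# The last source hammers a single account: many failures, but not a spray.


def detect_password_spray(events, window=timedelta(minutes=30),
                          min_accounts=5, max_per_account=2):
    """Flag sources whose failed logins inside one time window hit many
    distinct accounts with few tries each (thresholds are assumptions).
    Returns {source: {"targeted": [...], "succeeded": [...]}}."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))
        else:
            oks[src].add(user)
    findings = {}
    for src, attempts in fails.items():
        attempts.sort()
        start, per_user = 0, Counter()
        for when, user in attempts:
            per_user[user] += 1
            # Drop failures that have fallen out of the sliding window.
            while when - attempts[start][0] > window:
                old = attempts[start][1]
                per_user[old] -= 1
                if per_user[old] == 0:
                    del per_user[old]
                start += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                findings[src] = {"targeted": sorted(per_user),
                                 "succeeded": sorted(oks[src])}
                break
    return findings
```

Accounts listed under `succeeded` are any the flagged source logged into in the supplied events, which makes them the first candidates for a password reset and session review.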
CISA recommends that companies put the following practices into place to help defend themselves against cyberattacks:
- Update VPNs, network infrastructure devices and devices being used to remote into work environments with the latest software patches and configurations;
- Use multi-factor authentication to reduce the impact of password compromises;
- Protect the management interfaces of critical operations systems;
- Review and refresh incident management processes;
- Use modern systems and software; and
- Invest in preventing malware-based attacks across various scenarios.
“We can’t do this alone, and we recommend healthcare policy makers and researchers take our actionable steps to defend themselves from password spraying campaigns,” said CISA Assistant Director of Cybersecurity Bryan Ware. “CISA has prioritized our cybersecurity services to healthcare and private organizations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to COVID-19.”