
APT Hackers Targeting Healthcare, Essential Services Amid COVID-19

A new joint alert from DHS CISA and UK NCSC warns that advanced persistent threat (APT) hacking groups are exploiting the COVID-19 pandemic to target healthcare providers and other essential services.

Healthcare organizations and other essential services are again being warned that advanced persistent threat (APT) hacking groups are continuing to exploit the COVID-19 pandemic, this time by actively targeting organizations involved in the national and international pandemic response.

According to the new joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC), officials have seen an uptick in COVID-19-themed password spraying campaigns as part of these groups' cyber operations.

The latest APT campaign is specifically targeting healthcare bodies, pharmaceutical companies, medical research organizations, local governments, and academia, in an attempt to collect bulk personal information, intellectual property, and intelligence related to national priorities.

In fact, CISA and NCSC are currently investigating multiple incidents where threat actors have targeted pharma companies, medical research organizations and universities.

“The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19,” officials explained. “For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research.”

“APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit,” they added. “Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.”

Given their global reach and reliance on international supply chains, these organizations have an increased exposure to malicious cyber activity. Supply chains in particular are seen as a weak link: a hacker who compromises a less-defended supplier can use that foothold to reach targets that are typically better protected.

The increase in remote working has further expanded this attack surface. For example, the latest alert notes that APT actors are scanning the external websites of targeted companies to find vulnerabilities in unpatched software.

These findings mirror other alerts from federal agencies and security researchers, including attacks on patched and unpatched Virtual Private Networks (VPNs) and Citrix flaws, targeting of supply chain procurement and remote workers, and attacks on a host of hospitals, among many others.

CISA and UK NCSC are also actively investigating a large-scale campaign of COVID-19-related password spraying by APT hacking groups against healthcare entities in a number of countries, including international healthcare organizations.

These attacks have been used in the past against a host of other industries, including telecommunications, research organizations, and government. Password spraying is a style of brute force attack in which a hacker tries a single, commonly used password across many accounts before moving on to a second password, and so on.

Researchers warn that the method allows the threat actor to remain undetected: spreading attempts across many accounts avoids the rapid or repeated failures on any one account that trigger lockouts. Because many individuals reuse passwords, the technique is often successful.

“Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions,” the agencies warn.

“The actors will then ‘spray’ the identified accounts with lists of commonly used passwords,” they continued. “Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused.”

The hacker could also use the access to move laterally across the victim's network to steal more data and launch additional attacks against other accounts from inside the network. In previous attacks, the actors compromised enterprise email accounts and used them to download the victim's Global Address List (GAL), which was then used to password spray additional email accounts.

Past attacks have also gained access to corporate accounts and networks by guessing passwords based on the month of the year, the season, and the company name.
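As an added example (not code from the alert or from this article), the following Python sketches the defender's side of the two passages above: it scans authentication log lines for the spray signature (one source, many distinct accounts, each account kept below the lockout threshold) and rejects the season/month/company passwords that attackers try first. The log format, IP addresses, account names and thresholds are assumptions chosen for illustration; the sample log is constructed, not real data.

```python
"""Detecting password spraying and rejecting the passwords sprayers try first.
Added example; log format, addresses, names and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). One source fails once against nine
# accounts and then succeeds against a tenth; a legitimate user mistypes a
# password three times from a home address and then logs in.
SAMPLE_LOG = """\
2020-05-05T09:00:01Z FAIL user=alice src=203.0.113.7
2020-05-05T09:00:04Z FAIL user=bchen src=203.0.113.7
2020-05-05T09:00:07Z FAIL user=cdavis src=203.0.113.7
2020-05-05T09:00:10Z FAIL user=dpatel src=203.0.113.7
2020-05-05T09:00:13Z FAIL user=efox src=203.0.113.7
2020-05-05T09:00:16Z FAIL user=fgarcia src=203.0.113.7
2020-05-05T09:00:19Z FAIL user=hlee src=203.0.113.7
2020-05-05T09:00:22Z FAIL user=ikim src=203.0.113.7
2020-05-05T09:00:25Z FAIL user=jmoore src=203.0.113.7
2020-05-05T09:00:28Z OK user=knguyen src=203.0.113.7
2020-05-05T09:02:00Z FAIL user=bob src=198.51.100.4
2020-05-05T09:02:30Z FAIL user=bob src=198.51.100.4
2020-05-05T09:03:00Z FAIL user=bob src=198.51.100.4
2020-05-05T09:03:20Z OK user=bob src=198.51.100.4
"""

# Assumed line format: "<ISO-8601 UTC> <OK|FAIL> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Yield (timestamp, result, user, src) for every well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["result"], m["user"], m["src"]


def detect_spray(log_text, window=timedelta(minutes=30), min_accounts=8, lockout_threshold=5):
    """Flag each source that fails against at least `min_accounts` distinct users
    inside any `window` while every account stays below `lockout_threshold`.
    Per-account lockout alerting never fires on this pattern; counting per source does."""
    fails_by_src = defaultdict(list)
    ok_by_src = defaultdict(set)
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            fails_by_src[src].append((ts, user))
        else:
            ok_by_src[src].add(user)

    findings = []
    for src, fails in fails_by_src.items():
        fails.sort()
        per_user = defaultdict(int)
        for _, user in fails:
            per_user[user] += 1
        # Sliding window over this source's failures: peak number of distinct
        # accounts hit within `window`.
        in_window = defaultdict(int)
        start = 0
        peak = 0
        for ts, user in fails:
            in_window[user] += 1
            while ts - fails[start][0] > window:
                old_user = fails[start][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                start += 1
            peak = max(peak, len(in_window))
        if peak >= min_accounts and max(per_user.values()) < lockout_threshold:
            findings.append({
                "src": src,
                "distinct_accounts": peak,
                "max_failures_per_account": max(per_user.values()),
                "successful_logins_from_source": sorted(ok_by_src[src]),
            })
    return findings


SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")


def is_spray_candidate(password, company_terms=()):
    """True if the password is a season, month or company term, optionally
    followed by a year or '123' (Spring2020!, May2020, Acme123). Case and
    punctuation are ignored, so a trailing '!' does not rescue it."""
    core = re.sub(r"[^a-z0-9]", "", password.lower())
    terms = SEASONS + MONTHS + tuple(re.sub(r"[^a-z0-9]", "", t.lower()) for t in company_terms)
    return any(re.fullmatch(rf"{re.escape(t)}(\d{{2,4}}|123)?", core) for t in terms)


if __name__ == "__main__":
    for f in detect_spray(SAMPLE_LOG):
        print(f"spray from {f['src']}: {f['distinct_accounts']} accounts, "
              f"successes: {f['successful_logins_from_source']}")
    for pw in ("Spring2020!", "Acme123", "x7#Qp9!vLz2m"):
        print(pw, "->", "reject" if is_spray_candidate(pw, ("Acme",)) else "ok")
```

The key design choice is to aggregate by source rather than by account: per-account lockout counters are exactly what the sprayer is tuned to stay under, so the `bob` typos (three failures, one account) pass while `203.0.113.7` (nine accounts, one failure each, then a success) is flagged. In practice the source key would be the authenticating IP or the tenant's sign-in log identity, and `company_terms` would be fed from the organization's own banned-password list.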

Mitigation Recommendations

CISA and NCSC recommend that organizations update all VPNs, network infrastructure devices, and remote devices used in work environments with the latest patches and secure configurations. Multi-factor authentication is also needed to reduce the impact of compromised passwords.

Organizations should review and revise their incident management processes and establish a security monitoring capability that allows IT leadership to collect the data necessary for analyzing network intrusions.

Further, healthcare entities should use a browse-down architecture to protect the management interfaces of critical operational systems: administrators connect from a more trusted device down to less trusted systems, never the reverse, so a compromised workstation does not easily yield privileged access. Modern systems and software should be adopted where possible, as they typically have better built-in security.

“If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position,” officials wrote. They also urged organizations to “invest in preventing malware-based attacks across various scenarios.”

Organizations are being urged to review previous CISA guidance on password spraying attacks and other guidance on password protection. CISA's Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into practice. Additionally, the UK government's Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic, including advice on protecting passwords, accounts, and devices.

In addition, healthcare providers should review recent insights from the American Medical Association and American Hospital Association, as well as DHS cloud and Microsoft O365 remote work guidance.
