APT Hackers Targeting Healthcare, Essential Services Amid COVID-19

Healthcare organizations and other essential services are again being warned that advanced persistent threat (APT) hacking groups are continuing to exploit the COVID-19 pandemic; this time to actively target organizations involved in both the national and international response.

According to the new joint alert from the Department of Homeland Security Cybersecurity and Infrastructure Security Agency and UK National Cyber Security Centre (NCSC), officials have seen an uptick in Coronavirus-related password spraying campaigns as part of their cyber operations.

The latest APT campaign in specifically targeting healthcare bodies, pharmaceutical companies, medical research organizations, local governments, and academia, attempting to collect bulk personal information, intellectual property, and intelligence related to national priorities.

In fact, CISA and NCSC are currently investigating multiple incidents where threat actors have targeted pharma companies, medical research organizations and universities.

“The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19,” officials explained. “For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19-related research.”

“APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit,” they added. “Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.”

Given the global reach and the use of international supply chains, these organizations have an increased exposure to malicious cyberactivity. Supply chains, in particular, are seen as a weak link, where hackers can exploit the chain to obtain access to typically better-protected targets.

The increase in remote working as further increased this threat landscape, fueling new vulnerabilities as a result.  For example, the latest alert shows APT actors are scanning external websites of targeted companies to find vulnerabilities in unpatched software.

These findings mirror other alerts from federal agencies and security researchers, including attacks on patched and unpatched Virtual Private Networks (VPNs), supply chain procurement, Citrix flaws, remote workers, and a host of hospitals, among many others.

CISA and UK NCSC are also actively investigating a massive campaign of COVID-19-related password spraying activity conducted by APT hacking groups against healthcare entities in a number of countries, including international healthcare organizations.

These attacks have been used in the past to target a host of other industries, including telecommunications, research organizations, and the government. Password spraying is a style of brute force attack where a hacker attempts to use a single, commonly used password across many accounts before attempting a second password, and down the line.

Researchers warn the method allows the threat actor to remain undetected, as they can avoid rapid or frequent account lockouts. As many individuals will commonly reuse passwords, these attacks are highly successful.

“Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions,” the agencies warn.

“The actors will then ‘spray’ the identified accounts with lists of commonly used passwords,” they continued. “Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused.”

The hacker could also use the access to move laterally across the victim’s network to steal more data and launch additional cyberattacks against other accounts from the network. In previous attacks, the cybercriminals have compromised enterprise email accounts, then used those accounts to download the victim’s Global Address List (GAL). the GAL is leveraged to password spray additional email accounts.

Past attacks have also been used to gain access into corporate accounts and networks, where the hackers use passwords base don the month of the year, seasons, and the company name.