CISA/NCSC Joint Alert Warns of APT Groups Targeting Healthcare and Essential Services

by Margaret Young Levi and Kathie McDonald-McClure

On May 5, 2020, the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) issued a joint alert warning of techniques that advanced persistent threat (APT) groups are using to exploit the COVID-19 pandemic.

APT groups target and exploit organizations responding to COVID-19, such as healthcare organizations, pharmaceutical companies, universities, medical research organizations, and local governments. These groups seek to steal “bulk personal information, intellectual property, and intelligence that aligns with national priorities.” For example, pharmaceutical companies, medical research organizations, and universities have been targeted in order to steal sensitive research into COVID-19-related medicine for both commercial and governmental benefit.

These cybercriminals employ a variety of techniques to steal data.

One way cybercriminals invade a network is simply to take advantage of unpatched software. As more people are working remotely, the APT groups scan for vulnerabilities in unpatched software on Citrix and virtual private network (VPN) products that allow people to work from home with a remote connection to their business network.

Another method APT groups are using against healthcare entities is to conduct large-scale password spraying campaigns. Password spraying is a type of brute force attack in which cybercriminals try one common password against many accounts before moving on to try a second common password, then a third, and so on. This technique spaces out the attempts on each account, so the attacker avoids the lockout or detection that would follow from trying a single account too frequently or too close together in time. If someone uses a common password, such as “123456” or “password1” or the name of the organization, then a password spraying attack has a greater chance of successfully compromising an email account, which, in turn, can permit criminals to access other corporate accounts and networks.
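The following added example, which is not from the CISA/NCSC alert or the original post, shows why a per-account lockout counter misses the spraying pattern described above and how counting distinct failed accounts per source address catches it. The log format, thresholds, account names and addresses are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log; the line format and all values are assumptions.
SAMPLE_LOG = """\
2020-05-05T09:00:00 FAIL user=alice src=203.0.113.7
2020-05-05T09:00:20 FAIL user=bob src=203.0.113.7
2020-05-05T09:00:40 FAIL user=carol src=203.0.113.7
2020-05-05T09:01:00 FAIL user=dave src=203.0.113.7
2020-05-05T09:10:00 FAIL user=frank src=198.51.100.20
2020-05-05T09:10:30 FAIL user=frank src=198.51.100.20
2020-05-05T09:11:00 FAIL user=frank src=198.51.100.20
2020-05-05T09:40:00 FAIL user=alice src=203.0.113.7
2020-05-05T09:40:20 FAIL user=bob src=203.0.113.7
2020-05-05T09:40:40 FAIL user=carol src=203.0.113.7
2020-05-05T09:41:00 OK user=dave src=203.0.113.7
"""
LOCKOUT_THRESHOLD = 3          # assumed per-account lockout policy
WINDOW = timedelta(hours=1)    # assumed look-back window per source
MIN_ACCOUNTS = 4               # assumed distinct-account alert threshold

def parse_log(text):
    rows = (line.split() for line in text.splitlines())
    return [(datetime.fromisoformat(ts), res, user.split("=")[1], src.split("=")[1])
            for ts, res, user, src in rows]

def lockout_hits(events):
    # What a per-account failure counter sees: only the user who mistyped.
    fails = Counter(u for _, r, u, _ in events if r == "FAIL")
    return {u for u, n in fails.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    # Pivot on the source: distinct accounts failed from one address in WINDOW.
    by_src = defaultdict(list)
    for ts, res, user, src in events:
        if res == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            accounts = {u for ts, u in fails[i:] if ts - start <= WINDOW}
            if len(accounts) >= MIN_ACCOUNTS:
                flagged[src] = max(len(accounts), flagged.get(src, 0))
    return flagged

def logins_from(events, sources):
    # Successful logins from flagged sources: accounts to reset and review first.
    return sorted({u for _, r, u, s in events if r == "OK" and s in sources})
```

Grouping by source address is only one pivot; counting distinct failed accounts per time window across all sources covers a spray that arrives from many addresses.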

In light of this uptick in cyber activity, CISA and NCSC advise organizations to take the following steps to reduce the chance of compromise from these types of attacks:

*Other COVID-19 related cyber security alerts include: A previous alert by CISA, COVID-19 Exploited by Malicious Cyber Actors, April 8, 2020 (Alert AA20-099A), and an alert by the Federal Bureau of Investigation (FBI), COVID-19 Email Phishing Against US Healthcare Providers, April 21, 2020 (Alert No. MI-000122-MW), on which we report here.

For additional guidance on responding to a cyber security incident within the first 24-48 hours afterward, see our Six Tips, which can also be found on the blog’s Data Incident Response Team tab. For information about Wyatt’s Data Privacy & Security Incident Response Team, see the Data Incident Response Team tab on this blog and our Data Privacy & Incident Response Team brochure.