U.S., UK Govt: APT Groups Targeting Healthcare Orgs

by Chris Brook on Thursday May 7, 2020

A joint alert via cybersecurity agencies in the UK and U.S. this week warned about how APT groups are exploiting COVID-19 to collect PII, IP, and other intelligence.

It seems as if there are alerts almost daily now around how bad actors are leveraging the ongoing coronavirus (COVID-19) pandemic to target end users.

The latest came this week after agencies from two countries, the U.S. and the U.K., warned about how advanced persistent threat (APT) groups are using the pandemic to their advantage.

In a joint warning issued Tuesday by the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom's National Cyber Security Centre (NCSC), the agencies explained how attackers are scanning for vulnerabilities in unpatched software to probe the defenses of healthcare companies.

DHS, CISA, and NCSC warn that when it comes to healthcare, no organization is really being spared by APT groups: healthcare bodies, pharmaceutical companies, academic institutions such as universities, medical research organizations, and local governments are being targeted in particular.

The groups are largely looking to collect intelligence on national and international healthcare policies and sensitive data on COVID-19-related research, the agencies warned.

It probably shouldn't come as a surprise that to do so the attackers are still hitting vulnerabilities previously uncovered and disclosed in Citrix, along with VPN products from Pulse Secure, Fortinet, and Palo Alto. CISA warned of an uptick in attacks exploiting Pulse Secure in particular in January, claiming it was being used to install Sodinokibi ransomware. It also warned of the Citrix vulnerability (CVE-2019-19781) in January.

The groups are also carrying out password spraying campaigns against healthcare companies. In a password spraying attack, attackers try a handful of common passwords against an account and then move on to the next one rather than hammering a single account. Every so often a guess succeeds, and because each account sees only a few failures, the attackers avoid tripping lockout thresholds.

According to the groups' guidance, they've observed attackers leveraging password spraying to get into an account, then downloading an organization's internal email list and using it to password spray further.
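The spray pattern described above is detectable from ordinary authentication logs, which is why the monitoring guidance matters. The following is an added example, not code from the alert or from this post: it runs a simple spray detector over constructed log lines (the log format and the thresholds are assumptions), keying on the source rather than the account, since spraying stays under per-account lockout limits by design.

```python
# Password-spray detector over constructed auth log lines (example code,
# not from the alert). Spraying is the inverse of brute force: a few
# guesses per account across many accounts, so per-account lockout never
# trips. The detector therefore keys on the source, not the account.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample; assumed format: <ISO time> <source_ip> <user> <SUCCESS|FAIL>
SAMPLE_LOG = """\
2020-05-05T09:00:01 203.0.113.7 alice FAIL
2020-05-05T09:00:03 203.0.113.7 bob FAIL
2020-05-05T09:00:05 203.0.113.7 carol FAIL
2020-05-05T09:00:07 203.0.113.7 dave FAIL
2020-05-05T09:00:09 203.0.113.7 erin FAIL
2020-05-05T09:00:11 203.0.113.7 frank SUCCESS
2020-05-05T09:01:00 198.51.100.9 alice FAIL
2020-05-05T09:01:02 198.51.100.9 alice FAIL
2020-05-05T09:01:04 198.51.100.9 alice FAIL
2020-05-05T09:05:00 192.0.2.44 gina SUCCESS
"""

def parse(log_text):
    """Parse lines into (timestamp, source, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_spraying(events, window=timedelta(minutes=30),
                    min_accounts=5, max_fails_per_account=3):
    """Flag sources that fail against >= min_accounts distinct accounts inside
    one sliding window while never exceeding max_fails_per_account on any."""
    fails = defaultdict(list)  # source -> [(ts, user)] for failed logins
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    flagged = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_fails_per_account):
                flagged[src] = sorted(per_user)
                break  # one hit per source is enough
    return flagged
```

The brute-force source hammering a single account (198.51.100.9) is deliberately not flagged here; that shape is what per-account lockout already catches.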

“CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns. APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic,” the groups warned.

To mitigate the attacks, the groups are encouraging administrators to follow these tips if they’re not already:

  • Update VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Protect the management interfaces of your critical operational systems - use browse-down architecture to prevent attackers easily gaining privileged access to your most vital assets.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
  • Review and refresh your incident management processes.
  • Use modern systems and software. These have better security built in. If you cannot move off out-of-date platforms and applications straight away, there are short-term steps you can take to improve your position.

Tags:  Healthcare Industry Insights