In a rare, joint alert by the U.S. and U.K., organizations involved in the fight against COVID-19 have been warned that intensified, malicious cyber activity targeting their operations has been detected.
“Advanced Persistent Threat (APT) actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include health care bodies, pharmaceutical companies, academia, medical research organizations, and local governments,” according to an alert issued Monday by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, or CISA, and the U.K.’s National Cyber Security Centre.
According to the bulletin, the hackers are using a well-known tactic called “password spraying” to try to breach these organizations.
It’s a “brute-force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password,” the alert said.
In 2019, one of those commonly used passwords, 123456, was linked to more than 20 million hacked accounts worldwide.
The password spraying technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts.
Cybersecurity experts said these attacks are successful because for any given large set of users, there will likely be some with common passwords.
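In authentication logs, the pattern the alert describes shows up as one source failing against many different accounts while staying under any single account's lockout threshold. The Python example below is an added illustration for defenders, not part of the alert or of this article; the log format, thresholds and sample entries are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (timestamp, source IP, account, result); not real data.
SAMPLE_LOG = """\
2020-05-05T09:00:00 203.0.113.7 alice FAIL
2020-05-05T09:01:00 198.51.100.9 bob FAIL
2020-05-05T09:01:05 198.51.100.9 bob FAIL
2020-05-05T09:01:10 198.51.100.9 bob FAIL
2020-05-05T09:01:15 198.51.100.9 bob FAIL
2020-05-05T09:01:20 198.51.100.9 bob FAIL
2020-05-05T09:02:00 203.0.113.7 bob FAIL
2020-05-05T09:03:00 192.0.2.4 alice FAIL
2020-05-05T09:03:30 192.0.2.4 alice SUCCESS
2020-05-05T09:04:00 203.0.113.7 carol FAIL
2020-05-05T09:06:00 203.0.113.7 dave FAIL
2020-05-05T09:08:00 203.0.113.7 erin FAIL
2020-05-05T09:10:00 203.0.113.7 frank SUCCESS
"""

def parse(log):
    for line in log.strip().splitlines():
        ts, src, user, result = line.split()
        yield datetime.fromisoformat(ts), src, user, result

def detect_spray(log, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    """Map each spraying source to the accounts it failed against.
    Flags a source whose failures in one sliding window cover many accounts
    while each account stays under an assumed lockout threshold."""
    failures = defaultdict(list)
    for ts, src, user, result in parse(log):
        if result == "FAIL":
            failures[src].append((ts, user))
    flagged = {}
    for src, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # drop failures that fell out of the window
            counts = Counter(user for _, user in events[start:end + 1])
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                flagged[src] = sorted(set(flagged.get(src, [])) | set(counts))
    return flagged

def successes_from(log, sources):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({u for _, s, u, r in parse(log) if r == "SUCCESS" and s in sources})
```

The repeated failures against a single account from 198.51.100.9 are ordinary brute force that a lockout policy already catches, so this rule leaves them alone; any account returned by `successes_from` is the first candidate for a password reset.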
The alert also said the attackers “may seek to obtain intelligence on national and international health care policy, or acquire sensitive data on COVID-19-related research.”
Bill Evanina, director of the U.S. National Counterintelligence and Security Center, said in a statement, “Medical research organizations and those who work for them should be vigilant against threat actors seeking to steal intellectual property or other sensitive data related to America’s response to the COVID19 pandemic.”
According to DHS, these organizations’ global reach and their international supply chains increase exposure to malicious cyber actors. Both U.S. and U.K. organizations were warned that hackers view supply chains as a weak link that they can exploit to obtain access to better-protected targets.
Limitations on the number of employees working on some sites, because of social distancing requirements, were also a key factor, the alert said.
“Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.”
Both U.S. and U.K. officials said they are making special provisions to help the organizations fend off these threats.
Bryan Ware, CISA assistant director of cybersecurity, said, “CISA has prioritized our cybersecurity services to health care and private organizations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to COVID-19.”
Based on intelligence gathered, U.S. and U.K. authorities have learned that APT groups collate names from various online sources that provide organizational details, and they use the information to identify possible accounts for targeted institutions.
At that point, the APT actors will “spray” the identified accounts with lists of commonly used passwords.
Once a malicious cyber actor compromises a single account, it is typically used to access other accounts where the credentials are reused.
Most often, the hacker then moves laterally across the network to steal additional data and implement further attacks against other accounts within the network.
Due to the rapid growth in the number of malicious actors, educating leadership and key personnel in the affected organizations is a key objective for the intelligence agencies.
“We are fully focused on supporting the U.K.’s health and research services to defend themselves from cyberattack during the coronavirus outbreak,” said Paul Chichester, director of operations at the National Cyber Security Centre, or NCSC.
To help deter these attacks, CISA and NCSC urge all at-risk agencies to, among other items, review their password policies to ensure they align with the latest guidelines and deter the use of easy-to-guess passwords.