U.S., U.K. security agencies warn state-based hackers targeting healthcare, medical research

Cybersecurity authorities in the U.S. and U.K. are warning that nation-state hackers are after intellectual property and medical research related to COVID-19 treatments.

In a joint alert, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and Britain's National Cyber Security Centre (NCSC) warned that advanced persistent threat (APT) groups are attacking healthcare policy makers and medical research organizations to steal information about efforts to contain the coronavirus outbreak.

"CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit," the authorities said in the alert. "Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine."

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors, according to the alert.

Hackers view supply chains as a weak link they can exploit to get access to better-protected targets. Many supply chains also have been affected by the shift to remote working and the new vulnerabilities that have resulted, CISA and NCSC wrote.

APTs are typically associated with foreign governments because of the level of sophistication and resources they can put into their hacking campaigns. 

According to CISA and NCSC, hackers have been scanning public websites looking for vulnerabilities in unpatched software. Hackers are known to take advantage of Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network products from Pulse Secure, Fortinet and Palo Alto, according to the alert.

Hackers are using a method called "password spraying," trying commonly used passwords to gain access.

"This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords," the authorities said.

CISA and NCSC are investigating large-scale password spraying campaigns conducted by APT groups. Hackers are using this type of attack to target healthcare organizations in several countries—including the U.K. and the U.S.—as well as international healthcare organizations.
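
The pattern the alert describes (few attempts per account, spread across many accounts, so lockouts never trigger) can be looked for in authentication logs. The following is an added defensive example, not taken from the CISA/NCSC alert; the log format, thresholds and function names are assumptions, and the log lines are constructed.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample events: ISO timestamp, outcome, username, source IP.
SAMPLE_LOG = """\
2020-05-05T09:00:00 FAIL alice 203.0.113.7
2020-05-05T09:05:00 FAIL bob 203.0.113.7
2020-05-05T09:10:00 FAIL carol 203.0.113.7
2020-05-05T09:15:00 FAIL dave 203.0.113.7
2020-05-05T09:20:00 FAIL erin 203.0.113.7
2020-05-05T09:25:00 FAIL frank 203.0.113.7
2020-05-05T09:40:00 SUCCESS carol 203.0.113.7
2020-05-05T09:01:00 FAIL admin 198.51.100.9
2020-05-05T09:01:05 FAIL admin 198.51.100.9
2020-05-05T09:01:10 FAIL admin 198.51.100.9
2020-05-05T09:01:15 FAIL admin 198.51.100.9
2020-05-05T09:30:00 FAIL heidi 192.0.2.10
2020-05-05T09:30:20 SUCCESS heidi 192.0.2.10
"""

def parse(log):
    """Return time-sorted (timestamp, outcome, user, ip) tuples, skipping malformed lines."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            events.append((datetime.fromisoformat(parts[0]), *parts[1:]))
    return sorted(events)

def detect_spraying(events, window=timedelta(hours=1), min_users=5, max_per_user=2):
    """Flag IPs whose failures in one window hit many accounts with few tries each."""
    fails, wins = defaultdict(list), defaultdict(set)
    for ts, outcome, user, ip in events:
        if outcome == "FAIL":
            fails[ip].append((ts, user))
        elif outcome == "SUCCESS":
            wins[ip].add(user)
    findings = {}
    for ip, rows in fails.items():
        start, best = 0, {}
        for end in range(len(rows)):
            while rows[end][0] - rows[start][0] > window:
                start += 1  # slide the window forward
            tries = Counter(user for _, user in rows[start:end + 1])
            low_and_slow = max(tries.values()) <= max_per_user
            if len(tries) >= min_users and low_and_slow and len(tries) > len(best):
                best = tries
        if best:  # accounts that later logged in from the same IP need a forced reset
            findings[ip] = {"targeted": sorted(best), "succeeded": sorted(wins[ip] & set(best))}
    return findings
```

Repeated failures against a single account (the `admin` lines) and an ordinary mistyped password (the `heidi` lines) are deliberately not flagged; per-account lockout policy covers the former, which is exactly what spraying is built to avoid.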

Nation-state attacks can be harder to understand because the motivation isn’t always financial in nature, said Tim Erlin, vice president, product management and strategy at cybersecurity company Tripwire.

"Pandemic or not, cyberattacks continue. It’s vitally important that these organizations have a good handle on their vulnerabilities. It may not be possible to fix every single vulnerability, but you have to know you have them before you can effectively prioritize remediation activities," Erlin said via email in response to the cybersecurity alert.

The authorities offered mitigation recommendations to help organizations deter this type of attack. They advise staff to change any password that could reasonably be guessed to one created with three random words, and to implement two-factor authentication to reduce the threat of compromise.

CISA also has published guidelines on password spraying and improving password policies.

The NCSC previously revealed the most commonly hacked passwords attackers are known to use to gain access to personal and corporate accounts and networks. CISA has a security tip sheet to help organizations and individuals avoid making common mistakes when choosing and protecting their passwords.

The alert follows a joint advisory published by the NCSC and CISA on April 8 about cybercriminals exploiting the coronavirus outbreak for their own personal gain. It is expected that the frequency of coronavirus-related cyberattacks will increase over the coming weeks and months, the agencies said.