A U.S. and UK joint alert on May 5 warns hackers “are actively targeting organizations involved in both national and international COVID-19 responses.”
The UK’s National Cyber Security Center (NCSC) and the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) exposed hacking campaigns (pdf) targeting organizations involved in the response to the CCP (Chinese Communist Party) virus outbreak, commonly known as the novel coronavirus.
According to the CISA alert, the campaigns were conducted by “advanced persistent threat” (APT) groups that used a “password spraying” technique to steal bulk personal information from health care, medical research, pharmaceutical, academic institutions as well as local governments.
APT actors are typically hacking groups sponsored by foreign states which gain unauthorized access to computer networks to steal data, or destroy operations, and can continue to attack on the same network for months or years while remaining undetected, according to Fire Eye, a cyber security company. They are believed to be sponsored by China, Russia, Iran, and some other states.
With the outbreak of the CCP virus, APT actors have intensified their activities “to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research for commercial and state benefits,” according to the NCSC alert.
Password spraying is a hacking technique that uses a single commonly used password against a large number of accounts. The password is used only once per account and if the attempt fails the next account is tried. The more accounts are attempted the higher the likelihood of finding an account that uses the password. Then the attacker can try to use a second commonly used password also for a large number of accounts.
This approach allows hackers to avoid account lockout since many systems have a limit set on the number of invalid passwords and will lock an account when the limit of failed attempts is reached.
Once an account is compromised the hacker can use the access to steal personal data, compromise more accounts, and steal intelligence, or intellectual property from the system.
To reduce the risk of hacking CISA recommends two measures, changing all passwords that can be easily guessed to stronger passwords using a sequence of three random words and implementing two-factor authentication.
Two-factor authentication requires the user to provide to the system two out of three pieces of information related to “something you know” such as a password, “something you have” such as a smartphone, a small hardware token, a credit card or “something you are” such as a biometric pattern of a fingerprint, an iris scan, or a voiceprint.
Providing “something you have” means that the user needs to enter a system-generated code sent to the user’s smartphone or token device, or provide their credit card data.
In addition, both U.S. and UK agencies have also issued guidelines for information technology professionals on how to secure their systems and make them resistant to potential cyberattacks.
“CISA has prioritized our cybersecurity services to healthcare and private organizations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to COVID-19,” said Bryan Ware, CISA Assistant Director of Cybersecurity.
“The trusted and continuous cybersecurity collaboration CISA has with NCSC and industry partners plays a critical role in protecting the public and organizations, specifically during this time as healthcare organizations are working at maximum capacity,” he added.