US, UK Cyber Authorities Warn State-Backed Hackers Are After COVID-19 Treatment Data

Advanced persistent threat groups appear to be after intellectual property and research that could aid nation-states in their attempts to treat the coronavirus pandemic, according to an alert jointly issued by the Cybersecurity and Infrastructure Security Agency and the United Kingdom’s National Cyber Security Centre. 

“CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities,” reads the alert. “APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.”

APTs are typically associated with nation-states because of the level of sophistication and resources they are able to put into their hacking campaigns. 

This morning’s alert does not name any particular nation-states, but UK authorities reportedly suspect Russia, Iran and China are responsible for a recent uptick—yet unsuccessful—in attacks.  

“Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software,” the agencies warn. “Actors are known to take advantage of Citrix vulnerability CVE-2019-19781, and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.”

CISA and NCSC first flagged the involvement of APTs in COVID-19 related hacking attempts in an April 8 alert where they also mentioned the Citrix and VPN vulnerabilities. That alert included guidance for mitigating attacks that used teleconferencing tools and various phishing tactics to deliver the associated malware.

Today’s alert focuses on “password spraying,” where malicious actors exploit the inevitable use of poor passwords by at least a few insiders to gain access to systems and data.

The alert describes the tactic as a “brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on.”

It works, the authorities say, because “for any given large set of users, there will likely be some with common passwords.”

Password spraying is not at all new. To mitigate it, the alert links to a CISA alert on the tactic from March 2018, in addition to basic guidelines for choosing and supplementing passwords. 

Other mitigation measures such as using multifactor authentication, modern software and systems, establishing security monitoring capabilities and protecting management interfaces were also included in the alert.