Prominent warnings from the UK government
On 5th March, the UK government’s daily coronavirus press briefing highlighted the threat of criminal and state-sponsored cyber-attacks facing all players in the concerted response to the global pandemic. Referring to a joint advisory issued by the UK National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA), the Foreign Secretary warned that national and international organizations operating in the fields of healthcare, pharmaceuticals, medical research, academia and local government, as well as their suppliers, are being targeted for purposes ranging from fraud to espionage.
The government’s choice to highlight cyber threats in this forum truly hammers home the severity of the risk to the critical organizations working on the front lines to protect our society. However, there is a positive message in the warning too, because there are steps that organizations involved in the COVID-19 response can take, now, to help protect themselves and mitigate the risk posed by these truly reprehensible threat actors.
First, it’s important that organizations better understand the nature of the threat actors behind the attacks, in order to better defend against, detect and respond to them. Lessons learned from threat intelligence – and heeding the warnings of official government bodies based on that intelligence – can help organizations build a picture of the most critical threats to them and mitigate those threats before they strike.
What are APT groups, and why are they attacking COVID-19 responders?
Entities that hold personal, health or financial data have long been preyed on by cyber-criminals seeking assets they can sell on to fraudsters or hold to ransom, and those attacks have only increased and become more effective since the COVID-19 outbreak. However, there is another, more insidious threat that lurks within the networks of strategic targets, remaining undetected for extended periods. Advanced persistent threats (APTs) are sophisticated stealth campaigns conducted by nation states or criminal groups, frequently with the aim of espionage. The NCSC-CISA advisory notes that APTs have been observed seeking coronavirus-related information from health, research and government organizations.
In an APT cyber-attack, the attacker might enter an organization’s network by exploiting a vulnerability in its IT infrastructure or by convincing an unwitting employee to open a malicious link or attachment in a cleverly crafted “phishing” email. The recent guidance on the healthcare sector adds that APT groups are also targeting healthcare organizations with “password spraying” attacks: brute-force attacks that try a list of the most common passwords across many accounts in an attempt to gain access to one of them. Once inside, the attacker moves laterally through the network, broadening their reach and escalating privileges as they go. Whereas the typical cyber-criminal will often stay in the network only long enough to gather a profitable quantity of data, an APT actor might remain in the network long term, conducting surveillance and gathering their own intelligence. The fact that known APT actors have been seen responding quickly to the coronavirus situation suggests either that they have opportunistically launched new missions or that they already had access to networks from which they are now gathering information.
In the present global health crisis, information of value to APT groups includes research into the virus and potential vaccines, and government policies. Meanwhile, certain threat actors have waged disruption campaigns aiming to undermine other countries’ ability to respond to the crisis.
Who are the targets of the APT attacks?
Cyber-attacks targeting the World Health Organization (WHO) have reportedly increased five-fold recently. An attempted WHO break-in in mid-March, potentially seeking information about a vaccine or cure, has been speculatively linked to the long-standing APT group DarkHotel, thought to be based in either North Korea or South Korea. The attack involved a malicious site mimicking the WHO’s internal email system. DarkHotel has historically focused on the hospitality sector but is suspected by some to be behind recent espionage campaigns targeting the Chinese government. In late April, credentials for active WHO accounts were leaked from an unknown source alongside data from other organizations responding to the pandemic, such as the Gates Foundation.
One popular method of compromising a network is to attack the target entity’s suppliers and then move along the supply chain. The international supply chains of healthcare providers, pharmaceutical companies and medical research organizations, coupled with their use of cloud services and recent mass shift to remote working, constitute a significant vulnerability for the health sector. Security researchers have recently seen APT actors, such as Chinese state-sponsored group APT41, scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software, particularly in virtual private network (VPN) products used for remote working.
APT attacks have also targeted government entities around the world. In one example from late March, a Canadian government health organization was targeted with ransomware delivered through a phishing email from threat actors posing as the WHO. The same ransomware attack also compromised a Canadian university conducting COVID-19 research.
Hackers are targeting universities involved in vaccine research, in their search for information to provide a technological edge. Though there are no public reports of data theft to date, organizations working in the field, including most prominently the University of Oxford, have reportedly been working with government to “ensure their COVID-19 research has the best possible cybersecurity”.
Healthcare providers, including hospitals, have historically been vulnerable to ransomware due to the personal data they hold and their often limited resources to invest in security infrastructure. This trend has continued despite certain ransomware groups vowing to abstain from attacking during the healthcare crisis; notably, the Maze group has reneged on its promise, extorting ransoms from Affordacare Urgent Care Clinic in Texas and Hammersmith Medicines Research in London. Perhaps more concerning, however, are the actors seeking to impede healthcare providers’ ability to respond to the pandemic. In mid-March, the US Health and Human Services Department was reportedly hit by a DDoS (‘distributed denial-of-service’) attack that aimed to overwhelm its systems but did not involve intrusion into the network or theft of data. A similar attack appears to have taken place at the same time at a hospital in the Czech Republic, delaying COVID-19 test results. Although these attacks have not been attributed, their disruptive nature suggests that nation states could be behind them.
Defending our critical COVID-19 responders
An important means of mitigating the threat from APT groups or other cyber threat actors is to incorporate ongoing, relevant threat intelligence into the organization’s cyber security strategy. Simply stated, “threat intelligence” is the collection and analysis of information about attacks and their perpetrators. Organizations with particularly robust programs for using threat intelligence undertake regular threat intelligence monitoring, including scanning underground forums and marketplaces for indicators of compromise or planned attacks, and searching databases of leaked credentials, as a valuable tool for understanding the threats to the organization or its peers in similar sectors.
Similarly, organizations may want to consider a formal “threat hunting” exercise around the question: “Has the organization already been compromised?”, by conducting forensic analysis to identify whether any security or privacy issues have been exploited historically, and if so, the possible impact of those exploits. Threat intelligence gathered on behalf of the organization and its sector can also help to focus efforts on the highest-risk or most prevalent attack patterns.
Sectors that have been revealed to be key targets of the APT threat are also highly connected to third parties, often via complex supply chains or data-sharing arrangements. Accordingly, organizations would do well to review the arrangements they have in place with third parties, ensure that cyber security due diligence has been done on those relationships – and encourage those third parties to take heed of the current threat landscape.
Finally, it is always a good idea to review and consider improvements to internal security measures, such as those outlined by the NCSC:
- Ensure staff use strong and unique passwords (the NCSC suggests three random words and a different password for each system) and are trained in identifying phishing emails. Use of multifactor authentication will further protect account access.
- Use the latest, fully patched versions of software, especially any products used for remote working.
- Restrict admin privileges and use network segmentation.
- Employ “defence in depth”, whereby if one mechanism fails, another will prevent further compromise.
- Set up security monitoring to collect data that will be needed to analyse network intrusions.
- Review and update your incident management processes.
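The password-spraying attacks described above, and the security monitoring the NCSC recommends, come together in the following added example of detection logic; it is not code from Aon or the NCSC. It assumes a constructed, simplified authentication log format (`<ISO timestamp> <source IP> <username> <SUCCESS|FAIL>`), and the thresholds (a 30-minute window, five distinct accounts) are assumptions to be tuned to the organization’s own baseline. The point it makes is that spraying looks different from classic brute force: few failures per account, but many accounts from one source, and a success after such a run is the signal that an account may already have been compromised.

```python
"""Detect password-spraying patterns in authentication logs.

Added example, not Aon's or the NCSC's code. Assumes a constructed log
format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for demonstration only (RFC 5737 test addresses).
# 203.0.113.7 sprays one password across six accounts and gets in as "frank".
# 198.51.100.9 hammers a single account (brute force, not spraying).
SAMPLE_LOG = """\
2020-04-01T09:00:01 203.0.113.7 alice FAIL
2020-04-01T09:00:03 203.0.113.7 bob FAIL
2020-04-01T09:00:05 203.0.113.7 carol FAIL
2020-04-01T09:00:07 203.0.113.7 dave FAIL
2020-04-01T09:00:09 203.0.113.7 erin FAIL
2020-04-01T09:00:11 203.0.113.7 frank SUCCESS
2020-04-01T09:05:00 198.51.100.9 alice FAIL
2020-04-01T09:05:02 198.51.100.9 alice FAIL
2020-04-01T09:05:04 198.51.100.9 alice FAIL
2020-04-01T09:05:06 198.51.100.9 alice FAIL
2020-04-01T09:05:08 198.51.100.9 alice FAIL
2020-04-01T09:05:10 198.51.100.9 alice FAIL
2020-04-01T10:00:00 192.0.2.44 grace SUCCESS
"""


def parse_log(text):
    """Turn the constructed log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_accounts=5):
    """Return findings keyed by source IP.

    A source is flagged when its failed logins inside `window` touch at least
    `min_accounts` distinct usernames. Many failures against one account
    (classic brute force) is deliberately not flagged by this rule. Assumed
    thresholds; tune them to the organization's own login baseline.
    """
    failures = defaultdict(list)   # ip -> [(timestamp, user)]
    successes = defaultdict(list)  # ip -> [(timestamp, user)]
    for ts, ip, user, outcome in events:
        (failures if outcome == "FAIL" else successes)[ip].append((ts, user))

    findings = {}
    for ip, fails in failures.items():
        fails.sort()
        start = 0
        # Sliding window over this source's failures, oldest to newest.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            users = {u for _, u in fails[start:end + 1]}
            if len(users) >= min_accounts:
                first, last = fails[start][0], fails[end][0]
                # A success from the same source after the spray began is the
                # indicator that an account was likely compromised.
                compromised = sorted({u for t, u in successes.get(ip, []) if t >= first})
                findings[ip] = {
                    "distinct_accounts": len(users),
                    "window_start": first.isoformat(),
                    "window_end": last.isoformat(),
                    "subsequent_success": compromised,
                    "severity": "high" if compromised else "medium",
                }
                break  # one finding per source is enough for triage
    return findings


if __name__ == "__main__":
    for ip, finding in detect_spraying(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Run against the constructed sample, only 203.0.113.7 is reported, with `frank` listed as the subsequent success and the finding raised to high severity; the single-account attempts from 198.51.100.9 fall under a separate brute-force rule. A rule like this only works if the monitoring the NCSC recommends is already collecting source address, account and outcome for every authentication attempt, including for VPN and cloud logins.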
To learn more about how to assess and mitigate cyber risks to your organization, please contact Aon.
Authors: Julia Buckingham, Zainab Ali Majid and Dylan Brown
This material has been prepared for informational purposes only and should not be relied on for any other purpose. You should consult with your own legal and information security advisors or IT Department before implementing any recommendation or guidance provided herein.
Sources:
https://www.cnet.com/news/hackers-target-us-health-agency-during-coronavirus-crisis/
https://www.bloomberg.com/news/articles/2020-03-16/u-s-health-agency-suffers-cyber-attack-during-covid-19-response
https://www.scmagazineuk.com/coronavirus-test-results-delayed-cyber-attack-czech-hospital/article/1677194
See also the NCSC guidance: https://www.ncsc.gov.uk/collection/10-steps-to-cyber-security/the-10-steps