APT Groups Targeting COVID-19 Research, Cybersecurity Agencies Warn

Health organizations and other government entities in the United Kingdom and the United States that are involved in the fight against COVID-19 have suffered a slew of cyberattacks in recent months. According to the cybersecurity agencies of both countries, many of these cyberattacks are the work of state-sponsored hackers, referred to as advanced persistent threats, or APT groups.

These APT groups have sought to use the global public health crisis to throw the US and UK’s COVID-19 response efforts into chaos, and to gather intelligence and commit espionage in the process. This is according to officials from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s counterpart, the National Cyber Security Centre (NCSC), who announced their findings in a joint alert on May 5.

APT groups use tried-and-trusted tricks

According to the two cybersecurity agencies, the APT groups responsible for the disruptions have used a wide array of methods to achieve their malicious aims, most notably phishing emails and large-scale password spraying. The latter tactic involves hackers attempting to access a large number of accounts by trying a set of commonly used passwords against each username.
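An added example, not part of the joint alert or the original article: how the spraying pattern described above can be told apart from ordinary brute force in authentication logs. The event tuple format, function names and thresholds are assumptions chosen for illustration, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source IP, username, outcome).
SAMPLE_EVENTS = (
    # One source, one try each against many accounts: the spraying pattern.
    [(f"2020-05-05T09:0{i}:00", "203.0.113.7", user, "FAIL")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    + [("2020-05-05T09:05:00", "203.0.113.7", "frank", "OK")]
    # One source hammering a single account: brute force, not spraying.
    + [(f"2020-05-05T10:0{i}:00", "198.51.100.20", "alice", "FAIL")
       for i in range(8)]
    # A user mistyping once, then logging in.
    + [("2020-05-05T11:00:00", "192.0.2.15", "bob", "FAIL"),
       ("2020-05-05T11:01:00", "192.0.2.15", "bob", "OK")]
)

def detect_password_spray(events, window=timedelta(minutes=30),
                          min_users=5, max_per_user=2):
    """Map each flagged source IP to the usernames it failed against.
    Flagged: within one sliding window, failures cover at least min_users
    accounts with at most max_per_user tries each (assumed thresholds)."""
    failures = defaultdict(list)
    for ts, src, user, outcome in events:
        if outcome == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    flagged = {}
    for src, items in failures.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = sorted(per_user)
                break
    return flagged

def accounts_to_review(events, flagged):
    """Accounts that logged in successfully from a flagged source."""
    return sorted({user for _, src, user, outcome in events
                   if outcome == "OK" and src in flagged})

if __name__ == "__main__":
    hits = detect_password_spray(SAMPLE_EVENTS)
    print(hits, accounts_to_review(SAMPLE_EVENTS, hits))
```

Thresholds need tuning per environment, since a shared gateway or proxy can look like a single source with many users.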

The NCSC and CISA warn further that the number of domain names registered with a coronavirus connection has skyrocketed in recent months. According to the two cybersecurity agencies, many of these registrations go on to be used in phishing campaigns and give the hackers a veneer of credibility.

In order to help organizations better prepare against coronavirus-themed threats, the two cybersecurity agencies have jointly laid out an extensive list, termed ‘Indicators of Compromise’. The list includes a large number of domain names and IP addresses which are believed to be of dodgy origin.

COVID-19 related research in the crosshairs

The targets of the APT groups have included a broad range of state entities involved in both national and international COVID-19 responses. These include health, pharmaceutical and healthcare organizations, government agencies and universities.

However, the list of targeted organizations laid out by the cybersecurity agencies may indeed not be exhaustive. According to news website Government Technology, for example, additional targets have so far also included other major institutions on the frontlines in the fight against the pandemic, such as the World Health Organization (WHO) and the National Institutes of Health (NIH).

According to CISA and NCSC, the propensity of the APT groups to target such institutions, which appear typically to be healthcare related, reveals their intent to steal information relating to medical research into the coronavirus.

“APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit,” the cybersecurity agencies point out, adding that organizations involved in COVID-19-related research are “attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.”

Cybersecurity agencies scramble to respond

Director of Operations at the NCSC Paul Chichester asserts that, while the scale of the cyberattacks by APT groups remains concerning, the organization is doing all in its power to bring the situation under control.

“Malicious cyber actors are adjusting their tactics to exploit the COVID-19 pandemic, and the NCSC is working round the clock with its partners to respond,” Chichester said. “Our advice to the public and organizations is to remain vigilant and follow our guidance, and to only use trusted sources of information on the virus such as UK Government, Public Health England or NHS websites.”

Chichester’s position was reaffirmed by his US counterpart, Bryan Ware, the Assistant Director for Cybersecurity at CISA. “As the COVID-19 outbreak continues to evolve, bad actors are using these difficult times to exploit and take advantage of the public and business,” Ware wrote. “Our partnerships with the NCSC and industry have played a critical role in our ability to track these threats and respond.”

Ware went on to point out that, in the meantime, the public ought to be cognizant of the threat posed by APT groups, and to adapt their digital behaviors accordingly.

“We urge everyone to remain vigilant to these threats, be on the lookout for suspicious emails and look to trusted sources for information and updates regarding COVID-19,” he explained. “We are all in this together and collectively we can help defend against these threats.”

Additionally, the cybersecurity agencies have issued several guidelines for employees at affected organizations and for the public at large in order to reduce the risk of falling victim to attacks from threat actors. The joint alert recommends regularly updating virtual private networks and making use of multi-factor authentication and other “modern systems and software.”