The United Kingdom’s National Cyber Security Centre (NCSC) and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) have issued a joint advisory warning that government-backed hackers are attacking healthcare and research institutions during Covid-19.

“CISA and NCSC continue to see indications that advanced persistent threat (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations,” the agencies said in a statement.

The US and UK cybersecurity agencies have seen a surge in large-scale ‘password spraying’ campaigns against healthcare bodies and medical research organizations by ‘advanced persistent threat’ (APT) groups.

Password spraying campaigns

Password spraying is a form of brute-force attack in which the attacker tries a single, commonly used password against many accounts, then repeats the process with a second password, and so on.

“This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords,” read the advisory.
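The detection angle that follows from the description above: because each account sees only one or two failures, a per-account lockout rule never fires, so the signal is a single source failing against many distinct accounts. The following is an added example (not from the advisory or either agency) that runs such a check over constructed authentication log lines; the log format, thresholds and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from the advisory), format "timestamp user source_ip result".
# One source fails once each against five accounts and then succeeds on a sixth;
# a second source is an ordinary user mistyping their own password twice.
SAMPLE_LOG = """\
2020-05-05T09:00:01 alice 203.0.113.7 FAIL
2020-05-05T09:00:02 bob 203.0.113.7 FAIL
2020-05-05T09:00:03 carol 203.0.113.7 FAIL
2020-05-05T09:00:04 dave 203.0.113.7 FAIL
2020-05-05T09:00:05 erin 203.0.113.7 FAIL
2020-05-05T09:00:06 frank 203.0.113.7 SUCCESS
2020-05-05T09:10:00 alice 198.51.100.9 FAIL
2020-05-05T09:10:30 alice 198.51.100.9 FAIL
2020-05-05T09:11:00 alice 198.51.100.9 SUCCESS
"""

def parse(lines):
    """Parse the constructed log format into (timestamp, user, ip, result) tuples."""
    events = []
    for line in lines.strip().splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def detect_spray(events, window=timedelta(minutes=30), min_accounts=5, max_per_account=3):
    """Flag a source IP if, within any `window`, its failures span at least
    `min_accounts` distinct users while no single user exceeds `max_per_account`
    failures: the low-and-slow shape that stays under per-account lockouts."""
    by_ip = defaultdict(list)
    for ts, user, ip, result in events:
        if result == "FAIL":
            by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):  # slide a window starting at each failure
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[ip] = sorted(per_user)
                break
    return flagged

def successes_from_sprayers(events, flagged):
    """Accounts that logged in successfully from a flagged source: likely compromised."""
    return sorted({u for _, u, ip, r in events if r == "SUCCESS" and ip in flagged})
```

A successful login from a flagged source is the account to reset first, and the GAL download described below is the kind of follow-on activity to look for on it.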

According to the advisory, these groups target organizations such as healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.

In previous instances, malicious cyber actors have used password spraying to “compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL). The actors then used the GAL to password spray further accounts,” the advisory said.

Furthermore, the agencies have also recently spotted APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. The attackers usually leverage the Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto, according to the report.

Steps to mitigate cybersecurity risks

The agencies have advised staff at these organizations to change any passwords that could reasonably be guessed. They have also been advised to create passwords from three random words and to implement two-factor authentication to reduce the risk of compromise.

The agencies have also advised organizations to update their VPNs, network infrastructure devices, and devices being used to remote into work environments with the latest software patches and configurations.

The NCSC has also previously published the most commonly hacked passwords that attackers use to gain access to personal and corporate accounts and networks. CISA also has a security tip sheet to help organizations and individuals “avoid making common mistakes when choosing and protecting their password.”

Last month, the NCSC launched a reporting service for suspicious phishing emails after seeing an increase in coronavirus-related email scams. In its first week, the Suspicious Email Reporting Service received over 25,000 reports, resulting in 395 phishing sites being taken down, it said.