Sabrina - stock.adobe.com

Coronavirus: NCSC issues urgent alert for healthcare sector

UK National Cyber Security Centre and US Cybersecurity and Infrastructure Security Agency say they are seeing large-scale campaigns targeting healthcare bodies and medical research organisations

The NHS, other healthcare organisations and medical research bodies are being targeted by advanced persistent threat (APT) groups conducting a wave of large-scale password-spraying attacks and should take urgent action to protect themselves, according to the UK’s National Cyber Security Centre (NCSC) and its US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA).

The campaigns’ objective is to steal personal information and patient data, intellectual property and “intelligence that aligns with national priorities”, the agencies said in a joint advisory notice issued today. The attacks are clearly aimed at gathering information related to the Covid-19 coronavirus pandemic.

“Protecting the healthcare sector is the NCSC’s first and foremost priority at this time, and we’re working closely with the NHS to keep their systems safe,” said Paul Chichester, director of operations at the NCSC.

“By prioritising any requests for support from health organisations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it.

“But we can’t do this alone, and we recommend healthcare policy-makers and researchers take our actionable steps to defend themselves from password-spraying campaigns.”

Bryan Ware, assistant director of cyber security at the CISA, added: “CISA has prioritised our cyber security services to healthcare and private organisations that provide medical support services and supplies in a concerted effort to prevent incidents and enable them to focus on their response to Covid-19.

“The trusted and continuous cyber security collaboration CISA has with NCSC and industry partners plays a critical role in protecting the public and organisations, specifically during this time as healthcare organisations are working at maximum capacity.”

Password-spraying attacks are a kind of brute-force attack in which threat actors attempt to gain access to target systems by attempting to log in with some of the most commonly used passwords, such as “123456”, “qwerty” and “password”.

They are particularly dangerous because, as with virtually all forms of cyber attack, the perpetrators only need to get lucky once.

If they can compromise just one account protected by an insecure password, they will know that the owner is not paying attention to their own security and are likely to be able to access multiple other accounts where the same password has been used.

They are also likely to try to move laterally across the hacked organisation’s network, stealing data and attacking other network users from within.

NHS organisations and other healthcare sector bodies should tell staff to change any password that can be reasonably guessed – the top 100,000 overused guessable passwords, compiled with help from HaveIBeenPwned.com, can be downloaded here. As a minimum standard, new passwords can be created by stringing together three random words. If possible, two-factor authentication should be implemented as an additional measure – in spite of its documented flaws, it will be better than nothing.

Read more about NHS security

The NCSC and CISA’s latest warning came just days after it was reported that multiple APT groups linked to nation state governments were targeting research organisations and pharmaceutical companies, including the University of Oxford and AstraZeneca, in an attempt to steal research on tests, treatments and vaccines for the Covid-19 virus.

According to The Observer, no successful attacks on the medical research sector have yet been observed – but this does not mean they have not happened. Hackers are known to spend upwards of three months moving around inside compromised networks.

If this trend still holds true, it is possible to predict with a small degree of confidence that the impact of cyber attacks on organisations targeted with coronavirus-related lures may begin to become apparent in the next few weeks.

As is usual in nation state-linked cyber attacks, the likely perpetrators are based in China, Iran and Russia.

Read more on Hackers and cybercrime prevention