The National Cyber Security Centre and the U.S. Department of Homeland Security have issued a joint advisory concerning ongoing activity by APT groups to target organisations involved in both national and international COVID-19 responses, such as healthcare bodies, pharmaceutical companies, and medical research organisations.
In a joint statement, the two authorities highlighted how APT groups are carrying out large-scale "password spraying" campaigns to gain access to accounts belonging to organisations involved in the coronavirus response, especially healthcare bodies and medical research organisations.
The primary motive of such APT groups is to collect bulk personal information, intellectual property and intelligence that aligns with national priorities. NCSC observed that "actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research".
The fresh advisory comes less than a month after both NCSC and DHS's Cybersecurity and Infrastructure Security Agency (CISA) issued a joint statement highlighting how malicious cyber actors were exploiting the current COVID-19 pandemic for their own objectives. NCSC said it had detected more UK government-branded scams relating to COVID-19 than any other subject, with cyber criminals targeting individuals, small and medium businesses, and large organisations with COVID-19 related scams and phishing emails.
In response to increasing phishing campaigns launched by cyber criminals using the pandemic as a vector, NCSC launched its ‘Suspicious Email Reporting Service’ to allow citizens to report fake, fraudulent and suspicious emails, including those that offered coronavirus-related services.
Within a day of the service being launched, the NCSC received over 5,000 complaints concerning suspicious emails for investigation and successfully shut down 83 malicious web campaigns. Citizens can continue to flag suspicious email scams by alerting the NCSC at firstname.lastname@example.org.
Commenting on the latest advisory issued by the NCSC, Chris Morales, head of security analytics at Vectra, said that password spraying is a highly opportunistic technique that continually works because passwords are commonly reused across multiple services.
"The bigger problem here is that authentication has always been about what you know (a remembered phrase, i.e. password) but not about who and where you are. A strong password doesn’t fix the problem.
"Until authentication evolves to being truly adaptive with contextual understanding of who the user is, what the user knows, and where the user is requesting access to particular services, techniques like password spraying will continue to work and therefore to be used for opportunistic access," he added.