The U.S. government warned last week that APT groups have been zeroing in on healthcare companies with the aim of extracting sensitive COVID-19 intelligence and research.
The Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Security Agency (CISA) - part of the Department of Homeland Security - doubled down on those claims this week in a joint public service announcement (.PDF) unmasking the enemy as hackers working for the People's Republic of China.
It's the latest instance of the U.S. government formally attributing a cyberattack to Chinese-affiliated hackers, something that was once a rarity but has become more common over the last several years.
The government agencies are encouraging organizations that are working on a response to COVID-19 to be aware they're being targeted and in some instances, compromised. Research institutions, pharmaceutical companies, and healthcare companies especially should remain on high alert, the agencies say.
“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” the PSA reads. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
While neither agency released additional details around the attribution, an FBI press release accompanying the news promised that “additional technical details regarding the threat will be released in the coming days.”
To combat the threat, the agencies are making the following recommendations:
- Assume that press attention affiliating your organization with COVID-19 related research will lead to increased interest and cyber activity.
- Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data.
- Actively scan web applications for unauthorized access, modification, or anomalous activities.
- Improve credential requirements and require multi-factor authentication.
- Identify and suspend access of users exhibiting unusual activity.
CISA has had its hands full these past several weeks. Earlier this week, the agency, also working with the FBI, recapped the top 10 vulnerabilities it saw exploited from 2016-2019.
Last week, the agency, in a joint warning alongside the United Kingdom's National Cyber Security Centre (NCSC), first cautioned healthcare companies working on COVID-19 treatments that they were being targeted.
"APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments," the groups said at the time.
In that advisory, the groups said that APT groups were carrying out large-scale password spraying campaigns to infiltrate organizations and companies, then looking to get into as many accounts as possible, using that access to download email lists and password spray further.
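The password-spraying pattern described above (one source trying a small number of passwords against many different accounts, then using any account it lands on) leaves a recognisable trace in authentication logs. The following is an added example, not code from the advisory or the article: it parses constructed login records in an assumed `timestamp ip user outcome` format and flags a source that fails against many distinct accounts inside a time window, also listing any account that source then logged into successfully; the thresholds and log format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). One source cycles through
# many accounts with few attempts each (a spray); another is a single user retrying.
SAMPLE_LOG = """\
2020-05-11T08:00:01Z 203.0.113.5 alice FAIL
2020-05-11T08:00:03Z 203.0.113.5 bob FAIL
2020-05-11T08:00:05Z 203.0.113.5 carol FAIL
2020-05-11T08:00:07Z 203.0.113.5 dave FAIL
2020-05-11T08:00:09Z 203.0.113.5 erin FAIL
2020-05-11T08:00:11Z 203.0.113.5 frank FAIL
2020-05-11T08:00:13Z 203.0.113.5 grace SUCCESS
2020-05-11T08:01:00Z 198.51.100.7 alice FAIL
2020-05-11T08:01:30Z 198.51.100.7 alice FAIL
2020-05-11T08:02:00Z 198.51.100.7 alice SUCCESS
"""


def parse_log(text):
    """Yield (timestamp, source_ip, user, outcome) from the assumed log format."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, outcome = line.split()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, outcome


def detect_spray(records, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {"accounts": n, "hits": [users]}} for every source that failed
    against at least `min_accounts` distinct accounts within a sliding `window`.
    "hits" are accounts the same source later authenticated to successfully,
    i.e. the follow-on access the advisory warns about. Thresholds are assumed."""
    fails = defaultdict(list)     # ip -> [(timestamp, user), ...]
    successes = defaultdict(set)  # ip -> {user, ...}
    for ts, ip, user, outcome in records:
        if outcome == "FAIL":
            fails[ip].append((ts, user))
        else:
            successes[ip].add(user)
    alerts = {}
    for ip, events in fails.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward past stale failures
            best = max(best, len({u for _, u in events[start:end + 1]}))
        if best >= min_accounts:
            alerts[ip] = {"accounts": best, "hits": sorted(successes[ip])}
    return alerts


if __name__ == "__main__":
    print(detect_spray(parse_log(SAMPLE_LOG)))
```

A single user retrying a password (the second source) counts as one account and is not flagged; tune `min_accounts` and `window` to the site's normal failure rate before alerting on it.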