APT groups attacking UK bodies critical to coronavirus response, NCSC warns

Businesses have been warned against a sharp rise in ‘password spraying’ attacks, with state-backed hacking groups targeting organisations critical to the COVID-19 response in the UK, US and across the world.

The well-documented rise in cyber crime has been fuelled by an uptick in activity from state-backed hacking groups targeting critical organisations like healthcare bodies and pharmaceutical companies, according to the National Cyber Security Centre (NCSC).

A joint-advisory published by the NCSC and US Cybersecurity and Infrastructure Security Agency (CISA) has warned businesses and public sector bodies against this wave of password spraying attacks.

This brute force technique allows attackers to try a single and commonly used password against many accounts before moving on to try a second password, and so on. The nature of the attack also allows them to remain undetected by avoiding account lockouts.

They’re successful for the most part because a large set of users are likely to share common passwords, the advisory warned.

“We know that cyber criminals, and other malicious groups are targeting individuals, businesses, and other organisations by deploying COVID-19 related scams and phishing emails,” foreign secretary Dominic Raab said at the government’s daily press briefing yesterday.

“That includes groups that in the cyber security world are known as ‘advanced persistent threat’ groups - sophisticated networks of hackers who try to breach computer systems.

“We have clear evidence now that these criminal gangs are actively targeting national and international organisations, which are responding to the COVID-19 pandemic, which I have to say makes them particularly venal and dangerous at this time.”

The latest advice has been published a couple of weeks after the NCSC warned against a surge in online coronavirus scams. This chimes with data from other organisations including Google, which has warned of a spike in phishing emails.

In the intervening weeks, cyber security researchers have identified malicious campaigns targeting healthcare organisations, pharmaceutical companies, research organisations, as well as various different arms of local government.

Motives may vary, from fraud to espionage, although they largely tend to be designed to steal bulk personal data, intellectual property, and wider information that supports those aims. These groups are also connected with state actors, although the government declined to name the countries responsible.

This “predatory criminal behaviour” is expected to continue and evolve over the coming weeks and months, Raab added, so the government has reiterated the best practice advice from the NCSC to counter the threat and support businesses.

Beyond advice, the government says it’s seeking to “counter those who conduct cyber attacks”, working in collaboration with international patterns to deter the cyber gangs and the nations backing them.

The government is also working with the targets of these attacks, as well as potential targets, and others, to ensure these organisations aware of the cyber threat and fully prepared to stave off any attempts at intrusion.

There are several mitigating steps that organisations can take to secure themselves against potential compromise, including updating any virtual private networks (VPNs), network infrastructure devices, and devices being used to remote into work environments with patches. Using multi-factor authentication (MFA) is also a critical step that users can take to ensure their accounts benefit from an added layer of security.

Businesses have also been advised to protect the management interfaces of critical operating systems, using a browse-down architecture to prevent attackers from easily gaining privileged access to vital assets.

Various other steps that organisations can take include setting up a security monitoring capability, reviewing incident management processes, as well as using modern systems and software if not already in place.