APT groups targeting Australian health sector

By Dylan Bushell-Embling
Tuesday, 12 May, 2020


The Australian Cyber Security Centre has warned Australia’s health sector that advanced persistent threat (APT) groups linked to foreign nation states are actively targeting healthcare organisations and medical research facilities during the COVID-19 crisis.

“As the outbreak of the virus continues to impact the health sectors of countries worldwide, APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally,” the centre warned in a threat advisory.

“Accordingly, Australia’s health or research sectors could be at greater threat of being targeted, and potentially compromised, by malicious APT groups.”

APT groups are commonly associated with nation states, and typically seek to “compromise networks to obtain economic, policy, legal, or defence and security information for their strategic advantage,” the ACSC said in the advisory.

While some groups use combinations of high-end hacking tools and advanced technologies, others rely on rudimentary methods such as phishing.

As well as seeking research and IP from work on COVID-19 vaccines or treatments, APT groups may exploit the public appetite for COVID-19 related information by crafting COVID-19 themed spear-phishing emails.

APT and cybercrime groups have been found compromising the email servers of Australian health sector entities and then using them to distribute such COVID-19 phishing emails.

The ACSC has also received reports of senior officials in health and emergency services organisations receiving targeted spear-phishing emails.

“Sophisticated actors have also been seen undertaking brute force attacks using a trial-and-error method to guess login credentials, and password spray attacks that attempt to access numerous accounts with a list of commonly-used passwords,” the report states.

“Attacks such as these often result in the theft of sensitive data, and underscore the importance of a strong cyber security culture amongst employees. This includes adopting multi-factor authentication, strong password policies, and regular reviews of network logs for signs of malicious activity.”
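As an added illustration, not part of the article or the ACSC advisory, the following Python script applies the log-review recommendation above to constructed failed-logon records and separates the two patterns the advisory describes: brute force (many failures against one account from one source) and password spraying (one source trying many distinct accounts a few times each). The log format, IP addresses and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample of failed-logon records (not real data): a simplified
# syslog-style line carrying the source IP and the account name that was tried.
SPRAY_SRC = "203.0.113.10"     # one source, many accounts, one attempt each
BRUTE_SRC = "198.51.100.7"     # one source, one account, many attempts
SAMPLE_LOG = "\n".join(
    [f"2020-05-12T09:{i:02d}:00 rdp-gw auth fail src={SPRAY_SRC} user=staff{i:02d}"
     for i in range(12)]
    + [f"2020-05-12T09:{i:02d}:30 rdp-gw auth fail src={BRUTE_SRC} user=admin"
       for i in range(15)]
    + ["2020-05-12T09:30:00 rdp-gw auth fail src=192.0.2.5 user=carol",
       "2020-05-12T09:30:05 rdp-gw auth fail src=192.0.2.5 user=carol"]  # benign typo
)

LINE_RE = re.compile(r"^(\S+) \S+ auth fail src=(\S+) user=(\S+)$")

def parse_failures(text):
    """Return (timestamp, source, account) for every failed-logon line."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append(m.groups())
    return out

def classify(failures, brute_threshold=10, spray_accounts=8):
    """Flag brute force (>= brute_threshold failures on one (source, account)
    pair) and password spraying (one source failing against >= spray_accounts
    distinct accounts). Thresholds are assumed values; tune them to the site."""
    per_pair = defaultdict(int)          # (src, user) -> failure count
    accounts_per_src = defaultdict(set)  # src -> distinct accounts tried
    for _ts, src, user in failures:
        per_pair[(src, user)] += 1
        accounts_per_src[src].add(user)
    brute = {pair: n for pair, n in per_pair.items() if n >= brute_threshold}
    spray = {src: len(users) for src, users in accounts_per_src.items()
             if len(users) >= spray_accounts}
    return {"brute_force": brute, "password_spray": spray}

if __name__ == "__main__":
    print(classify(parse_failures(SAMPLE_LOG)))
```

The spraying source never trips a per-account threshold, which is why counting distinct accounts per source, not failures per account, is what surfaces it.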

A particular concern raised in the advisory is the use of compromised Remote Desktop Protocol (RDP) credentials, since RDP is widely used in the health sector to access centralised patient databases and other shared information repositories.

The ACSC is urging health sector companies to implement the Australian Signals Directorate’s Essential Eight threat mitigation strategies, with a focus on enabling multi-factor authentication, blocking unapproved macros and implementing regular patching as well as data backups.

Other recommended actions include implementing email contact scanning, conducting staff awareness campaigns, developing or updating incident response plans and implementing network segmentation and segregation practices.
