APT Groups Target Healthcare and Essential Services
I. Targeted Industries
- Health Care
- Pharmaceutical Companies
- Research Organizations
- Higher Education
The Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) have identified advanced persistent threat (APT) groups exploiting the COVID-19 pandemic. CISA and NCSC indicate that the organizations being targeted include healthcare entities, pharmaceutical companies, academia, medical research organizations, and local governments. Several investigations into threat actors targeting pharmaceutical companies, medical research organizations, and universities are under way.
III. Background Information
Organizations such as pharmaceutical companies and medical research facilities are viewed as vulnerable because of their global reach and international supply chains. These affiliations increase their exposure to malicious activity. Threat actors view the supply chain as a channel that can be exploited to reach higher-value organizations. The supply chain has also been affected by the shift towards remote work and the vulnerabilities that shift has introduced.
Recent activity from APT actors includes scanning the external websites of targeted companies and searching for vulnerabilities in unpatched software. Threat actors are exploiting the Citrix vulnerability CVE-2019-19781, and are also targeting Virtual Private Network (VPN) appliances from vendors such as Palo Alto Networks, Pulse Secure, and Fortinet. APT groups perform these scans in the hope that the relevant patches have not been applied.
APT groups have also been conducting password spraying attacks. Password spraying is a form of brute force attack in which a single commonly used password is tried against many accounts before a second password is attempted; because each account sees only one or two failures, the activity often stays below lockout thresholds. Once a malicious actor has compromised an account, they can reuse the same credentials to compromise other accounts. Eventually, threat actors can move laterally throughout the network once they have gained access to a system.
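The pattern described above (many accounts, one or two attempts each, from one source) is what distinguishes spraying from a classic single-account brute force, and that distinction is what a detection should key on. The following is an added example, not code from the advisory: it parses a constructed, hypothetical authentication log format (one `timestamp login user=... src=... result=...` line per attempt), slides a time window over each source address, and raises an alert when one source fails against at least `min_accounts` distinct accounts with no more than `max_per_account` failures each. Any account that authenticated successfully from the same source inside the window is reported as possibly compromised, since the advisory notes that a compromised credential is then reused elsewhere.

```python
"""Password-spraying detector over authentication logs.

Added example, not part of the advisory. The log format below is
constructed for illustration; adapt parse_line() to your own source.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.7 sprays five accounts once each and
# succeeds on a sixth; 198.51.100.4 hammers one account (not spraying).
SAMPLE_LOG = """\
2020-05-05T08:00:01Z login user=alice src=203.0.113.7 result=FAIL
2020-05-05T08:00:03Z login user=bob src=203.0.113.7 result=FAIL
2020-05-05T08:00:05Z login user=carol src=203.0.113.7 result=FAIL
2020-05-05T08:00:07Z login user=dave src=203.0.113.7 result=FAIL
2020-05-05T08:00:09Z login user=erin src=203.0.113.7 result=FAIL
2020-05-05T08:00:11Z login user=frank src=203.0.113.7 result=SUCCESS
2020-05-05T08:01:00Z login user=alice src=198.51.100.4 result=FAIL
2020-05-05T08:01:02Z login user=alice src=198.51.100.4 result=FAIL
2020-05-05T08:01:04Z login user=alice src=198.51.100.4 result=FAIL
2020-05-05T08:01:06Z login user=alice src=198.51.100.4 result=FAIL
2020-05-05T08:01:08Z login user=alice src=198.51.100.4 result=FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, user, src, result)."""
    ts_str, _, rest = line.split(" ", 2)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["user"], fields["src"], fields["result"]


def detect_spraying(log_text, window=timedelta(minutes=10),
                    min_accounts=5, max_per_account=2):
    """Return one alert per source address that shows a spraying pattern.

    A spray is flagged when, inside `window`, a single source fails against
    at least `min_accounts` distinct users with at most `max_per_account`
    failures per user. Many failures against ONE user is brute force, not
    spraying, and is deliberately left to a separate rule.
    """
    events = sorted(parse_line(l) for l in log_text.splitlines() if l.strip())
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        by_src[src].append((ts, user, result))

    alerts = []
    for src, evs in by_src.items():
        for i, (start, _, _) in enumerate(evs):      # window starts at each event
            fails = defaultdict(int)
            successes = set()
            for ts, user, result in evs[i:]:
                if ts - start > window:
                    break
                if result == "FAIL":
                    fails[user] += 1
                else:
                    successes.add(user)
            spread_thin = all(n <= max_per_account for n in fails.values())
            if len(fails) >= min_accounts and spread_thin:
                alerts.append({
                    "src": src,
                    "window_start": start.isoformat(),
                    "accounts": sorted(fails),
                    "compromised": sorted(successes),
                })
                break                                # one alert per source
    return alerts


if __name__ == "__main__":
    for alert in detect_spraying(SAMPLE_LOG):
        print(alert)
```

Running the block on the constructed log yields exactly one alert, for `203.0.113.7`, listing the five sprayed accounts and `frank` as the account that succeeded; the single-account failures from `198.51.100.4` produce no spraying alert. The thresholds are assumptions: tune `min_accounts` and `window` to the size of your directory and the lockout policy the advisory asks you to review.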
- Enable multi-factor authentication
Multi-factor authentication can help prevent threat actors from gaining access to sensitive information.
- Security Updates for VPN and Firewalls
Ensure that the VPN is running a current release and is configured securely. Vendor patches and the latest security updates should be installed promptly.
- Recommended Links:
- User Awareness Training
Avoid suspicious emails, links, websites, attachments, etc. Users should be educated about new types of attacks and schemes to mitigate risk.
- Recommended link: https://www.us-cert.gov/ncas/tips/ST04-014
- Review Password Policies and Management
Ensure password policies align with the National Institute of Standards and Technology (NIST) guidelines, and review IT help desk password management related to initial passwords, password resets for user lockouts, and shared accounts.
- Recommended Link: https://www.us-cert.gov/ncas/alerts/TA18-086A
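The password-policy item above asks for alignment with NIST guidance. NIST SP 800-63B calls for a length floor, a blocklist of breached and commonly used values, rejection of context-specific words and of repetitive or sequential characters, and no forced composition rules. The following is an added example, not code from the advisory or from NIST: a checker that applies those rules, suitable for a help-desk reset tool or a self-service portal. The `BLOCKLIST` set is a constructed stand-in for a real breached-password corpus, and the `org_words` parameter is an assumed hook for an organization's own name or product terms.

```python
"""NIST SP 800-63B-style memorized-secret check.

Added example, not from the advisory. BLOCKLIST is a constructed stand-in;
in production load a breached-password corpus instead.
"""

BLOCKLIST = {"password", "welcome1", "summer2020", "letmein", "qwerty123"}  # constructed


def _is_repetitive(s, run=4):
    """True if any character repeats `run` or more times in a row (e.g. 'aaaa')."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if a == b else 1
        if count >= run:
            return True
    return False


def _is_sequential(s, run=4):
    """True if `run` or more consecutive characters ascend by one (e.g. 'abcd', '1234')."""
    count = 1
    for a, b in zip(s, s[1:]):
        count = count + 1 if ord(b) - ord(a) == 1 else 1
        if count >= run:
            return True
    return False


def check_password(candidate, username="", org_words=(), min_len=8, max_len=64):
    """Return the list of reasons a password is rejected; an empty list means accepted.

    Rules follow SP 800-63B section 5.1.1.2: length floor and ceiling, a
    blocklist of known-bad values, no username or organizational words, and
    no repetitive or sequential runs. No composition rules (upper/lower/
    digit/symbol) are enforced, in line with the guideline.
    """
    reasons = []
    if len(candidate) < min_len:
        reasons.append("too short")
    if len(candidate) > max_len:
        reasons.append("too long")
    lowered = candidate.lower()
    if lowered in BLOCKLIST:
        reasons.append("in blocklist")
    if username and username.lower() in lowered:
        reasons.append("contains username")
    for word in org_words:
        if word.lower() in lowered:
            reasons.append(f"contains context word {word!r}")
    if _is_repetitive(lowered):
        reasons.append("repetitive characters")
    if _is_sequential(lowered):
        reasons.append("sequential characters")
    return reasons


if __name__ == "__main__":
    for pw in ("Summer2020", "jdoe-rocks", "abcd1234", "correct horse battery staple"):
        print(repr(pw), "->", check_password(pw, username="jdoe") or "accepted")
```

Note that a value like `Summer2020` passes every composition rule a legacy policy would impose and still fails here, because it is a seasonal pattern that spraying campaigns favour; that is the point of the blocklist. The same `check_password` call can be reused when the help desk issues initial passwords or resets locked accounts, which the advisory singles out for review.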
IV. Indicators of Compromise (IOCs)
The link below has been included to assist with the download of the IOCs identified in relation to this Threat Advisory Report. Be on the lookout for these IOCs, as well as anything that looks similar.