State backed hackers targeting COVID-19 responders


Government-backed hackers are attacking healthcare and research institutions to steal information on efforts to contain the coronavirus outbreak, Britain and the United States said in a joint warning.

In a statement, Britain’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Security Agency (CISA) said hackers targeted pharmaceutical companies, research organisations and local governments.

The NCSC and CISA did not say which countries were behind the attacks. A US official and a UK official said the warning was a response to intrusion attempts by suspected Chinese and Iranian hackers, as well Russian-linked activity.

The officials spoke on condition of anonymity to discuss non-public details of the alert. Tehran, Beijing and Moscow repeatedly deny conducting offensive cyber operations and say they are also victims of attacks.

State hacking groups “frequently target organisations to collect bulk personal information, intellectual property and intelligence that aligns with national priorities,” the NCSC and CISA said.

“For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research.”

The warning follows efforts by state-backed hackers to compromise governments, businesses and health agencies in search of information about the new disease and attempts to combat it.

Reuters reported in recent weeks Vietnam-linked hackers targeted the Chinese government over its handling of the coronavirus outbreak and multiple groups, some with ties to Iran, attempted to access the World Health Organisation.

The officials said the alert was not triggered by any specific incident or compromise, but was a warning – both to attackers and targeted organisations to better defend themselves.

“These are organisation that wouldn’t normally see themselves as nation state targets and they need to understand now they are,” said one official.

The agencies said hackers were trying to identify and exploit security weaknesses caused by staff now working from home.

In other incidents, attackers repeatedly tried to compromise accounts with common and frequently-used passwords – a technique known as “password spraying”.

“It’s no surprise bad actors are doing bad things right now, in particular targeting organisations supporting COVID-19 response efforts,” a CISA spokesman said.

“We’re seeing a variety of tried and true techniques to gain access and compromise credentials.”