The UK National Cyber Security Centre say they are seeing large-scale campaigns targeting healthcare bodies and medical research organisations as they continue to fight against the global threat of COVID-19.

According to the NCSC and its US counterpart, the Cybersecurity and Infrastructure Security Agency (CISA), the NHS and other healthcare businesses are suffering significant increases in inbound cyber attacks - more specifically, they are being targeted by advanced persistent threat (APT) groups conducting large-scale password-spraying attacks.

The objective of these rising campaigns, as revealed in a joint advisory notice issued by NCSC, is to steal personal information, sensitive patient data, and "intelligence that aligns with national priorities".

To offer some more detail on how these attacks work; password-spraying campaigns are a type of brute-force cyber attack that aim to gain access to target systems and accounts by attempting to log in using some of the most commonly used passwords, such as 'qwerty' or '123456'. These campaigns of course rely heavily on luck as well as poor security awareness on the account owner's part, but once the attacker has successfully gained access to just one single account it can then be used to move laterally across the hacked organisation's network, stealing confidential data and attacking other users internally.


Other Examples of Healthcare Attacks

When it comes to targeting the healthcare sector, attackers are leveraging more than just password-spraying tactics. As recently reported by the BBC, two companies involved in building emergency COVID-19 hospitals have been hit by more advanced attacks just this month.

Interserve, which assisted in building Birmingham's NHS Nightingale hospital, is currently recovering from a targeted attack that took place last weekend that may have seen the details of up to 100,000 users stolen. Hackers infiltrated Interserve's infrastructure on the 9th of May and gained access to a human resources database which contained information on both current and former employees according to a company insider. The stolen data included employee names, addresses, bank details, payroll information and more.

In a separate incident Bam Construct, who were involved with the construction of the NHS Nightingale hospital in Harrogate, experienced a cyber-attack that forced the business to shut down some of its computer systems. Limited information has been released in regards to the nature and impact of the attack other than an insider stating that the company was 'hit by a computer virus', but public statements from Bam Construct have confirmed that they "have reported the attack to the authorities and, as everyone would after such an event, are taking the opportunity to learn from it to make any necessary changes to our systems for the future."


Taking Steps to Improve Defences

With the majority of targeted campaigns taking advantage of poor account access security, weak email protections and user error, there are a handful of best practices that healthcare organisations - and all businesses for that matter - should look to implement immediately to significantly improve their overall defences against criminal interference.

  • Multi-Factor Authentication
    This authentication method ensures a user can only gain access to an account or system after successfully presenting two or more pieces of evidence of their authorisation - for example, entering a password upon login, and then relaying a confirmation code send to the corresponding phone number. 
    This is one of the most reliable yet simple methods for preventing account takeover through brute-force means.

  • Security Awareness Training
    As so many targeted attacks rely on user error, whether that be the use of predictable passwords or interacting with suspicious email content, it is vital that businesses look to transform their vulnerable employees into a human firewall of protection through the use of continuous and relevant security awareness training.

    Barracuda Phishline uses advanced, automated education technology that includes simulation-based training, continuous testing, powerful reporting for administrators, and active incident response awareness.

  • AI-Powered Inbox Defence
    Most advanced email-based attacks like spear phishing can easily evade traditional gateway defences due to their reliance on social engineering tactics as opposed to easily-detectable malicious payloads. However, by implementing email protections that make use of artificial intelligence and machine learning, businesses can detect abnormalities in behavioural patterns such as suspicious email intentions. 

    Barracuda Sentinel integrates directly with Microsoft 365 APIs to detect attacks coming from both internal and external sources, leveraging AI to detect signs of malicious intent and deception to combat advanced threats like account takeover with virtually no IT administration required.