Advisory 2020-009: Recommendations to mitigate APT actors targeting health sector and COVID-19 essential services

The ACSC recommends that organisations in the health sector implement the following cyber security mitigations:

Implement Essential Eight security controls

The ACSC strongly recommends implementing the ASD Essential Eight mitigations, which address most of the methodologies APT actors use to compromise computer networks.

Specifically, to combat the threat of this recent spate of malicious activity, health sector organisations should implement the following mitigations.

Enabling multi-factor authentication

Multi-factor authentication (MFA) is one of the most effective controls an organisation can implement to prevent an adversary from gaining unauthorised access to a device or network and then compromising sensitive information. When implemented correctly, MFA can make it significantly more difficult for an adversary to steal legitimate credentials to facilitate further malicious activities on a network.

Using MFA provides a secure authentication mechanism that is far less susceptible to brute force attacks.

Block macros

Where possible, the ACSC recommends blocking macros from the internet, and only allowing the execution of vetted and approved macros.

In many cases, initial infection of a network occurs via an embedded macro in a Microsoft Office document. Disabling all unknown macros can significantly reduce the network’s risk surface.

Implementing regular patching of systems and applications

Software patches are released by device and software manufacturers to fix flaws in previous versions, including cyber security vulnerabilities. Malicious actors are constantly looking for vulnerabilities in devices and software versions that can be exploited. Once a vulnerability is in the public domain, malicious actors will begin exploiting it within a matter of days or weeks. Timely application of vendor-supplied security patches is one of the most important steps an organisation can take to protect computer systems from cybercriminals and other malicious actors.

For more information on patching, please visit:

Making regular back-ups of critical systems and databases

Due to the large amounts of patient and other sensitive data they hold, health sector entities are very attractive targets for malicious adversaries to hit with a ransomware attack. Regularly backing up computers, databases and IoT devices, and choosing automatic back-ups where possible, will ensure quick and easy restoration of critical systems and services. Keep back-ups separate from corporate computers, on separate devices or in a secure cloud service.

Implement additional security controls

The ACSC publishes a comprehensive list of Strategies to Mitigate Cyber Security Incidents.

Health sector organisations should also consider implementing the following specific mitigations.

Alert and educate staff

Consider sending out an organisation-wide alert to raise awareness of the dangers associated with opening attachments on unusual emails. Consider implementing an education program to improve staff awareness of cyber security and of how to spot suspicious emails. For more details on how to implement a successful staff awareness program, see ACSC’s Improving Staff Awareness publication.

Email content scanning

Phishing emails have been used to spread malware across a network, with the initial intrusion linked to an email containing a malicious attachment. Email content filters and dynamic email analysis sandboxing capabilities could be put in place to prevent malicious content from reaching users and reduce the likelihood of compromise. To complement this, antivirus software using heuristics and reputation ratings should also be installed to identify and prevent malicious attachments that do make it to end users.
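As an added example (not part of the ACSC advisory), the following Python gateway check implements the "Block macros" and "Email content scanning" recommendations above together: it inspects an Office attachment for an embedded VBA project and quarantines it unless its SHA-256 is on an allow-list of vetted documents, while legacy OLE2 files, which need an OLE parser to inspect, are routed to sandbox analysis. The sample documents and the allow-list are constructed for the demonstration.

```python
import hashlib
import io
import zipfile

OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"          # legacy .doc/.xls/.ppt header
VBA_CONTENT_TYPE = "application/vnd.ms-office.vbaProject"  # OOXML macro part type


def contains_vba_project(data: bytes) -> bool:
    """True if an OOXML (zip) container ships or declares a VBA project part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            if any(n.lower().endswith("vbaproject.bin") for n in names):
                return True
            if "[Content_Types].xml" in names:
                types = zf.read("[Content_Types].xml").decode("utf-8", "replace")
                return VBA_CONTENT_TYPE in types
    except zipfile.BadZipFile:
        pass  # not a zip container, so not an OOXML document
    return False


def classify_attachment(data: bytes, approved_sha256: frozenset = frozenset()) -> str:
    """Return 'allow', 'quarantine' or 'sandbox'. Exact SHA-256 matches are the
    'vetted and approved macros' exception; legacy OLE2 files go to the sandbox."""
    if hashlib.sha256(data).hexdigest() in approved_sha256:
        return "allow"
    if data.startswith(OLE2_MAGIC):
        return "sandbox"
    if contains_vba_project(data):
        return "quarantine"
    return "allow"


def build_sample_ooxml(with_macro: bool) -> bytes:
    """Constructed minimal .docx/.docm container for demonstration only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
        decl = ""
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00" * 16)  # stand-in for the VBA blob
            decl = f'<Default Extension="bin" ContentType="{VBA_CONTENT_TYPE}"/>'
        zf.writestr("[Content_Types].xml",
                    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
                    f"{decl}</Types>")
    return buf.getvalue()


CLEAN_DOCX = build_sample_ooxml(with_macro=False)
MACRO_DOCM = build_sample_ooxml(with_macro=True)
LEGACY_DOC = OLE2_MAGIC + b"\x00" * 504                      # constructed OLE2 header stub
VETTED = frozenset({hashlib.sha256(MACRO_DOCM).hexdigest()})  # the one approved macro document
```

Calling `classify_attachment(MACRO_DOCM)` returns "quarantine" and `classify_attachment(MACRO_DOCM, VETTED)` returns "allow", so the allow-list must be maintained per approved document version.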

Develop/update incident response plans

Organisations should ensure that they have an up-to-date Incident Response Plan (IRP) that includes procedures to respond to a ransomware infection. In most situations, the aim of the ransomware procedures will be to:

  • quickly identify affected systems
  • quarantine the affected systems and isolate business critical systems
  • identify and implement security controls to prevent the propagation of the ransomware to other systems, and
  • preserve evidence for future analysis and restoration from backup.

During the COVID-19 pandemic, systems that support an organisation's pandemic response and patient care functions should be considered business critical. The IRP should document a tested procedure for isolating these systems so that they can be quickly placed under protection if a ransomware outbreak occurs.

Implementing network segmentation and segregation

APT actors use techniques that allow them to move laterally within an organisation's network. Network segmentation involves partitioning a network into smaller networks, while network segregation involves developing and enforcing a ruleset for controlling the communications between specific hosts and services.

When implementing network segmentation and segregation, the aim is to restrict the level of access to sensitive information, hosts and services while ensuring an organisation can continue to operate effectively. Network segmentation and segregation measures must be carefully planned, robustly enforced, closely monitored and implemented in a manner that ensures the security controls cannot be bypassed.

Cyber incident reporting

If you have questions about this advice or have indications that your network has been compromised, contact the ACSC or call 1300 CYBER1 (1300 292 371).

Reporting cybercrime

The ACSC manages ReportCyber, an online portal for reporting cybercrime incidents. The portal is designed for individuals, businesses and large organisations to report a variety of computer-enabled crimes, such as online frauds, ransomware, identity theft, romance scams, online image abuse and business email compromise.

Once a cybercrime is reported, the matter is referred to law enforcement and national security agencies for assessment, investigation and resolution where possible. Reporting incidents helps the Australian Government better understand and develop strategies to disrupt and prevent online threats impacting Australia’s interests and the community.