Skip to main content

Advanced Persistent Threat (APT) actors targeting Australian health sector organisations and COVID-19 essential services

The Australian Signals Directorate’s (ASD) Australian Cyber Security Centre (ACSC) is aware that Advanced Persistent Threat (APT) actors are actively targeting health sector organisations and medical research facilities.

Alert status
HIGH

Overview

As the outbreak of the virus continues to impact the health sectors of countries worldwide, APT groups may be seeking information and intellectual property relating to vaccine development, treatments, research and responses to the outbreak as this information is now of higher value and priority globally. Accordingly, Australia’s health or research sectors could be at greater threat of being targeted, and potentially compromised, by malicious APT groups.

Due to the increased pressure placed on the health sector to respond to the COVID-19 pandemic, it is critical that health sector organisations ensure that their networks are protected from malicious cyber actors who may seek to disrupt essential services or compromise business-critical systems.

Sophisticated actors will often use the most efficient means available to target a victim’s network and, in the current climate, APT groups may seek to maximise on the public desire for COVID-19 related information by generating specific COVID-19 themed spear-phishing emails to attempt to compromise victims.

Adversaries and cybercrime actors have been identified as responsible for compromising email servers of health sector entities in Australia, which are then used to distribute COVID-19 phishing emails in an attempt to deploy malicious software, including ransomware, or to gain access to other targeted organisations.

Malicious actors view health sector entities as a lucrative target for ransomware attacks. This is because of the sensitive personal and medical data they hold, and how critical this data is to maintaining operations and patient care. A significant ransomware attack against a hospital network would have major impact.

Sophisticated actors have also been seen undertaking brute force attacks using a trial-and-error method to guess login credentials, and password spray attacks that attempt to access numerous accounts with a list of commonly-used passwords. Attacks such as these often result in the theft of sensitive data, and underscore the importance of a strong cyber security culture amongst employees. This includes adopting multi-factor authentication, strong password policies, and regular reviews of network logs for signs of malicious activity.

The exploitation of compromised Remote Desktop Protocol (RDP) credentials by malicious actors is also a significant concern, particularly as RDP is widely used by medical clinics and doctors’ surgeries to access centralised patient databases and other shared information repositories. Compromised RDP credentials can enable unauthorised access to networks in a manner that enables the malicious actor’s digital footprint and identification to be obscured.

Organisations should implement the recommendations in this advisory in order to mitigate the threat of this malicious activity and harden their network against unauthorised access. The ACSC also recommends that organisations consider the recent joint advice provided by the NCSC-UK and CISA-US:

Threat from APTs

Advanced Persistent Threat (APT) actors is the term given to the most sophisticated and well-resourced type of malicious cyber adversary. Commonly associated with nation states, APTs will seek to compromise networks to obtain economic, policy, legal, or defence and security information for their strategic advantage. APT actors may also seek to achieve disruptive or destructive effects against their targets.

These actors use a range of different tradecraft, making it very difficult to identify patterns. Even the most sophisticated adversaries are not above using relatively simple or basic techniques to achieve their goal. While some APTs use combinations of high-end hacking tools, others will adopt fairly rudimentary methods such as phishing. In all cases, their actions are very deliberate and they carefully tailor their cyber attack to optimise the chances of success and minimise the chances of detection.

APTs are also very patient adversaries, known to undertake detailed reconnaissance of high-value networks over months and sometimes years. They will also track representatives that work in the organisation they are targeting – in an effort to find the weakest link or point of vulnerability they can exploit. Even seemingly basic information such as contact details and employment history on an organisation’s website or an employees’ social media profile can provide useful leads for APTs to target.

APT actors pose the most significant threat to Australia’s national security and economic prosperity.

Threat from cybercriminals

Cybercrime actors are opportunistic and capitalise on natural disasters or significant events to generate profit. They seek to prey on vulnerable people, consumers and organisations, using fear and urgency tactics to distribute malware or steal personal and financial information. Cybercriminals regularly attempt to trick victims into revealing sensitive information, such as user accounts to corporate systems or personal identifying information. Since the onset of the COVID-19 pandemic, the ACSC has identified a range of different email and SMS phishing campaigns being perpetrated by cybercrime actors. For more information refer to the ACSC’s Threat Updates on COVID-19 themed malicious cyber activity:

The ACSC has also received reports of senior officials in health and emergency services organisations receiving targeted spear-phishing emails. These were carefully crafted COVID-19 related emails designed to trick the recipient into clicking a link that downloaded malicious software onto their organisations’ corporate network.

A particular threat to the health sector is transnational cybercrime syndicates and their affiliates, who develop, share, sell and use sophisticated tools and techniques. There is a booming underground marketplace offering cybercrime-as-a-service, or access to high-end hacking tools that were once only available to nation states. Consequently, the lines between state-sponsored actors and cyber criminals are becoming increasingly blurred and the bar for entry is lower than ever. Malicious actors with minimal technical expertise can now purchase illicit tools and services to generate alternative income streams, launder the proceeds of traditional crimes or undertake network intrusions on behalf of more sophisticated adversities.

Organisations in the health and other critical sectors involved in COVID-19 response activities must remain vigilant against the threat posed by APT and cybercrime actors by ensuring appropriate cyber security protections are in place.