State-backed hackers targeting coronavirus responders, U.S. and UK warn

By Jack Stubbs and Christopher Bing

LONDON/WASHINGTON (Reuters) – Government-backed hackers are attacking healthcare and research institutions in an effort to steal valuable information about efforts to contain the new coronavirus outbreak, Britain and the United States said on Tuesday in a joint warning.

In a statement, Britain’s National Cyber Security Centre (NCSC) and the U.S. Cybersecurity and Infrastructure Security Agency (CISA) said the hackers had targeted pharmaceutical companies, research organisations and local governments.

The NCSC and CISA did not say which countries were responsible for the attacks. But one U.S. official and one UK official said the warning was in response to intrusion attempts by suspected Chinese and Iranian hackers, as well as some Russian-linked activity.

The two officials spoke on condition of anonymity to discuss non-public details of the alert. Tehran, Beijing and Moscow have all repeatedly denied conducting offensive cyber operations and say they are the victims of such attacks themselves.

State hacking groups “frequently target organisations in order to collect bulk personal information, intellectual property and intelligence that aligns with national priorities,” the NCSC and CISA said.

“For example, actors may seek to obtain intelligence on national and international healthcare policy or acquire sensitive data on COVID-19 related research.”

The warning follows efforts by a host of state-backed hackers to compromise governments, businesses and health agencies in search of information about the new disease and attempts to combat it.

Reuters has reported in recent weeks that Vietnam-linked hackers targeted the Chinese government over its handling of the coronavirus outbreak and that multiple groups, some with ties to Iran, tried to break into the World Health Organization.

The officials said the alert was not triggered by any specific incident or compromise, but rather intended as a warning – both to the attackers and the targeted organizations that need to better defend themselves.

“These are organizations that wouldn’t normally see themselves as nation-state targets, and they need to understand that now they are,” said one of the officials.

The agencies said hackers had been seen trying to identify and exploit security weaknesses caused by staff working from home as a result of the coronavirus outbreak.

In other incidents, the attackers repeatedly tried to compromise accounts with a series of common and frequently-used passwords – a technique known as “password spraying”.

“It’s no surprise that bad actors are doing bad things right now, in particular targeting organizations supporting COVID-19 response efforts,” a CISA spokesman said.

“We’re seeing them use a variety of tried and true techniques to gain access to accounts and compromise credentials.”

(Writing by Jack Stubbs; Editing by Peter Graff; Editing by Alex Richardson and Peter Graff)