Cyber attacks rise against UK medical researchers

Author: EIS
Release Date: May 29, 2020


The UK’s National Cyber Security Centre (NCSC) is warning of large-scale COVID-19-related ‘password spraying’ campaigns against healthcare bodies and medical research organisations, by commercial and state data thieves – known as ‘advanced persistent threat’ (APT) groups – seeking bulk personal information, intellectual property and intelligence that aligns with national priorities.

Password spraying is the attempt to access a large number of accounts using commonly known passwords – NCSC earlier published a list of the most commonly hacked passwords.
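For defenders, the pattern described above looks different in sign-in logs from a brute-force attack on one account: a single source fails against many accounts, with only one or two tries each. The following is an added detection sketch, not code from the NCSC/CISA advisory; the event format, sample data, function name and thresholds are all assumptions for illustration.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sign-in events: (time, source IP, account, result).
# IPs are documentation ranges and account names are made up.
EVENTS = [
    ("2020-05-29T09:00:05", "203.0.113.7", "a.khan", "FAIL"),
    ("2020-05-29T09:00:41", "203.0.113.7", "b.jones", "FAIL"),
    ("2020-05-29T09:01:13", "203.0.113.7", "c.patel", "FAIL"),
    ("2020-05-29T09:01:52", "203.0.113.7", "d.evans", "FAIL"),
    ("2020-05-29T09:02:30", "203.0.113.7", "e.moore", "OK"),
    ("2020-05-29T09:03:02", "203.0.113.7", "f.singh", "FAIL"),
    ("2020-05-29T09:03:40", "203.0.113.7", "g.wood", "FAIL"),
    ("2020-05-29T09:30:00", "192.0.2.15", "h.lee", "FAIL"),  # ordinary typo
    ("2020-05-29T09:30:20", "192.0.2.15", "h.lee", "OK"),
] + [  # brute force on one account: many tries, but not a spray
    (f"2020-05-29T10:00:{s:02d}", "198.51.100.9", "a.khan", "FAIL")
    for s in range(0, 40, 5)
]

def find_sprays(events, window=timedelta(minutes=30),
                min_accounts=5, max_per_account=2):
    """Flag sources that fail against many accounts, few tries per account."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((datetime.fromisoformat(ts), user))
        else:
            oks[src].add(user)
    report = {}
    for src, rows in fails.items():
        rows.sort()
        start, targeted = 0, set()
        for end in range(len(rows)):
            # Slide the window so it spans at most `window` of time.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            per_account = Counter(u for _, u in rows[start:end + 1])
            if (len(per_account) >= min_accounts
                    and max(per_account.values()) <= max_per_account):
                targeted.update(per_account)
        if targeted:
            # Any success from a spraying source is an account to reset first.
            report[src] = {"targeted": sorted(targeted),
                           "succeeded": sorted(oks[src])}
    return report
```

Accounts listed under `succeeded` are the ones to treat as compromised; the thresholds need tuning against an organisation's normal sign-in traffic, for example shared egress addresses.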

National and international healthcare bodies, pharmaceutical companies, research organisations and local government are the focus of these attacks, which have been detected by NCSC in co-operation with the US Cybersecurity and Infrastructure Security Agency (CISA).

The problem is such that NCSC and CISA have jointly issued an advisory document for workers within healthcare and essential services.

“Protecting the healthcare sector is the NCSC’s first and foremost priority at this time,” said NCSC director of operations Paul Chichester. “By prioritising any requests for support from health organisations and remaining in contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it. But we can’t do this alone, and we recommend healthcare policy makers and researchers take our actionable steps to defend themselves from password spraying campaigns.”

Amongst the advice is to read CISA security tip ST04-002 before choosing a password.

Last month, the NCSC created the Suspicious Email Reporting Service after seeing an increase in coronavirus-related email scams. In its first week, the service received more than 25,000 reports – resulting in 395 phishing sites being taken down.

An earlier joint NCSC/CISA advisory (08 April 2020) detailed the exploitation of the COVID-19 pandemic by cyber criminals and APT groups. The new joint NCSC/CISA advisory provides an update on ongoing malicious cyber activity relating to coronavirus.