• UK and American cyber security experts issue joint warning
• Groups of hackers targeting healthcare organisations during covid-19
• NHS staff urged to improve passwords to IT systems

Healthcare organisations have been attacked by cyber criminals seeking to exploit the covid-19 pandemic, according to hacking experts in the UK and USA.

Both countries’ governments have issued fresh guidance after seeing “large-scale” attacks against national and international health bodies.

National cyber security chiefs have refused to say if central NHS bodies, or individual trusts, have been victims of cyber attacks during the pandemic.

Hackers have also targeted local government, pharmaceutical and research companies. They are seeking personal information, intellectual property and “intelligence that aligns with national priorities”.

The warning, from the National Cyber Security Centre and the American Cybersecurity and Infrastructure Security Agency, comes a week after HSJ revealed Matt Hancock had given NCSC – which is part of Government Communications Headquarters – extra powers to obtain information from NHS IT systems.

Last month NHS Digital chief executive Sarah Wilkinson also warned the NHS to expect cyber attacks themed on covid-19.

The NCSC said many of the attacks have been in the form of “password-spraying”, which is an attempt to access many accounts by guessing commonly used passwords.

According to the NCSC, staff working in healthcare organisations – such as the NHS – should change any passwords that could be “reasonably guessed” to one created with three random words.

Two-factor authentication should also be implemented to reduce the threat of hackers successfully gaining entry to systems.

NHS IT systems vary in age and quality, with many lacking two-factor authentication.

The health service’s old IT was cited as a key factor in the hackers’ success with their WannaCry attack in 2017, which had a damaging impact on several trusts.

Paul Chichester, the NCSC’s director of operations, said the organisation was “working closely” with the NHS to keep systems safe.

“By prioritising any requests for support from health organisations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it.

“But we can’t do this alone, and we recommend healthcare policymakers and researchers take our actionable steps to defend themselves from password spraying campaigns.”

A spokesman for the NCSC said he could not comment on whether the NHS – or individual trusts – had been attacked due to “operational reasons”.

What is password spraying?

Password spraying is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on.

This technique allows the actor to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.

Malicious cyber actors collate names from various online sources that provide organisational details and use this information to identify possible accounts for targeted institutions.

The actor will then “spray” the identified accounts with lists of commonly used passwords. Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused.

Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.
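The explainer above notes that spraying stays under per-account lockout thresholds, so the signal defenders look for is one source failing against many distinct accounts with few tries each, followed by a success. The following is an added example, not code from HSJ or the NCSC; the log format, field names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log: invented for this example, not NHS or NCSC data.
SAMPLE_LOG = """\
2020-05-05T09:00:01 FAIL src=203.0.113.7 user=a.smith
2020-05-05T09:00:02 FAIL src=203.0.113.7 user=b.jones
2020-05-05T09:00:03 FAIL src=203.0.113.7 user=c.patel
2020-05-05T09:00:04 FAIL src=203.0.113.7 user=d.khan
2020-05-05T09:00:05 OK   src=203.0.113.7 user=e.brown
2020-05-05T09:01:10 FAIL src=198.51.100.2 user=g.wilson
2020-05-05T09:01:11 FAIL src=198.51.100.2 user=g.wilson
2020-05-05T09:01:12 OK   src=198.51.100.2 user=g.wilson
"""
LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+src=(\S+) user=(\S+)$")

def parse(log_text):
    """Parse lines into (timestamp, result, src, user); skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, src, user = m.groups()
            events.append((datetime.fromisoformat(ts), result, src, user))
    return events

def detect_spray(events, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources that fail against >= min_users accounts in one window while
    no account gets more than max_per_user tries (i.e. under a lockout threshold)."""
    fails = defaultdict(list)
    for ts, result, src, user in events:
        if result == "FAIL":
            fails[src].append((ts, user))
    alerts = {}
    for src, items in fails.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:  # slide window start
                start += 1
            per_user = defaultdict(int)
            for _, user in items[start:end + 1]:
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                alerts[src] = sorted(per_user)
    return alerts

def successes_from_flagged(events, alerts):
    """Successful logins from a flagged source: accounts to treat as compromised."""
    return [(s, u) for _, r, s, u in events if r == "OK" and s in alerts]
```

The second source (three attempts on one account) is ordinary brute forcing and is not flagged; tune `min_users` and `max_per_user` to the lockout policy of the system whose logs you feed in.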