APT Groups Target Healthcare and Essential Services

This is a joint alert from the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC)

CISA and NCSC continue to see indications that advanced persistent threat Advanced Persistent Threats (APT) groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations.

This joint alert highlights ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. It describes some of the methods these actors are using to target organizations and provides mitigation advice.

The joint CISA-NCSC Alert: (AA20-099A) COVID-19 Exploited by Malicious Cyber Actors from April 8, 2020, previously detailed the exploitation of the COVID-19 pandemic by cybercriminals and APT groups.

This joint CISA-NCSC Alert provides an update to ongoing malicious cyber activity relating to COVID-19.

For a graphical summary of CISA’s joint COVID-19 Alerts with NCSC, see the following guide.

COVID-19-related targeting

APT actors are actively targeting organizations involved in both national and international COVID-19 responses. These organizations include healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments.

APT actors frequently target organizations in order to collect bulk personal information, intellectual property, and intelligence that align with national priorities.

The pandemic has likely raised additional interest for APT actors to gather information related to COVID-19. For example, actors may seek to obtain intelligence on national and international healthcare policy, or acquire sensitive data on COVID-19-related research.

Targeting of pharmaceutical and research organizations

CISA and NCSC are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organizations, and universities. APT groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit.

Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine.

These organizations’ global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets.

Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted.

Recently CISA and NCSC have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781[1],[2] and vulnerabilities in virtual private network (VPN) products from Pulse Secure, Fortinet, and Palo Alto.[3],[4]

COVID-19-related password spraying activity

CISA and NCSC are actively investigating large-scale password spraying campaigns conducted by APT groups. These actors are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations.

Previously, APT groups have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.

Technical Details

Password spraying is a commonly used style of brute force attack in which the attacker tries a single and commonly used password against many accounts before moving on to try a second password, and so on. This technique allows the attacker to remain undetected by avoiding rapid or frequent account lockouts. These attacks are successful because, for any given large set of users, there will likely be some with common passwords.

Malicious cyber actors, including APT groups, collate names from various online sources that provide organizational details and use this information to identify possible accounts for targeted institutions. The actors will then “spray” the identified accounts with lists of commonly used passwords.

Once the malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and implement further attacks against other accounts within the network.

In previous incidents investigated by CISA and NCSC, malicious cyber actors used password spraying to compromise email accounts in an organization and then, in turn, used these accounts to download the victim organization’s Global Address List (GAL).

The actors then used the GAL to password spray further accounts.

NCSC has previously provided examples of frequently found passwords, which attackers are known to use in password spray attacks to attempt to gain access to corporate accounts and networks. In these attacks, malicious cyber actors often use passwords based on the month of the year, seasons, and the name of the company or organization.

CISA and NCSC continue to investigate activity linked to large-scale password spraying campaigns.

APT actors will continue to exploit COVID-19 as they seek to answer additional intelligence questions relating to the pandemic. CISA and NCSC advise organizations to follow the mitigation advice below in view of this heightened activity.


CISA and NCSC have previously published information for organizations on password spraying and improving password policy. Putting this into practice will significantly reduce the chance of compromise from this kind of attack.

CISA’s Cyber Essentials for small organizations provides guiding principles for leaders to develop a culture of security and specific actions for IT professionals to put that culture into action.

Additionally, the UK government’s Cyber Aware campaign provides useful advice for individuals on how to stay secure online during the coronavirus pandemic. This includes advice on protecting passwords, accounts, and devices.

A number of other mitigations will be of use in defending against the campaigns detailed in this report:

Contact Information

CISA encourages U.S. users and organizations to contribute any additional information that may relate to this threat by emailing CISAServiceDesk@cisa.dhs.gov.

The NCSC encourages UK organizations to report any suspicious activity to the NCSC via their website: https://report.ncsc.gov.uk/.


This report draws on information derived from CISA, NCSC, and industry sources. Any findings and recommendations made have not been provided with the intention of avoiding all risks and following the recommendations will not remove all such risk. Ownership of information risks remains with the relevant system owner at all times.

CISA does not endorse any commercial product or service, including any subjects of analysis. Any reference to specific commercial products, processes, or services by service mark, trademark, manufacturer, or otherwise, does not constitute or imply their endorsement, recommendation, or favoring by CISA.


[1] CISA Alert: Detecting Citrix CVE-2019-19781

[2] NCSC Alert: Actors exploiting Citrix products vulnerability

[3] CISA Alert: Continued Exploitation of Pulse Secure VPN Vulnerability

[4] NCSC Alert: Vulnerabilities exploited in VPN products used worldwide

US-Cert.gov (May 2020) APT Groups Target Healthcare and Essential Services

Not every COVID-19 testing site is legit

You probably know that COVID-19 tests are in short supply. But did you know there’s no shortage of scammers setting up fake COVID-19 testing sites to cash in on the crisis? 

The fake sites can look real, with legitimate-looking signs, tents, hazmat suits, and realistic-looking tests. And the damage these fake testing sites can cause is very real.

They aren’t following sanitation protocols, so they can spread the virus.

They’re taking people’s personal information, including Social Security numbers, credit card information, and other health information – all of which can be used for identity theft and to run up your credit card bill. Worst of all, they’re not giving people the help they need to stay healthy. In other words, these testing sites are bad news.

Here are a few things to keep in mind when looking into testing sites.

  • If you think you should get tested, ask your doctor. Some people with COVID-19 have mild illness and are able to recover at home without medical care. They may not need to be tested, according to the CDC. Not sure if you need to get tested? Try the CDC’s self-checker.
  • Get a referral. Testing sites are showing up in parking lots and other places you wouldn’t expect to get a lab test. Some of these are legit – and some are not. The best way to know is to go somewhere you have been referred to by your doctor or state or local health department’s website. In other words, don’t trust a random testing site you see on the side of the road.
  • Not sure if a site is legit? Check with your local police or sheriff’s office. If a legitimate testing site has been set up, they should know about it. And, if an fake testing site is operating, they’ll want to know.

Spotted a fake COVID-19 testing site? We want to hear about it. Report it at ftc.gov/complaint.

FTC.gov (May 2020) Not every COVID-19 testing site is legit

COVID-19 Changes Daily Life of Marines

The work, social and home lives of Marines living in the barracks deviates from life before the pandemic. Marines assigned to the distribution management office, DMO, on Camp Foster, Okinawa, have a unique and difficult task to perform during this time.

DMO Marines are tasked with booking flights for temporary assignments and permanent-change-of-station orders, as well as moving all of a Marine’s personal property to the new location. With the Defense Department’s travel ban, DMO Marines are teleworking to help successfully move Marines and sailors to and from the island.

Communication is the most challenging aspect of teleworking during the outbreak, said Marine Corps Lance Cpl. Amanda Martinez, a personal property clerk at Marine Corps Base Camp Butler on Okinawa.

“We are used to face-to-face interactions, but we are having to call and email members, and they’re teleworking as well,” Martinez said. “It has been taking a little bit longer as far as documents being signed and information being sent back and forth.”

The daily lives of U.S. Marines have drastically changed since the outbreak of COVID-19. Marines stationed at Marine Corps Base Camp Smedley D. Butler, Okinawa, Japan, have implemented teleworking as a way to practice social distancing and combat the spread of the virus.

While teleworking is an effective way to combat the spread of the virus, it hinders the DMO to operate at its full potential.

“Half of our staff is in office, and half of the staff is teleworking at the barracks. So, we’re trying out a bunch of things to figure out the best way to communicate with our members and our team to make mission,” said Marine Corps Cpl. Ricardo Casarez, the noncommissioned officer in charge of the passenger travel office at Camp Butler. “Regardless, we continue to work as a team in order to adapt and overcome COVID-19.”

Not only have their jobs been affected, but so have their daily duties as Marines and the uniforms they wear.

“We are now required to wear masks. It’s become a part of our everyday carries for us, and we are required to maintain social distancing, which are both not part of our daily routines, but it has become a norm for Marines,” Casarez said.

Even the Marines’ physical training schedule has been altered, but it does not stop them from working out however they can.

“We used to PT every day, now it’s all on yourself to maintain your physical fitness,” Martinez said. “It is kind of hard because of the gyms being closed, but a lot of us are just running every day, and do what we can with what we have. We are just adapting and overcoming to still be ready to fight if we have a calling.”

The 3rd Marine Expeditionary Force announced Health Protection Condition Charlie Plus, which prohibits off-base liberty. However, the Marines still see a bright side during these difficult times.

“Due to COVID-19, Marines [are not] able to execute liberty off-base and enjoy the island,” Casarez said. “I think it’s brought camaraderie within units. It has definitely brought that feeling of being close for us. I believe it has made us more united than we have ever been.”

(Marine Corps Lance Cpl. Brennan Beauton is assigned to Marine Corps Installations Pacific.)

Defense.gov (April 2020) COVID-19 Changes Daily Life of Marines

COVID-19 fraud domain seized from seller who attempted to sell it using bitcoin

U.S. Immigration Customs and Enforcement’s (ICE) Homeland Security Investigations (HSI) and United States Attorney’s Office for the District of Columbia obtained a warrant Friday authorizing seizure of coronaprevention.org following an HSI Philadelphia investigation in support of Operation Stolen Promise.

HSI recently launched Operation Stolen Promise to protect the homeland and global supply-chain from the increasing and evolving threat posed by COVID-19-related fraud and criminal activity by combining HSI’s expertise in global trade investigations, financial fraud, and cyber investigations with robust private and public partnerships.

“Sadly, criminals are using the current pandemic as an opportunity to generate proceeds while so many Americans are suffering,” said William S. Walker, acting HSI Philadelphia special agent in charge. “Homeland Security Investigations and our partners will continue to aggressively pursue those who attempt to illegally capitalize on this crisis through illicit money-making schemes.”

The seizure warrant alleges that the owner of the domain name, coronaprevention.org, posted it for sale on a hackers forum.

The post appeared the day after the president declared a national emergency due to the COVID-19 pandemic. The seller stated on the forum that this domain would be an effective way to sell “high markup in demand products.”

The seller exponentially marked up the price of the domain. The seller asked for the payment to be made via bitcoin.

The warrant further alleges that the seller engaged in conversations with an undercover agent from HSI about the sale of the domain. The seller stated that it was “genius” to sell “fake testing kits” using this domain.

The seller further stated that the seller “wanted to do that but I couldn’t get enough cash to bulk buy them from Alibaba [a Chinese e-commerce site].” The seller recommended directed the undercover agent on how to set up a new website on the domain using a foreign-based service, so as to prevent U.S. authorities from being able to shut it down in the future.

“We will not tolerate exploitation of this national emergency for personal gain,” said U.S. Attorney Tim Shea. “This office will not allow fraudsters to use anonymous online spaces and cryptocurrency to hide their harmful activities and prey on victims.”

The charges in the warrant are merely allegations, and civil forfeiture proceedings will commence in which any interested party may make a claim to ownership of the seized property.

The enforcement action against the owner of a fraudulent website follows Attorney General William Barr’s recent direction for the department to prioritize the detection, investigation, and prosecution of illegal conduct related to the pandemic.

The case is being handled by Assistant U.S. Attorney Zia M. Faruqui, Paralegal Specialist Brian Rickers, and Legal Assistant Jessica McCormick of the U.S. Attorney’s Office for the District of Columbia.

As part of Operation Stolen Promise, HSI is partnering with U.S. Customs and Border Protection (CBP), the Food and Drug Administration, the U.S. Postal Inspection Service, the U.S. Secret Service, the Internal Revenue Service, the Federal Bureau of Investigation, and the Five Eyes Law Enforcement Working Group. Additionally, efforts span multiple HSI components including the National Intellectual Property Rights Coordination Center, HSI International Operations, the Illicit Finance and Proceeds of Crime Unit, and the Cyber Crimes Center.

As of April 23, 2020, HSI special agents have opened over 232 cases initiated, 376 total seizures, 329 leads sent, 70 disruptions, seized over three million dollars in illicit proceeds; made six arrests; executed 12 search warrants; sinkholed over 11,000 COVID-19 domain names and worked alongside CBP to seize over 225 shipments of mislabeled, fraudulent, unauthorized or prohibited COVID-19 test kits, treatment kits, homeopathic remedies, purported anti-viral products and personal protective equipment.

The launch of the operation is in direct response to a significant increase in criminal activity.

To report suspected illicit criminal activity or fraudulent schemes related to the COVID-19 pandemic, email Covid19Fraud@dhs.gov.

ICE.gov (April 2020)COVID-19 fraud domain seized from seller who attempted to sell it using bitcoin

FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic

Fraudsters are taking advantage of the uncertainty and fear surrounding the COVID-19 pandemic to steal your money, access your personal and financial information, and use you as a money mule.

When criminals obtain money illegally, they have to find a way to move and hide the illicit funds.

They scam other people, known as money mules, into moving this illicit money for them either through funds transfers, physical movement of cash, or through various other methods. Money mules are often targeted through online job schemes or dating websites and apps.

Save 45.0% on select products from bofeifs with promo code 456BA8GH, through 4/30 while supplies last.

Acting as a money mule—allowing others to use your bank account, or conducting financial transactions on behalf of others—not only jeopardizes your financial security and compromises your personally identifiable information, but is also a crime.

Protect yourself by refusing to send or receive money on behalf of individuals and businesses for which you are not personally and professionally responsible. The FBI advises you to be on the lookout for the following:

Work-from-home schemes

Watch out for online job postings and emails from individuals promising you easy money for little to no effort. Common red flags that you may be acting as a money mule include:

  • The “employer” you communicate with uses web-based services such as Gmail, Yahoo, Hotmail, Outlook, etc.
  • You are asked to receive funds in your personal bank account and then “process” or “transfer” funds via wire transfer, ACH, mail, or money service businesses, such as Western Union or MoneyGram
  • You are asked to open bank accounts in your name for a business
  • You are told to keep a portion of the money you transfer

Individuals claiming to be located overseas asking you to send or receive money on their behalf

Watch out for emails, private messages, and phone calls from individuals you do not know who claim to be located abroad and in need of your financial support. Criminals are trying to gain access to U.S. bank accounts in order to move fraud proceeds from you and other victims to their bank accounts. Common fictitious scenarios include:

  • Individuals claiming to be U.S. service members stationed overseas asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
  • Individuals claiming to be U.S. citizens working abroad asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
  • Individuals claiming to be U.S. citizens quarantined abroad asking you to send or receive money on behalf of themselves or a loved one battling COVID-19
  • Individuals claiming to be in the medical equipment business asking you to send or receive money on their behalf
  • Individuals affiliated with a charitable organization asking you to send or receive money on their behalf

If you are looking for accurate and up-to-date information on COVID-19, the CDC has posted extensive guidance and information that is updated frequently.

The best sources for authoritative information on COVID-19 are http://www.cdc.gov and http://www.coronavirus.gov. You may also consult your primary care physician for guidance.

If you believe you, or someone you know, has been solicited to be a money mule, please contact your local FBI field office. To report suspicious activity, please visit the FBI’s Internet Crime Complaint Center at ic3.gov.

FBI.gov (April 2020) FBI Warns of Money Mule Schemes Exploiting the COVID-19 Pandemic