
APTs target COVID-19 research programs

If you are working on COVID-19 research or vaccines, you have a target on your back. CISA and the UK NCSC are seeing password spraying and scanning campaigns hitting healthcare, pharma, and research organizations. The playbook is not sophisticated: MFA and patched VPNs stop most of it. Make sure your incident response is ready.

Reviewed for accuracy by Kodi C.


At a glance

On , the Cybersecurity and Infrastructure Security Agency (CISA) and the UK National Cyber Security Centre (NCSC) released joint advisory AA20-126A, warning of coordinated cyber campaigns targeting organizations involved in COVID-19 response. Advanced persistent threat (APT) groups are actively conducting password spraying attacks, vulnerability scanning, and supply chain reconnaissance against healthcare providers, pharmaceutical companies, research institutions, and government entities working on pandemic response.

Threat Actor Activity

The advisory documents ongoing campaigns by nation-state actors seeking to compromise COVID-19 research and response organizations:

  • Password spraying: Attackers are conducting large-scale password spraying campaigns against healthcare and research organizations, attempting common passwords across many accounts to gain initial access.
  • VPN exploitation: APT groups are actively scanning for and exploiting vulnerabilities in VPN concentrators, particularly Citrix ADC (CVE-2019-19781), Pulse Secure (CVE-2019-11510), Fortinet FortiOS (CVE-2018-13379), and Palo Alto GlobalProtect (CVE-2019-1579).
  • Supply chain reconnaissance: Threat actors are mapping connections between target organizations and their vendors, contract research organizations, and academic partners to identify alternative access paths.
  • Intellectual property theft: The ultimate objective appears to be exfiltration of vaccine research data, clinical trial information, treatment protocols, and pandemic response planning documents.

Target Profile

The advisory specifically calls out the following organization types as high-risk targets:

  • Healthcare delivery organizations: Hospitals, clinics, and health systems providing direct patient care for COVID-19 patients
  • Pharmaceutical companies: Organizations developing vaccines, therapeutics, diagnostics, or medical devices for pandemic response
  • Academic research institutions: Universities and research centers conducting COVID-19 studies or participating in clinical trials
  • Medical research organizations: Government laboratories, non-profit research institutes, and contract research organizations supporting pandemic research
  • Local and national governments: Public health agencies and government entities coordinating pandemic response
  • International organizations: WHO, international health organizations, and global coordination bodies

Password Spraying Threat Analysis

Password spraying attacks present particular risk for healthcare and research organizations:

  • Credential reuse: Researchers and healthcare workers often maintain accounts across multiple institutions, creating credential reuse exposure.
  • Legacy systems: Healthcare environments frequently operate legacy systems lacking modern authentication controls.
  • Emergency access: Pandemic response pressure may lead to relaxed security controls for rapid onboarding or access provisioning.
  • Detection challenges: Password spraying distributes attempts across many accounts to avoid lockout thresholds, making detection difficult without behavioral analytics.
  • Cloud services: Cloud email and collaboration platforms (Office 365, G Suite) provide targets for spraying attacks against externally accessible authentication endpoints.

VPN Vulnerability Context

The advisory emphasizes that attackers are targeting known VPN vulnerabilities that many organizations patched months ago but some have not addressed:

  • Citrix ADC (CVE-2019-19781): Directory traversal vulnerability enabling arbitrary code execution; patches available since January 2020.
  • Pulse Secure (CVE-2019-11510): Arbitrary file read vulnerability allowing credential theft; patches available since April 2019.
  • Fortinet FortiOS (CVE-2018-13379): Path traversal enabling system file access; patches available since May 2019.
  • Palo Alto GlobalProtect (CVE-2019-1579): Remote code execution in SSL VPN portal; patches available since July 2019.

Organizations with unpatched VPN infrastructure face heightened risk as APT groups specifically scan for these vulnerabilities.

Organizations supporting COVID-19 response should implement the following security controls:

  • Multi-factor authentication: Enforce hardware-backed MFA on all privileged accounts, VPN access, cloud services, and external-facing applications. MFA defeats password spraying attacks.
  • VPN patching: Immediately verify patch status for Citrix, Pulse Secure, Fortinet, and Palo Alto VPN appliances. Disable unnecessary VPN portals or legacy SSL VPN services.
  • Password policy enforcement: Implement banned password lists, complexity requirements, and breach password checking to prevent use of commonly sprayed credentials.
  • Account monitoring: Deploy behavioral analytics to detect distributed authentication attacks that evade traditional lockout thresholds.
  • Network segmentation: Isolate research data, SCADA systems, and critical laboratory networks from general-purpose IT infrastructure.
  • Supplier security: Request security attestations from CROs, academic partners, and manufacturing vendors covering password policies, access monitoring, and incident notification.
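The detection gap described under "Detection challenges" above, and the behavioral-analytics control recommended here, come down to one question: is a single source failing against many accounts a few times each? The following is an added example (not code from the advisory or from Zeph Tech) that runs that check over constructed authentication events in an assumed `timestamp user source_ip result` format; the log format, IPs and thresholds are assumptions, not values from the advisory.

```python
"""Flag password-spraying patterns in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events, not real data: "<ISO timestamp> <user> <source_ip> <result>".
_SPRAY = [f"2020-05-05T08:{i:02d}:10Z user{i:02d} 203.0.113.7 FAIL" for i in range(12)]
_BRUTE = [f"2020-05-05T08:{i:02d}:40Z admin 198.51.100.9 FAIL" for i in range(15)]
_NORMAL = ["2020-05-05T08:05:00Z alice 192.0.2.20 FAIL",
           "2020-05-05T08:05:30Z alice 192.0.2.20 SUCCESS"]
SAMPLE_LOG = "\n".join(_SPRAY + _BRUTE + _NORMAL)


def parse_line(line):
    """Return (timestamp, user, source_ip, result) or None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, parts[1], parts[2], parts[3]


def detect_spraying(log_text, window_minutes=30, min_accounts=10, max_per_account=3):
    """Per source and time window, count failed logins by account.

    A source is flagged when it fails against at least `min_accounts` distinct
    accounts while staying at or below `max_per_account` failures for each of
    them: many accounts, few tries each, which per-account lockouts never see.
    A classic brute force (many failures on one account) is deliberately not
    flagged here; the lockout threshold already covers it.
    Returns {source_ip: sorted list of accounts it sprayed}.
    """
    buckets = defaultdict(lambda: defaultdict(int))  # (src, window) -> user -> fails
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None or parsed[3] != "FAIL":
            continue
        ts, user, src, _ = parsed
        window = int(ts.timestamp() // (window_minutes * 60))
        buckets[(src, window)][user] += 1
    flagged = {}
    for (src, _), per_user in buckets.items():
        if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
            flagged.setdefault(src, set()).update(per_user)
    return {src: sorted(users) for src, users in flagged.items()}


if __name__ == "__main__":
    for src, users in detect_spraying(SAMPLE_LOG).items():
        print(f"possible spraying from {src}: {len(users)} accounts, e.g. {users[:3]}")
```

Tune `window_minutes` and `min_accounts` to your own baseline; a shared NAT egress or a service account checker can otherwise look like a sprayer.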

Incident Response Preparation

Given the elevated threat level, you should improve incident response readiness:

  • Update contact lists for FBI, CISA, and sector-specific ISACs handling COVID-19 related incidents
  • Brief security operations teams on indicators of compromise from the advisory
  • Pre-position incident response resources for rapid deployment if compromise is detected
  • Establish communication protocols for notifying partners if supply chain compromise is suspected
  • Document critical research data and systems requiring focused protection during incidents

International Coordination

The joint CISA-NCSC nature of this advisory reflects coordinated threat activity affecting multiple nations:

  • Similar targeting patterns observed across US, UK, and other allied nations
  • Threat intelligence sharing between national cyber security agencies is active
  • If you are affected, report suspected incidents to both national authorities and international coordination bodies
  • Cross-border research collaborations may create shared vulnerability exposure requiring coordinated defense

Wrapping up

Advisory AA20-126A represents a significant warning that nation-state actors are actively targeting pandemic response efforts. Organizations involved in COVID-19 research, healthcare delivery, or response coordination should treat this as an elevated threat environment requiring improved security controls. The combination of password spraying, VPN exploitation, and supply chain reconnaissance shows sophisticated, persistent adversary interest in pandemic-related intellectual property and operational information. Immediate action on MFA deployment, VPN patching, and credential hygiene can significantly reduce exposure to these ongoing campaigns.


References

  1. AA20-126A: APT Groups Targeting Healthcare and Essential Services
  2. CVE Details - Vulnerability Database — CVE Details
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization