Cyber security experts have warned of malicious cyber campaigns targeting healthcare organisations and policy makers involved in the Covid-19 response.

The UK’s National Cyber Security Centre (NCSC) and the US Cybersecurity and Infrastructure Agency (CISA) have spotted large-scale ‘password-spraying’ campaigns against healthcare and medical research organisations.

Password spraying refers to an attempt to access large numbers of accounts using commonly known passwords. The ‘advanced persistent threat’ groups target such bodies to collect bulk personal information, intellectual property and intelligence that aligns with national priorities, they said.

Speaking at yesterday’s daily coronavirus briefing, Dominic Raab urged healthcare organisations to be diligent against the threat of cyber criminals.

In an advisory for international organisations, published 5 May, the NCSC and CISA advised staff to change any passwords that could be reasonably guessed. These should be replaced with ones created with three random words, they said.

A two-factor authentication model should also be implemented to reduce cyber threats, the advisory adds.

Paul Chichester, NCSC director of operations, said: “Protecting the healthcare sector is the NCSC’s first and foremost priority at this time, and we’re working closely with the NHS to keep their systems safe.

“By prioritising any requests for support from health organisations and remaining in close contact with industries involved in the coronavirus response, we can inform them of any malicious activity and take the necessary steps to help them defend against it.

“But we can’t do this alone, and we recommend healthcare policy makers and researchers take our actionable steps to defend themselves from password spraying campaigns.”

Pharmaceutical companies and local governments have also been targeted.

The World Health Organisation (WHO) has also seen a “dramatic increase” in the number of cyber attacks directed at staff and email scams targeting the public. Attacks are now more than five times higher than in the same period last year, it said.

In the week beginning 20 April some 450 WHO email addresses and passwords were leaked online, alongside thousands of others associated with people working on the coronavirus response.

The organisation said the leak did not impact security as the data was out of date. It is now working with the private sector to establish more robust internal systems and to strengthen security measures. Staff are also being given training on cybersecurity risks.

Bernardo Mariano, WHO’s chief information officer, said: “Ensuring the security of health information for member states and the privacy of users interacting with us is a priority for WHO at all times, but also particularly during the Covid-19 pandemic. We are grateful for the alerts we receive from member states and the private sector. We are all in this fight together.”

It comes as the UK’s intelligence and security organisation was granted extra powers to access information from NHS IT systems during the Covid-19 outbreak.

Under the powers, approved by health secretary Matt Hancock, GCHQ can request from the NHS anything “relating to the security of any network and information system”.

The apparent attempt to bolster NHS cyber security followed a stark warning from the NCSC on 8 April regarding an increase in Covid-19 related malicious cyber activity.

Both the NCSC and the US Department of Homeland Security have noted a growing use of Covid-19 themes by cyber attackers, though the overall level of cyber crime has not increased.