An in-depth report has looked at how COVID-19 research has become an attractive new target for organised cyber-crime.
Attackers are looking to the healthcare space as a rich repository of intellectual property (IP) now more than ever, as critical research into COVID-19 therapeutics is developed & Pfizer, Moderna & other biotech firms begin to mass-produce vaccines. Several incidents show that nation-states are targeting these companies extensively as the quest to beat the pandemic continues.
Espionage attacks have recently focused on the COVID-19 vaccine supply chain, & the Zebrocy malware continues to be used by hackers in vaccine-related cyber-attacks. Earlier this month, threat actors accessed Pfizer & BioNTech vaccine documentation submitted to EU regulators.
These recent attacks are nothing new. Hackers attempting to profit from pandemic suffering have been an ongoing problem since Jan. 2020.
COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories suffered an attack in Oct. that forced it to shut down plants across Brazil, India, the UK & the US. The India-based company is contracted to manufacture Russia’s “Sputnik V” COVID-19 vaccine.
In July, the US Dept. of Homeland Security (DHS) warned that Russia-linked group APT29 (a.k.a. Cozy Bear or The Dukes) has been targeting British, Canadian & US research companies. The advanced persistent threat (APT) group looks to steal COVID-19 vaccine research from academic & pharmaceutical institutions, DHS warned.
Earlier in the pandemic, the World Health Organization (WHO) was targeted by the Dark Hotel APT group, which looked to infiltrate its networks to steal information.
Bullseye on Healthcare IP
Similarly, the US Justice Dept. (DoJ) recently accused Chinese state-sponsored hackers of spying on COVID-19 vaccine developer Moderna. “Even if you are good at science, this is a cheap insurance policy to maintain a seat at the table for the game of nations,” commented Sam Curry, Cybereason CSO.
“The headlines around stealing vaccine research, data & information being used to create vaccines to the world’s pandemic should be a wakeup call to research firms & both the private & public sector. It is not a question of if hacking will be done, but rather how much has already taken place,” Curry observed.
He added that nation-state backed crime groups are well funded, patient & highly skilled – meaning there is likely more activity going on than it seems. After all, having a lead on “re-opening” their part of the world could come with a lasting balance-of-power impact.
“Some groups have likely infiltrated these companies & have not been caught, & are pilfering through specific vaccine information, patents & other valuable content,” he commented.
“A vaccine for COVID is a strategically valuable (maybe crucial) asset. Whoever gets a vaccine 1st has an economic advantage & it is worth billions of dollars to a country & its economy. It is the ultimate IP with immediate value.”
In terms of how APTs infiltrate their targets, commodity trojans such as Emotet or TrickBot, which are commercially available, are designed to operate in enterprise & complex environments, according to Rob Bathurst, CTO of cyber-security firm Digitalware.
These backdoors can gain persistence & provide a deployment platform for making further inroads into a victim’s network.
“The rule of thumb for an attacker is to use just enough to get the job done & that is usually commercial malware 1st, & custom packages only if needed for a specific target,” he explained.
Custom kits have indeed been seen. DHS for example warned that APT29 is using advanced, custom malware called “WellMess” & “WellMail” for data exfiltration.
Ounce of Prevention
To safeguard the IP ‘jewels’, best practices start – as ever – with the basics. One of the most common ways for criminals to gain access to any computer network is phishing – clicking on a ‘dodgy’ email is all it takes for a threat actor to deploy one of these backdoors.
This tactic was seen in the 2020 WHO attacks: a phishing page imitated the WHO’s internal email system & was used in an attempt to steal passwords from multiple agency staffers.
“To combat this type of attack, organisations need to continue to improve their security hygiene, implement around-the-clock threat hunting & increase their ability to detect malicious activity early,” Curry suggested.
“Security-awareness training is also needed & employees should not open attachments from unknown sources & never download content from dubious sources.”
When it comes to preventing malware, “no security solution is perfect,” Bathurst said. “The only way to have a chance to prevent IP theft is to prevent the initial compromise & minimise the damage from the point of impact.”
To that end, organisations can use modern antivirus protections that combine behavioural analytics & pattern matching with binary analysis & pre-execution analysis. Organisations should also regularly review the configurations & capabilities of their network-based defence technologies, beyond just firewall rules.
COVID Supply-Chain Attacks Ramp Up
It is also critical to consider the supply chain, Bathurst added. Earlier this month, IBM Security X-Force researchers identified a sophisticated phishing campaign targeting the credentials of organisations associated with the COVID-19 “cold-chain” – companies that ensure the safe preservation of vaccines by making sure they are stored and transported in temperature-controlled environments.
Supply-chain threats include those against researchers, govt. agencies, universities, pharma, hospitals treating cases, & companies involved in the manufacturing of ingredients. These attacks, separate from the massive SolarWinds supply-chain attack, focus on exploiting the urgency around the pandemic effort to save lives.
In Nov., global biotech firm Miltenyi Biotec reported that it had been battling a malware attack. The company supplies SARS-CoV-2 antigens for researchers working on treatments for COVID-19.
“If the attacker is after vaccine-related data, that could come from 3rd-party researchers with access to your data, your clinical trials database, your research team, their home computers, notes on tables, laboratory equipment memory or storage, & even the industrial control systems that control the drug-manufacturing plants,” Bathurst explained. “Ultimately, it comes down to understanding your risks & impact points.”
Attacks Will Continue in 2021
Above all, it is clear that the stakes are too high for the espionage onslaught to dry up anytime soon, & in fact the worst could be yet to come, researchers suggest.
“As flu season descends upon us & vaccine research continues, I would expect to see a sharp increase in actor activity beyond what has already been reported,” Bathurst commented. “It’s in the interest of nation-state intelligence agencies to continue to leverage everything they can throughout their ecosystem to harvest information.”
Last week, Kaspersky researchers reported that the APT group known as Lazarus Group & other sophisticated nation-state actors were ‘actively trying’ to steal COVID-19 research to speed up their countries’ vaccine-development efforts.