This week, new evidence emerged that a group linked to the Russian government, APT29 (also known as Cozy Bear), has been attacking and trying to steal COVID-19-related information from organizations in the US, Canada, the UK, Japan, and even China.
Here’s a recent joint advisory from some governmental cybersecurity heavy-hitters (CISA, NCSC, CSE, and the NSA, in case you’re wondering who).
What’s happening here?
Novel Virus, Novel Threat
For months, the global pandemic has been providing good cover for malicious actors to exploit the limited and scattered cybersecurity workforces and capabilities of organizations and execute increased spear phishing, ransomware, and other attacks. But the pandemic is now also providing a novel high-value target. Recently, there has been a rise in cyber–attacks related to exfiltration of COVID-19 related IP and intelligence – namely, vaccine research.
A COVID vaccine represents a holy grail of commercial opportunity and domestic economic boon, as folks in the country that first develops a working vaccine could theoretically get back to their previous normal faster than other countries. The information also gives nations an opportunity to benchmark their own efforts. So it is logical that an adversarial nation may seek to steal and exploit (or even destroy) the research of other countries for such an advantage, especially as economies around the world continue to wilt under the weight of the virus.
As cybersecurity professionals, we spend a lot of time on security controls to defend against attacks that disrupt the integrity of data and processes. Much of our attention in the pharmaceutical and healthcare space is focused on vulnerabilities and protecting control systems and remote access systems, but as providers of security solutions to the U.S. government and critical infrastructure (think nuclear power), we are also involved in preventing attacks of espionage.
The pattern we are seeing is that state-sponsored actors are attempting to infiltrate organizations related to the COVID-19 vaccines, or other research related to the pandemic. These advanced, persistent threats (APT) are using highly targeted, novel malware and spear phishing tactics designed to exploit and compromise recently announced known (and potentially unknown) vulnerabilities in VPNs and firewalls. These include the WellMess (which has been known for two years) and WellMail (which is new) tools, as well as a custom malware package known as SoreFang designed to exploit a popular Chinese VPN.
Once the network has been infiltrated, the attackers create legitimate credentials, and the malware is designed to exploit and run autonomously, scraping, changing, exfiltrating, or destroying data. In other words, once an attack is successfully executed, even a patched firewall no longer provides any security.
In addition to the advisory mentioned above, the FBI had already warned research institutions of these kinds of attacks back in April. Even back then, the World Health Organization had noticed an increase in attacks, and Chinese agencies (presumably at the forefront of the response as the epicenter of the outbreak) were under attack by outfits looking for COVID-19 information.
Organizations on the front lines of the pandemic response already have a hard time securing their systems and devices during this chaos. A new target around IP theft just adds to the challenges of securing networks, people, and operations in these chaotic times.
We Must Do More
Protection of IP has always been big for pharma and research institutions, but your cybersecurity stance needs to change when well-funded and highly-skilled cybersecurity state actors start attacking your networks. The usual defenses (such as software-based firewalls) are clearly not enough. Everyone needs to up their game. Organizations working in these types of fields, regulators, and governments must recognize the elevated importance and relevance of this information and IP within the modern threat landscape, and do more to protect them.
How have you been protecting your network from state-sponsored breaches related to IP?