Protecting Information Amongst the Chaos

Protecting Information Amongst the Chaos


This week, new evidence emerged that a group linked to the Russian government, APT29 (also known as Cozy Bear), has been attacking and trying to steal COVID-19-related information from organizations in the US, Canada, the UKJapan, and even China 

Here’s a recent joint advisory from some governmental cybersecurity heavy-hitters (CISA, NCSC, CSE, and the NSA, in case you’re wondering who).  

What’s happening here?  

Novel Virus, Novel Threat 

For months, the global pandemic has been providing good cover for malicious actors to exploit the limited and scattered cybersecurity workforces and capabilities of organizations and execute increased spear phishing, ransomware, and other attacks. But the pandemic is now also providing a novel high-value target. Recently, there has been a rise in cyberattacks related to exfiltration of COVID-19 related IP and intelligence – namely, vaccine research 

A COVID vaccine represents a holy grail of commercial opportunity and domestic economic boon, as folks in the country that first develops a working vaccine could theoretically get back to their previous normal faster than other countries. The information also gives nations an opportunity to benchmark their own efforts. So it is logical that an adversarial nation may seek to steal and exploit (or even destroy) the research of other countries for such an advantage, especially as economies around the world continue to wilt under the weight of the virus. 

Cybersecurity Perspective 

As cybersecurity professionals, we spend a lot of time on security controls to defend against attacks that disrupt the integrity of data and processes. Much of our attention in the pharmaceutical and healthcare space is focused on vulnerabilities and protecting control systems and remote access systems, but as providers of security solutions to the U.S. government and critical infrastructure (think nuclear power), we are also involved in preventing attacks of espionage. 

The pattern we are seeing is that state-sponsored actors are attempting to infiltrate organizations related to the COVID-19 vaccines, or other research related to the pandemic. These advanced, persistent threats (APT) are using highly targeted, novel malware and spear phishing tactics designed to exploit and compromise recently announced known (and potentially unknown) vulnerabilities in VPNs and firewalls. These include the WellMess (which has been known for two years) and WellMail (which is new) toolsas well as a custom malware package known as SoreFang designed to exploit a popular Chinese VPN. 

Once the network has been infiltrated, the attackers create legitimate credentials, and the malware is designed to exploit and run autonomously, scraping, changing, exfiltrating, or destroying data. In other words, once an attack is successfully executed, even a patched firewall no longer provides any security. 

A Warning 

In addition to the advisory mentioned above, the FBI had already warned research institutions of these kinds of attacks back in AprilEven back then, the World Health Organization had noticed an increase in attacks, and Chinese agencies (presumably at the forefront of the response as the epicenter of the outbreakwere under attack by outfits looking for COVID-19 information.  

Organizations on the front lines of the pandemic response already have a hard time securing their systems and devices during this chaos. A new target around IP theft just adds to the challenges of securing networks, people, and operations in these chaotic times. 

We Must DMore 

Protection of IP has always been big for pharma and research institutions, but your cybersecurity stance needs to change when well-funded and highly-skilled cybersecurity state actors start attacking your networks. The usual defenses (such as software-based firewalls) are clearly not enough. Everyone needs to up their game. Organizations working in these types of fields, regulators, and governments must recognize the elevated importance and relevance of this information and IP within the modern threat landscape, and do more to protect them. 

How have you been protecting your network from state-sponsored breaches related to IP? 

Insights to your Inbox

Stay informed with the latest cybersecurity news and resources.

Paul Nguyen DoD Account Director

Proven Solutions for Navy “Data Maneuverability” @ AFCEA WEST

Hi, I’m Paul Nguyen, one of the new leaders of Owl’s DoD Mission Support team. I joined Owl Cyber Defense (Owl) earlier this month, just in time to be a part of our annual corporate o...
January 31, 2024

Owl SEER Lab MiniBlog 1: CVE-2023-21093

Hello and welcome to the launch of the Owl Cyber Defense System Evaluation, Exploitation, and Research (SEER) Laboratory miniblog! This is the very first in a line of forthcoming posts. ...
September 26, 2023

Reduce Cyber Stress (at least at work) by Implementing Data Diode Enforced Segmentation

In today's digital age, cybersecurity professionals play a crucial role in ensuring the safety and security of an organization's sensitive information. With the rise of cyberattacks, it's...
April 20, 2023