Protecting Information Amongst the Chaos

Protecting Information Amongst the Chaos

This week, new evidence emerged that a group linked to the Russian government, APT29 (also known as Cozy Bear), has been attacking and trying to steal COVID-19-related information from organizations in the US, Canada, the UKJapan, and even China 

Here’s a recent joint advisory from some governmental cybersecurity heavy-hitters (CISA, NCSC, CSE, and the NSA, in case you’re wondering who).  

What’s happening here?  

Novel Virus, Novel Threat 

For months, the global pandemic has been providing good cover for malicious actors to exploit the limited and scattered cybersecurity workforces and capabilities of organizations and execute increased spear phishing, ransomware, and other attacks. But the pandemic is now also providing a novel high-value target. Recently, there has been a rise in cyberattacks related to exfiltration of COVID-19 related IP and intelligence – namely, vaccine research 

A COVID vaccine represents a holy grail of commercial opportunity and domestic economic boon, as folks in the country that first develops a working vaccine could theoretically get back to their previous normal faster than other countries. The information also gives nations an opportunity to benchmark their own efforts. So it is logical that an adversarial nation may seek to steal and exploit (or even destroy) the research of other countries for such an advantage, especially as economies around the world continue to wilt under the weight of the virus. 

Cybersecurity Perspective 

As cybersecurity professionals, we spend a lot of time on security controls to defend against attacks that disrupt the integrity of data and processes. Much of our attention in the pharmaceutical and healthcare space is focused on vulnerabilities and protectingcontrol systems and remote access systems, but as providers of security solutions to the U.S. government and critical infrastructure (think nuclear power), we are also involved in preventing attacks of espionage. 

The pattern we are seeing is that state-sponsored actors are attempting to infiltrate organizations related to the COVID-19 vaccines, or other research related to the pandemic. These advanced, persistent threats (APT) are using highly targeted, novel malware and spear phishing tactics designed to exploit and compromise recently announced known (and potentially unknown) vulnerabilities in VPNs and firewalls. These include the WellMess (which has been known for two years) and WellMail (which is new) toolsas well as a custom malware package known as SoreFang designed to exploit a popular Chinese VPN. 

Once the network has been infiltrated, the attackers create legitimate credentials, and the malware is designed to exploit and run autonomously, scraping, changing, exfiltrating, or destroying data. In other words, once an attack is successfully executed, even a patched firewall no longer provides any security. 

A Warning 

In addition to the advisory mentioned above, the FBI had alreadywarned research institutions of these kinds of attacks back in AprilEven back then, the World Health Organization had noticedan increase in attacks, and Chinese agencies (presumably at the forefront of the response as the epicenter of the outbreakwereunder attack by outfits looking for COVID-19 information.  

Organizations on the front lines of the pandemic response already have a hard time securing their systems and devices during this chaos. A new target around IP theft just adds to the challenges of securing networks, people, and operations in these chaotic times. 

We Must DMore 

Protection of IP has always been big for pharma and research institutions, but your cybersecurity stance needs to change when well-funded and highly-skilled cybersecurity state actors start attacking your networks. The usual defenses (such as software-based firewalls) are clearly not enough. Everyone needs to up their game. Organizations working in these types of fields, regulators, and governments must recognize the elevated importance and relevance of this information and IP within the modern threat landscape, and do more to protect them. 

How have you been protecting your network from state-sponsored breaches related to IP? 

Brian Romansky Chief Innovation Officer

Vaccine-like Trials Could Allay Software Patch Concerns

A recent article from implies that perhaps the Russian race to be the first to announce an approved vaccine for COVID-19 might circumvent the level of rigorous safety and effi...
July 28, 2020
Bill Caffery Strategic Technology Advisor

Closing the Barn Door?

According to yesterday’s NY Times (July 16, 2020) U.S. Intelligence agencies have revealed that a small but well-known hacking group associated with Russian Intelligence have been “ta...
July 17, 2020

A Statement on Violence Against the Black Community from Owl Cyber Defense

As we absorb our communities’ pain and anger, we must demand change from ourselves. The heartbreaking racial acts and injustices towards the Black community across this country is a dis...
June 8, 2020