Protecting Information Amongst the Chaos

Protecting Information Amongst the Chaos


This week, new evidence emerged that a group linked to the Russian government, APT29 (also known as Cozy Bear), has been attacking and trying to steal COVID-19-related information from organizations in the US, Canada, the UKJapan, and even China 

Here’s a recent joint advisory from some governmental cybersecurity heavy-hitters (CISA, NCSC, CSE, and the NSA, in case you’re wondering who).  

What’s happening here?  

Novel Virus, Novel Threat 

For months, the global pandemic has been providing good cover for malicious actors to exploit the limited and scattered cybersecurity workforces and capabilities of organizations and execute increased spear phishing, ransomware, and other attacks. But the pandemic is now also providing a novel high-value target. Recently, there has been a rise in cyberattacks related to exfiltration of COVID-19 related IP and intelligence – namely, vaccine research 

A COVID vaccine represents a holy grail of commercial opportunity and domestic economic boon, as folks in the country that first develops a working vaccine could theoretically get back to their previous normal faster than other countries. The information also gives nations an opportunity to benchmark their own efforts. So it is logical that an adversarial nation may seek to steal and exploit (or even destroy) the research of other countries for such an advantage, especially as economies around the world continue to wilt under the weight of the virus. 

Cybersecurity Perspective 

As cybersecurity professionals, we spend a lot of time on security controls to defend against attacks that disrupt the integrity of data and processes. Much of our attention in the pharmaceutical and healthcare space is focused on vulnerabilities and protectingcontrol systems and remote access systems, but as providers of security solutions to the U.S. government and critical infrastructure (think nuclear power), we are also involved in preventing attacks of espionage. 

The pattern we are seeing is that state-sponsored actors are attempting to infiltrate organizations related to the COVID-19 vaccines, or other research related to the pandemic. These advanced, persistent threats (APT) are using highly targeted, novel malware and spear phishing tactics designed to exploit and compromise recently announced known (and potentially unknown) vulnerabilities in VPNs and firewalls. These include the WellMess (which has been known for two years) and WellMail (which is new) toolsas well as a custom malware package known as SoreFang designed to exploit a popular Chinese VPN. 

Once the network has been infiltrated, the attackers create legitimate credentials, and the malware is designed to exploit and run autonomously, scraping, changing, exfiltrating, or destroying data. In other words, once an attack is successfully executed, even a patched firewall no longer provides any security. 

A Warning 

In addition to the advisory mentioned above, the FBI had alreadywarned research institutions of these kinds of attacks back in AprilEven back then, the World Health Organization had noticedan increase in attacks, and Chinese agencies (presumably at the forefront of the response as the epicenter of the outbreakwereunder attack by outfits looking for COVID-19 information.  

Organizations on the front lines of the pandemic response already have a hard time securing their systems and devices during this chaos. A new target around IP theft just adds to the challenges of securing networks, people, and operations in these chaotic times. 

We Must DMore 

Protection of IP has always been big for pharma and research institutions, but your cybersecurity stance needs to change when well-funded and highly-skilled cybersecurity state actors start attacking your networks. The usual defenses (such as software-based firewalls) are clearly not enough. Everyone needs to up their game. Organizations working in these types of fields, regulators, and governments must recognize the elevated importance and relevance of this information and IP within the modern threat landscape, and do more to protect them. 

How have you been protecting your network from state-sponsored breaches related to IP? 

Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 3: The Device

In the previous two posts in this series, I talked about the reasons cybersecurity analysis on medical devices is necessary and some processes behind device analysis. In the next coupl...
October 21, 2020
Board inspection
Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 2: How We Do It

In my last post, I talked a bit about the cybersecurity challenges around medical devices. In this post, I want to tell you a bit about the process of device cybersecurity analysis, wi...
October 15, 2020
Device Assessment
Charlie Schick Healthcare Consultant

Why Do A Medical Device Assessment, Part 1: “It’s Not a Good Situation”

Relevant to this series, Owl’s Device Inspection and Analysis Lab focuses on security analysis of all sorts of devices, ranging from laptops, servers, and mobile devices; to securing op...
October 7, 2020