By Bruce Sussman
Tue | May 5, 2020 | 9:33 AM PDT

Scientists, researchers, and academics around the world are working on solutions to the coronavirus.

And nation-state backed hackers, known as Advanced Persistent Threats (APTs), are trying to steal as much of this research as they can.

Hackers are targeting specific organizations to steal coronavirus data

The new cybersecurity warning is a joint advisory from the United Kingdom's National Cyber Security Centre (NCSC) and the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA).

"The NCSC and CISA are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organisations, and universities. APT groups frequently target such organisations in order to steal sensitive research data and intellectual property (IP) for commercial and state benefit.

Organisations involved in COVID-19 related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19 related medicine."

How nation-state hackers are trying to steal COVID-19 research

How are these APTs or nation-state hackers attempting to break into computer networks and steal coronavirus data and research?

The advisory says a key method is looking for unpatched vulnerabilities.

"Recently the NCSC and CISA have seen APT actors scanning the external websites of targeted companies and looking for vulnerabilities in unpatched software. Actors are known to take advantage of Citrix vulnerability CVE-2019-19781 and vulnerabilities in Virtual Private Network (VPN) products from vendors Pulse Secure, Fortinet and Palo Alto."

These nation-state actors are also using brute force or password spraying cyber attacks against organizations doing novel coronavirus research:

"Malicious cyber actors, including APT groups, collate names from various online sources that provide organisational details and use this information to identify possible accounts for targeted institutions. The actor will then 'spray' the identified accounts with lists of commonly used passwords.

In previous incidents investigated by the NCSC and CISA, malicious cyber actors used password spraying to compromise email accounts in an organisation and then, in turn, used these accounts to download the victim organisation's Global Address List (GAL). The actors then used the GAL to password spray further accounts."
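The spray pattern the advisory describes is detectable in authentication logs because it looks different from ordinary brute force: one source touching many accounts with only one or two attempts each, rather than one account with many attempts. The following is an added example (not code from the advisory or from SecureWorld) that classifies sources in a constructed log sample and lists accounts that later authenticated from a spraying source, which is where the GAL-download follow-on step would start; the window and thresholds are assumptions to tune per environment.

```python
"""Password spray vs brute force over auth logs. Added example, not from the
advisory or SecureWorld; window/thresholds are assumptions, tune to your logs."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample log (not real data): <timestamp> <result> user=<id> src=<ip>
SAMPLE_LOG = """\
2020-05-05T09:00:01Z FAIL user=a.smith src=203.0.113.7
2020-05-05T09:00:03Z FAIL user=b.jones src=203.0.113.7
2020-05-05T09:00:05Z FAIL user=c.lee src=203.0.113.7
2020-05-05T09:00:07Z FAIL user=d.patel src=203.0.113.7
2020-05-05T09:00:09Z FAIL user=e.wong src=203.0.113.7
2020-05-05T09:00:11Z SUCCESS user=f.garcia src=203.0.113.7
2020-05-05T09:00:20Z FAIL user=a.smith src=198.51.100.4
2020-05-05T09:00:21Z FAIL user=a.smith src=198.51.100.4
2020-05-05T09:00:22Z FAIL user=a.smith src=198.51.100.4
2020-05-05T09:00:23Z FAIL user=a.smith src=198.51.100.4
2020-05-05T09:00:24Z FAIL user=a.smith src=198.51.100.4
"""

def parse(log_text):
    """Return (timestamp, result, user, src) tuples, oldest first."""
    events = []
    for line in log_text.splitlines():
        ts, result, user, src = line.split()  # user=..., src=...
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result, user[5:], src[4:]))
    return sorted(events)

def classify(events, window=timedelta(minutes=10), min_users=5,
             max_per_user=2, brute_threshold=5):
    """Map each source IP to a finding of kind "spray" or "brute_force"."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e[1] == "FAIL"]
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:  # slide the window forward
                start += 1
            per_user = Counter(e[2] for e in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                # Accounts that later authenticated from a spraying source need review.
                hits = sorted({e[2] for e in evs if e[1] == "SUCCESS" and e[0] >= fails[start][0]})
                findings[src] = {"kind": "spray", "accounts_tried": len(per_user), "succeeded": hits}
                break
            if max(per_user.values()) >= brute_threshold:
                findings[src] = {"kind": "brute_force", "account": per_user.most_common(1)[0][0]}
                break
    return findings
```

Running `classify(parse(SAMPLE_LOG))` flags 203.0.113.7 as a spray with `f.garcia` as the account to review, and 198.51.100.4 as brute force against `a.smith`.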

And these nation-state hackers are looking for another possible way in, by compromising organizations and vendors the COVID-19 research organizations may be working with.

"The global reach and international supply chains of these organisations increase exposure to malicious actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many elements of the supply chains will also have been affected by the shift to remote working and the new vulnerabilities that have resulted."

Why is COVID-19 information so valuable to nation-state hackers?

Alexander Urbelis discovered one of the earliest nation-state linked cyberattacks during the COVID-19 pandemic. He watched a website come to life that mimicked a World Health Organization login page in an effort to trick WHO users into entering their login credentials so hackers could capture and use that information.

It's a well-known trick in the hacker world. But why? What is the value to the country supporting this type of cyberattack?

SecureWorld asked Urbelis about this during a recent podcast episode.

"Any nation that could acquire or any company that could acquire an advanced preview of the World Health Organization statistics with respect to the pandemic itself and its proliferation in other countries or information or intelligence with respect to palliative care vaccines underway, and all of this information could give a country or private industry or even I daresay investors, a massive leg up in terms of competitive business as well as nation state level intelligence."

Listen to the podcast here (or on your device) about the coronavirus cyberattack at the World Health Organization:

And long before COVID-19 came onto the world stage, SecureWorld interviewed Dawn-Marie Hutchinson, the Information Security Officer for Research and Development at pharmaceutical giant GlaxoSmithKline.

Speaking after her keynote at SecureWorld Philadelphia, she offered insight into the cyber adversaries of the pharmaceutical industry:

"So every industry has a different set of threat actors. And the first thing we do when we do threat mapping is we start to talk about, who are they?

We're not likely combating cybercriminals. We're likely looking at cyber espionage, other companies looking to interfere with our production, or nation-state actors because providing cutting-edge medicines to their people is important.

If it's a cyber espionage situation, when we look at nation-state actors, nine out of 10 times they're looking to steal information."

This is exactly the point of the new U.S. and U.K. advisory, that nation-state adversaries are attempting to steal information on COVID-19 research.

And the stakes are extremely high.

Mitigations against nation-state hacking attempts

How can you mitigate the risk against these APT hacking groups? The joint cybersecurity advisory includes a variety of mitigation steps and technical details, which you can read here.

COVID-19 related cybercrimes and threats podcast

Also, if you're interested in the wider spectrum of cyber attacks being used by criminal hackers related to COVID-19, and how these threats are evolving, check out the following podcast episode:
