APT Groups Target Firms Working on COVID-19 VaccinesMicrosoft Says Attacks on Seven Companies Blocked
Three state-sponsored advanced persistent threat groups - one Russian, two North Korean - have been targeting companies across the globe involved with COVID-19 vaccine and treatment development, Microsoft says.
The software giant says the attacks in recent months on six large pharmaceutical companies and one clinical research firm - which it did not identify - were blocked. The attacks were waged by Strontium, a threat actor in Russia, and two hacker groups in North Korea - Zinc and Cerium, the company says.
"Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people's accounts using thousands or millions of rapid attempts," according to a blog post by Tom Burt, Microsoft's corporate vice president of customer security and trust.
"Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters," the blog notes. "Cerium engaged in spear-phishing email lures using COVID-19 themes while masquerading as World Health Organization representatives."
The targets of recent state-sponsored APT attacks include "leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States," Microsoft says.
"Among the targets, the majority are vaccine makers that have COVID-19 vaccines in various stages of clinical trials. One is a clinical research organization involved in trials, and one has developed a COVID-19 test. Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for COVID-19 related work," Microsoft says.
Kelvin Coleman, executive director of the National Cyber Security Alliance, sizes up the possible motivations behind the APT attacks.
"The attacks on vaccine research aren't necessarily designed to cause harm as much they are to facilitate data theft," he notes. "If these groups were operating in a way meant to cause destruction to our healthcare infrastructures - like Sandworm did with the NotPetya attack in 2017 against banks, manufacturers and pharma companies - that'd be a different story."
The attacks, Coleman says, could have been "subcontracted by other nations to accelerate research and development elsewhere and muddle the attribution path for the true attack source or nation. Or it's simply a cash grab. Data relating to a successful COVID-19 vaccine is one of the most valuable commodities on the planet because every country is racing to be the first to bring a viable cure to market - meaning said data will also likely fetch a healthy price on the black market/dark web."
Denise Anderson, president of the Health Information Sharing and Analysis Center, says the cyberthreats facing healthcare sector organizations are heightened during the COVID-19 pandemic.
"From the beginning, when the research organizations and vaccine developers, manufacturers and their supply chain began working on therapeutics for COVID-19, they have been well aware of the threats and in particular the nation-state interest in the intellectual capital," she says.
"These organizations are monitoring and collaborating closely around any threat activity they may be seeing, including working with the H-ISAC community to share indicators and best practices."
Besides the latest disclosure from Microsoft, government authorities in the U.S., U.K., Canada and a few other countries have also been warning healthcare entities about a surge in hacker attacks.
In July, government officials in the U.S., U.K. and Canada issued a joint advisory warning that the Russian hacking group APT29 - also known as "Cozy Bear" and the "Dukes" - was targeting research organizations involved in COVID-19 vaccine development (see: US, UK, Canada Warn of Russian Hackers Targeting COVID-19 Research).
Also, the FBI and the U.S. Cybersecurity and Infrastructure Security Agency last month issued warnings to hospitals about a fresh wave of Ryuk ransomware attacks (see: US Hospitals Warned of Fresh Wave of Ransomware Attacks).
A Helping Hand
Some U.S. healthcare industry groups are stepping up to assist organizations in dealing with the latest threats.
H-ISAC is providing members automated sharing of indicators of compromise; tactics, techniques and procedures; mitigations and countermeasures, says Errol Weiss, H-ISAC's CSO.
"Health-ISAC members are actively sharing threat indicators and incident details so other members can understand how these attacks can impact their organizations and ultimately use all of this shared information to enable improved defenses," he notes.
The Health Sector Coordinating Council is also offering resources that organizations can use to improve their security and better protect their intellectual property, says HSCC Executive Director Greg Garcia. That includes the Health Industry Cybersecurity Protection of Innovation Capital guidance.
Microsoft notes that company president Brad Smith, who is participating in the Paris Peace Forum, is urging governments to do more to address the latest cyberthreats facing the global healthcare sector.
"Microsoft is calling on the world's leaders to affirm that international law protects healthcare facilities and to take action to enforce the law," the company says.
"We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate - or even facilitate - within their borders. This is criminal activity that cannot be tolerated."
Coleman of the National Cyber Security Alliance notes that healthcare organizations need to develop effective defensive strategies.
"As complex and high-tech as some of the methodologies we hear about nation-state or APT groups using - like password spraying and brute force login attempts - [those] can actually be deterred by rather low-tech countermeasures like ensuring that entities keep all sensitive material protected using combination alphanumeric passwords," he says.
Password spraying, for example, relies on being able to crack an account by spamming the same password to multiple accounts within an organization to exploit any individuals using weaker or all-too-common password combinations, he says.
"Research facilities need to make sure that personnel are trained on proper account protection protocols," Coleman says. "Simple housekeeping items like multifactor authentication for logging onto endpoints, alphanumeric passphrases, updated firewalls and antivirus software, along with some basic file level encryption measures can help deter these sort of brute force attacks," Coleman says.