Criminals and Nation-State Cyber Actors Conducting Widespread Pursuit of US Biological and COVID-19 Related Research
Alert ID c8b94728
TLP:WHITE. Subject to standard copyright rules.
On May 21, 2020, the Federal Bureau of Investigation (FBI) issued a PIN (20200521-001) regarding COVID-19-related research. Since February 2020, criminal and nation-state cyber actors have increasingly targeted US pharmaceutical, medical, and biological research facilities to acquire or manipulate sensitive information, including COVID-19 vaccine and treatment research, amid the evolving global pandemic.
The US Healthcare and Public Health Sector (HPH), including pharmaceutical and medical companies, has been a common target of malicious cyber activity even prior to the pandemic. This notification seeks to raise awareness in the HPH sector by highlighting the current threat and cyber tactics used by our adversaries.
Analysis:
Cyber-enabled criminal and state actors continue to target US clinical trials data, personally identifiable information (PII), protected health information (PHI), trade secrets, the means of producing critical HPH goods, and the sensitive data and proprietary research of US universities and research facilities. Likely because of the current global public health crisis, the FBI has observed some nation-states shifting cyber resources to collect against the HPH sector, while criminals target the same entities for financial gain. The FBI has observed malicious actors successfully compromising US victim networks through social engineering, compromised email accounts, and the exploitation of common vulnerabilities in connected devices and Internet of Things (IoT) equipment used in laboratories.
The scale and urgency of the COVID-19 health crisis exacerbates the threat against the HPH sector in two ways:
– As entities focus on meeting urgent demands for research and product development, neglect of basic cyber security practices (patching, credential hygiene, monitoring) may compound existing known vulnerabilities.
– Nation-state cyber actors are targeting COVID-19-related research as many foreign governments seek to accelerate their own R&D processes and clinical trials. The compromise of US research and sensitive data undermines the effectiveness of US pharmaceutical, medical, and biological companies and harms US response efforts for health crises, including the pandemic.
Adversaries are using network intrusions to target a wide range of US-based entities with access to research, including:
– academic institutions
– biological facilities
– bioscience industries
– medical facilities
– medical device manufacturers
– pharmaceutical facilities
– scientific collaborations
– university laboratories
The following examples illustrate targeting of the HPH sector observed by the FBI since February 2020.
– An identified healthcare-related company notified the FBI of suspected Advanced Persistent Threat (APT) activity on its network. The threat actors exploited a Confluence server vulnerability to install a backdoor on a Windows server; the backdoor was identified by its beacon activity to a Command and Control (C2) IP address. The threat actors then used a valid domain administrator account to move laterally within the network. After containment, the actors were observed unsuccessfully attempting to regain access through the same initial critical vulnerability.
– An identified US university reported an attempted intrusion into its computer network. The university received thousands of authentication requests against its hybrid Exchange servers. The attackers unsuccessfully attempted to reuse account credentials, likely acquired in a previous known breach.
– Likely nation-state cyber actors conducted a multi-month campaign against multiple external-facing devices (primarily Juniper VPN endpoints and Citrix devices) of an identified US research entity. The actors authenticated with legitimate credentials through the VPN access controls. When defensive measures were taken, the actors made extensive attempts to regain access to the network. The actors conducted their activity predominantly during the evening and early morning, US time.
– A biological research facility experienced a ransomware attack that encrypted its data. The facility was able to restore most of the encrypted data with backups and paper records.
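The three 2020 intrusions above leave distinct traces in ordinary logs: a backdoor beaconing to a C2 address at a near-constant interval, a burst of failed logins across many accounts against an Exchange endpoint, and VPN sessions from valid credentials clustered outside US working hours. The following detection sketch is an added example written for this page, not FBI code or data: the firewall, authentication and VPN records are constructed, the hostnames and addresses are placeholders, and timestamps are assumed to already be in US Eastern local time.

```python
"""Detection sketches for three behaviours described in the PIN: periodic
C2 beaconing from a compromised server, bulk authentication attempts with
replayed credentials against a mail endpoint, and VPN logins clustered
outside US business hours. All records are constructed for illustration."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: timestamps are ISO 8601 and already in US Eastern local time.
def parse(ts):
    return datetime.fromisoformat(ts)

# Outbound connections (ts, src_host, dst_ip): a server that calls the same
# address roughly every 60 s, plus a workstation with irregular browsing.
EGRESS = [
    ("2020-03-02T09:00:00", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:01:01", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:02:00", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:02:59", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:04:01", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:05:00", "WIN-SRV01", "203.0.113.7"),
    ("2020-03-02T09:00:05", "WS-22", "198.51.100.10"),
    ("2020-03-02T09:07:40", "WS-22", "198.51.100.10"),
    ("2020-03-02T09:08:02", "WS-22", "198.51.100.10"),
    ("2020-03-02T09:31:15", "WS-22", "198.51.100.10"),
    ("2020-03-02T10:12:44", "WS-22", "198.51.100.10"),
    ("2020-03-02T10:12:50", "WS-22", "198.51.100.10"),
]

def find_beacons(records, min_hits=5, max_jitter=0.15):
    """Return [((src, dst), mean_interval_s)] for pairs whose connection
    intervals are near-constant. Jitter is pstdev/mean of the gaps; human
    traffic has a large spread, a timer-driven implant does not."""
    by_pair = defaultdict(list)
    for ts, src, dst in records:
        by_pair[(src, dst)].append(parse(ts))
    flagged = []
    for pair, times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            flagged.append((pair, round(avg)))
    return flagged

# Authentication events (ts, target, user, success): ten different accounts
# fail within ten minutes at 02:00, then one ordinary user mistypes twice.
AUTH = [
    (f"2020-03-02T02:{10 + i:02d}:00", "mail.example.edu", f"user{i:02d}", False)
    for i in range(10)
] + [
    ("2020-03-02T08:00:00", "mail.example.edu", "jdoe", False),
    ("2020-03-02T08:00:30", "mail.example.edu", "jdoe", False),
    ("2020-03-02T08:01:00", "mail.example.edu", "jdoe", True),
]

def find_credential_replay(events, window_s=600, min_fail=8, min_users=5):
    """Return {target: distinct_users} for targets that receive many failed
    logins across many distinct accounts inside a sliding window. A single
    user locking themselves out never trips the distinct-user threshold."""
    by_target = defaultdict(list)
    for ts, target, user, ok in events:
        if not ok:
            by_target[target].append((parse(ts), user))
    flagged = {}
    for target, fails in by_target.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while (fails[end][0] - fails[start][0]).total_seconds() > window_s:
                start += 1
            window = fails[start:end + 1]
            users = {u for _, u in window}
            if len(window) >= min_fail and len(users) >= min_users:
                flagged[target] = max(flagged.get(target, 0), len(users))
    return flagged

# Successful VPN logins (ts, user, src_ip).
VPN = [
    ("2020-03-01T23:40:00", "rsmith", "192.0.2.44"),
    ("2020-03-02T02:15:00", "rsmith", "192.0.2.44"),
    ("2020-03-02T04:05:00", "rsmith", "192.0.2.44"),
    ("2020-03-02T10:30:00", "akim", "192.0.2.91"),
]

def off_hours_logins(events, start_hour=7, end_hour=19):
    """Return logins whose local hour falls outside [start_hour, end_hour)."""
    return [(u, ip, ts) for ts, u, ip in events
            if not start_hour <= parse(ts).hour < end_hour]

if __name__ == "__main__":
    print(find_beacons(EGRESS))
    print(find_credential_replay(AUTH))
    print(off_hours_logins(VPN))
```

The thresholds are starting points, not tuned values: legitimate software updaters also beacon on a timer, so beacon hits should be checked against destination reputation and process ancestry, and a credential-replay alert is most urgent when a success appears inside the flagged window (user03 at 02:13 in the constructed data), since that account is now in the attacker's hands. Off-hours logins from valid credentials are only meaningful against a per-user baseline; the point of the third check is that the PIN's actors worked US evenings and early mornings precisely because fewer defenders were watching.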
The following examples illustrate targeting of the HPH sector prior to this year.
– In mid-2019, an unidentified actor used social engineering, impersonating an employee, to gain access to an identified university's Biosafety Level (BSL) 3 facility. The actor attempted to reset the victim employee's password and phone number in order to bypass two-factor authentication. The actor successfully gained access to the victim employee's account before the university changed the password.
– In early 2019, a US-based DNA sequencing company's email account was compromised by unidentified actors. The actors impersonated company employees and sent emails to individuals associated with the company requesting money transfers.
– In early 2019, an unidentified actor gained unauthorized access to a pharmacy’s network and successfully escalated their network privileges; however, they were unsuccessful in attempts to access medical records and PII.
– In late 2018, a separate US BSL-3 laboratory reported that an unidentified actor attempted to gain access to its networks by compromising a laboratory printer.