Sometimes, I hate to be proven right. But on July 10, I contributed an article to Homeland Security Today questioning whether healthcare researchers and U.S. hospitals were adequately prepared to fend off a cyberattack. Then last week happened.
Last Thursday, intelligence agencies in the U.S., U.K., and Canada released a joint statement accusing the Russian hacker group APT29 of attacking Western institutions in an attempt to steal data on COVID-19 vaccine and treatment research. One of APT29’s malware tools, code-named WellMess, gives the attackers remote access to the computers it infects. It was reportedly found within multiple U.S. pharmaceutical companies.
State-sponsored cyberattacks with the goal of intellectual property (IP) theft aren’t new. China has been accused of such activities for years, across numerous verticals. The highly collaborative nature of medical research makes institutions in this sector particularly vulnerable. The culture of open dialogue that promotes scientific progress doesn’t always mesh well with tight security. And compliance with oversight bodies doesn’t necessarily make a research group more secure.
The American Hospital Association issued an alert last year warning about the potential threat that state-sponsored cyberattacks pose to healthcare organizations. It should come as no surprise that COVID-19 has amped up the likelihood of such an attack. The prospective economic benefits of developing a vaccine or cure for this global pandemic—and thus mitigating the devastating financial crisis—have set unprecedented stakes for accessing vaccine-related IP. At the same time, such IP theft has become easier, because the vast expansion of work-from-home policies has created attack vectors that didn’t exist prior to COVID-19.
Britain’s National Cyber Security Centre (NCSC) warned: “APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic.”
Last week also saw a large-scale social media attack, in which hackers co-opted the Twitter accounts of dozens of high-profile people. The goal was to scam the accounts’ millions of followers out of cryptocurrency, and it worked. Within the first 24 hours, the attackers took in about $117,000 worth of bitcoin through the scheme.
The Twitter hack does not appear to have been the work of a malicious nation-state, but rather a social engineering attack on employees, through which attackers used Twitter admin tools to hijack the affected accounts. Still, this was a very public example of a tech company losing the equivalent of its crown jewels—user confidence in the integrity of its product. It was especially troubling because Twitter has become vital to some nations’ information infrastructure, a platform through which leaders speak directly to their constituents. In a time when many people around the world distrust the media, this attack may undermine confidence in any information source.
What to Do
A week like last week leaves security teams at all kinds of organizations scratching their heads and biting their nails. Whether hackers want to steal corporate IP, co-opt an executive’s social media presence for financial gain, or pursue any other malicious objective, effective defense requires that security teams take several actions:
- Research recent attacks and discover common vulnerabilities among organizations similar to their own.
- Understand how COVID-19–related shifts in the work environment, such as an increase in the number of remote employees, affect an organization’s security posture.
- Consider whether their business is a particular target. Does it provide easy access to millions of potential fraud victims (as Twitter does)? Is it doing critical work, such as vaccine research, that might make its IP more desirable in these times?
- Evaluate whether mounting global economic pressures, or other anticipated trends and events, might increase the organization’s profile and attractiveness as a potential target of attacks.
- Assess whether their organization would be resilient in the face of an attack.
- Track whether regulators in their sector are expanding testing and validation requirements, and plan to meet them before they become mandatory.
However likely or unlikely an attack on the organization seems, and however lucrative or mundane its IP and other assets appear, cybersecurity needs to be a priority. The volatile business and economic climate has created large-scale incentives for IP theft around the world. Healthcare businesses may be the most obvious targets, but no industry is safe.
The importance of security testing
APT29 has been using the same tactics for years. Its playbook still works, and that says a lot about the level of preparation and response within the security community. It’s crucial for organizations not only to invest in security controls, but to test and validate that those controls actually work against the techniques adversaries use. The Twitter hack and the uptick in healthcare-related attacks make that clear.
In April AttackIQ announced our new APT29 emulation plan, which tests and validates security controls by running automated emulations of APT29’s tactics, techniques, and procedures against an organization’s defenses. APT29 also matters in advance of the election, as recent news indicates, because the Russian government has shown a willingness to target social media and political organizations to disrupt American democracy. Retrospective “what if” questions are rarely helpful, but it is worth asking whether the affected U.S. pharmaceutical companies or Twitter could have uncovered their security gaps through routine security control testing. The more important question for security professionals is whether they have a means of uncovering their own.
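To make the idea of control validation concrete, the following is an added example (not code from AttackIQ’s emulation plan or platform, and not part of the original article). It models the smallest useful version of the loop: each emulation represents one automated adversary technique and the telemetry a sensor would record while it runs; each rule represents one detection the organization believes it has. The harness runs every rule over every emulation’s telemetry and reports which techniques went undetected, distinguishing a technique nobody wrote a rule for from a technique whose rule exists on paper but never fired. The ATT&CK technique IDs are real; the telemetry lines, rule names and regex patterns are constructed for illustration and are assumptions of this example, not a description of APT29’s actual tooling.

```python
"""Minimal security-control validation harness (added example, not AttackIQ code).

Each Emulation stands in for one automated adversary emulation: the ATT&CK
technique it exercises and the telemetry a sensor would record while it runs.
Each Rule stands in for one detection. The harness runs every rule over every
emulation's telemetry and reports which techniques went undetected, and whether
that is because no rule covers the technique or because a rule exists but did
not fire. All events, rule names and patterns below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Emulation:
    technique: str            # ATT&CK technique ID the emulation exercises
    name: str
    events: Tuple[str, ...]   # constructed telemetry lines the emulation produces


@dataclass(frozen=True)
class Rule:
    name: str
    technique: str            # ATT&CK technique ID the rule claims to cover
    pattern: str              # regex applied to each telemetry line


# Constructed telemetry: real technique IDs, illustrative command lines.
EMULATIONS = (
    Emulation("T1059.001", "PowerShell, encoded command", (
        'ProcessCreate Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe '
        'CommandLine="powershell.exe -nop -w hidden -enc SQBFAFgAIAAoACIAdABlAHMAdAAiACkA"',
    )),
    Emulation("T1053.005", "Scheduled task persistence", (
        'ProcessCreate Image=C:\\Windows\\System32\\schtasks.exe '
        'CommandLine="schtasks.exe /create /sc minute /mo 15 /tn Updater /tr C:\\Users\\Public\\u.exe"',
    )),
    Emulation("T1003.001", "LSASS memory access", (
        'ProcessAccess SourceImage=C:\\Users\\Public\\dump.exe '
        'TargetImage=C:\\Windows\\System32\\lsass.exe GrantedAccess=0x1010',
    )),
    Emulation("T1071.001", "HTTP command and control", (
        'NetworkConnect Image=C:\\Users\\Public\\u.exe DestinationPort=443 '
        'DestinationHostname=updates.example.invalid',
    )),
)

RULES = (
    # Claims to cover T1059.001 but only matches the long-form switch; the
    # emulation uses the abbreviated "-enc", so this rule never fires.
    Rule("PowerShell encoded command", "T1059.001",
         r"powershell\.exe.*\s-EncodedCommand\s"),
    Rule("Scheduled task created from command line", "T1053.005",
         r"schtasks(\.exe)?\s+/create\b"),
    Rule("Process opened a handle to LSASS", "T1003.001",
         r"ProcessAccess .*TargetImage=.*\\lsass\.exe"),
    # No rule at all for T1071.001.
)


def run_validation(emulations=EMULATIONS, rules=RULES) -> Dict[str, List[str]]:
    """Return {technique: sorted names of rules that fired on its telemetry}."""
    results: Dict[str, List[str]] = {}
    for emu in emulations:
        fired = {
            rule.name
            for rule in rules
            for event in emu.events
            if re.search(rule.pattern, event, re.IGNORECASE)
        }
        results[emu.technique] = sorted(fired)
    return results


def coverage_gaps(results: Dict[str, List[str]], rules=RULES) -> Dict[str, str]:
    """Classify each undetected technique: no rule exists, or a rule exists but did not fire."""
    claimed = {rule.technique for rule in rules}
    gaps: Dict[str, str] = {}
    for technique, fired in results.items():
        if fired:
            continue
        gaps[technique] = "rule exists but did not fire" if technique in claimed else "no rule"
    return gaps


if __name__ == "__main__":
    res = run_validation()
    for technique, fired in res.items():
        print(f"{technique}: {'DETECTED by ' + ', '.join(fired) if fired else 'NOT DETECTED'}")
    for technique, reason in coverage_gaps(res).items():
        print(f"gap {technique}: {reason}")
```

Run as-is, the harness shows two detections working and two gaps. The T1071.001 gap is the obvious kind (nothing was ever written for it). The T1059.001 gap is the kind that only surfaces through testing: a rule is deployed, the team believes the technique is covered, and it still does not fire because the emulated command line uses an abbreviation the pattern never anticipated. That second category is the one routine control validation exists to find.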
How secure is your security? How likely is your organization to end up making headlines? Testing can help you find and fix gaps in your defenses before it’s too late.