Cybercriminals unleash diverse wave of attacks on COVID-19 vaccine researchers

As multiple companies inch closer to a potentially life-saving vaccine for the coronavirus, cybercriminals with varying motives have increased attacks.

Scientific covid-19 virus antibody sample in laboratory research experiment biotech make cultivate vaccine against virus. Scientist look at microscope, science test tube analyse Chemistry laboratory

Image: howtogoto, Getty Images/iStockphoto

Governments, companies and educational institutions around the world have banded together to come up with a vaccine or treatment for COVID-19. But efforts to collectively come up with a cure have been undermined by a diverse array of cyberattacks from government actors looking to outright steal information about potential vaccines.

SEE: Coronavirus: Critical IT policies and tools every business needs (TechRepublic Premium)

Over the last three months, there have been multiple reported government-led cyberattacks on COVID-19 research teams and facilities, between adversaries and allies. 

The FBI and the Cybersecurity and Infrastructure Security Agency caused waves in May when they outright accused China of spearheading multiple attacks in search of COVID-19 research but since then a number of reports have come out showing the problem is far more widespread. 

Vietnamese hackers went after China's Ministry of Emergency Management and Wuhan officials looking for more information on potential COVID-19 treatments, while Iranian cyberteams were caught trying to digitally break into Gilead Sciences, maker of the therapeutic drug Remdesivir, which was recently given the green light by the Food and Drug Administration for clinical trials.

SEE: Life after lockdown: Your office job will never be the same--here's what to expect (cover story PDF) (TechRepublic)

Google released a report highlighting the growth in attacks that healthcare organizations were facing by governments looking for cures. Organizations like the World Health Organization (WHO) and the Centers for Disease Control and Prevention (CDC) are seeing fivefold increases in cyberattacks coming from places like South Korea and teams across South America.   

A European biotech source for Reuters told the news outlet that many of the companies working on COVID-19 vaccines, cures and treatments are now forced to work on air-gapped computers without access to the internet to protect the research. 

During a webinar with CISO MAG earlier this month, Bryan Ware, assistant director for the US Cybersecurity and Infrastructure Security Agency (CISA) said the attacks being led by the Chinese government were "hindering vaccine development in the US," and the government body released its own memo to vaccine researchers urging them to beef up defenses. 

"APT (Advanced persistent threat) groups frequently target such organizations in order to steal sensitive research data and intellectual property for commercial and state benefit. Organizations involved in COVID-19-related research are attractive targets for APT actors looking to obtain information for their domestic research efforts into COVID-19-related medicine," the government agency reported in a joint alert with the United Kingdom's National Cyber Security Centre.

"These organizations' global reach and international supply chains increase exposure to malicious cyber actors. Actors view supply chains as a weak link that they can exploit to obtain access to better-protected targets. Many supply chain elements have also been affected by the shift to remote working and the new vulnerabilities that have resulted." 

SEE: Cybersecurity: Let's get tactical (free PDF) (TechRepublic)

The release adds that multiple government cyberattackers have been caught looking at the external websites of targeted companies and looking for vulnerabilities in unpatched software, specifically a vulnerability with Citrix and others with virtual private network (VPN) products. 

Chris Pierson, who spent nine years on the Data Privacy and Integrity Advisory Committee & Cybersecurity Subcommittee at the Department of Homeland Security, said his cybersecurity company BlackCloak has onboarded several different corporate executive groups that are in the pharmaceutical and healthcare fields in the past four weeks because of the amount of attacks they've been getting.

"We've already equaled or exceeded last year's numbers in terms of attacks. I only think it's going to get worse. It's such a hot area. If you think about it, the amount of research and development money that is being spent by the pharmaceutical industry right now is probably at an all-time high to rush to a vaccine or a treatment or some type of therapy that will lessen the impacts of COVID-19. Literally lives are on the line," Pierson said.

"This is a fertile hunting ground for nation-states to be able to use and steal the IP and R&D from these companies and use it themselves, potentially to beat another company to the solution. With so many folks so strained as a result of COVID-19 remote work, there is a higher chance for there to be a weakening in cyberdefenses." 

Pierson noted that now is a perfect time for cyberattackers to hit companies because the workforce is distributed, giving them a wider attack surface. 

This has created a two-fold problem for researchers, scientists, and healthcare executives because state actors can now infiltrate home networks through the devices of family members or children. Pierson explained that BlackCloak conducted research that showed 68% of the top executives from the main 20-30 pharmaceutical companies already have credentials exposed on the dark web from other data breaches. A number of the credentials included emails and passwords coming from a LinkedIn breach in 2015.

SEE: Zero trust security: A cheat sheet (free PDF) (TechRepublic)

Pierson noted that most executives reused the same passwords over years in both personal and work accounts. 

Mick Jenkins, CISO of Brunel University in the United Kingdom, said it was difficult for organizations to know what kind of cyber defense was necessary because each institution had a different level of maturity in terms of security. 

Jenkins previously worked for the UK government and said there are "battalions of people" working on hacking COVID-19 research institutions and vaccine researchers. These groups start by looking at the easiest way into organizations by looking through all the people that work there.

Once they have a few targets, they may decide to try phishing emails or an "RDP" as well as password spraying before trying to move laterally within the organization.

"They're harvesting usernames, email addresses, and passwords from prior breaches. They may have your Gmail username and password, and they're going to try to figure out your work email address and automate the spray of that against a public website, VPN or an email," said Steve Moore, chief security strategist at cybersecurity company Exabeam.  

"They're going to see if those commonly used passwords work. If I were in charge, I would want  to monitor the use of credentials both on the edge and internal to my company, so credential behavior. Anything that just has a username and password only will be stolen and reused. If it doesn't have some other factor to it, ideally adaptive authentication, it's no good."

In the academic sector, the level of cybersecurity varied greatly but Jenkins said the current climate was a perfect example of why now more than ever, people should understand that cybersecurity comes down to every COVID-19 researcher, doctor, and consultant.

SEE: Security expert weighs in on cybersecurity regulation and ransomware attacks of US cities (TechRepublic)

"The stakes are high here across the globe, and we know everyone is looking for an advantage with a vaccine, including the big players in espionage like Russia, Iran, China, and North Korea. Organizations need to have security briefings so people know that if they get contacted, they should report it," Jenkins said. "They also need compartmentalized portals where access control is very rigorous. The research data that is being generated should be protected in a safe data haven through various different cyber techniques but access control needs to be rigorous." 

Governments are also doing their part, providing in-depth cybersecurity guidance to universities, pharmaceutical companies, and research institutions for their work on sensitive topics like COVID-19.

Moore said the number of phishing emails they are seeing have risen significantly in healthcare companies.  

"Many countries are doing this because they all need an edge. Is there a treatment method that's better? Is a saliva or nasal swab better? What's the data say? All of these countries want a head start," he said. "This is the first-world event we've had that is affecting everyone, so the stakes are high."

A number of cybersecurity experts said the increase in attacks related to COVID-19 research was an indicator that digital security now needed to take a prominent role in how all organizations build. 

Cybersecurity teams need to be adaptive and responsive to threats while also managing detection and mitigation, according to Joe McMann, North America Cyberstrategy lead for technology consulting firm Capgemini.

Every university and healthcare organization should have a firm understanding of every asset, where it is, and what is being done to protect it, McMann added. As noted by the FBI and CISA, patching, access management and multi-factor authentication were all extremely important. 

Jenkins added that organizations need to have a platform that utilizes artificial intelligence (AI) and automation while giving visibility across an entire environment. Anyone working with high-value data should be operating in a zero-trust environment, he said. 

Moore added that companies should know what their time-to-answer is for their cybersecurity teams because you may be able to mitigate the problem depending on how fast you can contain an attack. Automation is also key because there are generally too many threats for people to handle.

"What has happened is the overall activity has increased. That's normal with any significant world event, but the status in the world of pharmaceutical or medical research has changed a bit," McMann said. "They've always been a piece of the critical infrastructure and always fulfilled an important role in society but right now it's heightened, so the risk they face has shifted."

Also see