In a non-public online meeting hosted by the Aspen Institute, FBI Deputy Assistant Director Tonya Ugoretz informed those present that the FBI has detected state-backed hackers targeting U.S. healthcare and research entities working on the COVID-19 pandemic.
She noted, according to Reuters, “We certainly have seen reconnaissance activity, and some intrusions, into some of those institutions, especially those that have publicly identified themselves as working on COVID-related research.”
In late March, the Canadian Communications Security Establishment (CSE), the equivalent of the U.S. National Security Agency, warned Canada’s COVID-19 researchers to lock down their data. In its alert, the CSE noted:
The Cyber Centre assesses that the COVID-19 pandemic presents an elevated level of risk to the cyber security of Canadian health organizations involved in the national response to the pandemic. The Cyber Centre therefore recommends that these organizations remain vigilant and take the time to ensure that they are engaged in cyber defense best practices, including increased monitoring of network logs, reminding employees to practice phishing awareness and ensuring that servers and critical systems are patched for all known security vulnerabilities.
Sophisticated threat actors may attempt to steal the intellectual property (IP) of organizations engaged in research and development related to COVID-19, or sensitive data related to Canada’s response to COVID-19.
While the FBI has chosen not to make its counterintelligence admonishment and warning public, it has issued multiple alerts concerning criminal activity surrounding COVID-19. A review of the National Counterintelligence and Security Center’s public output finds it equally silent on the national security threat posed by nation-state activity.
We know from global media reports that ransomware attacks on hospitals and research entities continue, and that there has been no diminishing of efforts to steal intellectual property or conduct cyber intrusions.
One example is California firm 10x Genomics, which is actively involved in COVID-19 research. In March 2020 it faced an “attempted ransomware attack, which involved the theft of certain company data,” according to the company’s SEC Form 8-K filing. The company was able to mitigate the attack and return to normal operations.
The willingness to attack those seeking a COVID-19 solution is further evidenced by the attempt to compromise the World Health Organization (WHO). In March 2020 Blackstone Law Group’s Alexander Urbelis discovered a live attack on the WHO that attempted to get individuals to log in to a fake site resembling WHO’s email portal. The effort was designed to steal email credentials for later exploitation. Urbelis advises that the threat was neutralized.
Also in March 2020, FireEye researchers unraveled China’s activities designed to compromise and penetrate the information technology infrastructure of the United States and many other countries (Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Philippines, Poland, Qatar, Saudi Arabia, Singapore, Sweden, Switzerland, UAE, and the UK).
By digging into national infrastructure, China cements its ability to target the U.S. and global entities working to mitigate COVID-19.
The warning out of Canada is clear:
“These actors may attempt to gain intelligence on COVID-19 response efforts and potential political responses to the crisis or to steal ongoing key research towards a vaccine or other medical remedies, or other topics of interest to the threat actor. Organizations should exercise increased monitoring in order to detect attempted compromises by sophisticated threat actors.”
The message is clear. Entities involved in COVID-19 response or research no longer need to think of attacks on their cyber infrastructure as hypothetical; the attacks are occurring.
As we often admonish, your entity doesn’t get to decide whether it is targeted or attacked; you only get to decide how you prevent or respond to the attack.