Feeds

Cyberspies send ZOMBIES to steal DRUGS from medical research firms

They're flinging RATs at us too, say US spooks

Choosing a cloud hosting partner with confidence

Cyber-espionage crews have been targeting the lucrative medical and life science industries using custom malware and spear-phishing, according to new research.

According to a current US counterintelligence report which it delivered to US Congress, healthcare services and medical equipment are expected to be two of the five fastest-growing international investment sectors, with the US among the leading nations worldwide. Multi-billion dollar lifesaving research is being put at risk as cyberspies attempt to crack life science firms' security.

The counterintelligence gov bods said the massive research and development costs for new drugs and techniques as well as the growing need for medical care by ageing populations in China, Russia, and elsewhere were creating a fertile breeding ground for industrial espionage.

Security intelligence firm Cyber Squared said that at least three distinct groups have targeted the industry for more than two years since 2010. It has posted a blog post exposing some of the techniques and tradecraft of cyberspies targeting the life science sector. A single drug can cost up to $1bn to develop, the security bods note.

In the first attack discussed by Cyber Squared, a China-based group used a zero-day Internet Explorer (IE) zero day exploit in October 2012 to get at the life sciences firms assets. Three malicious websites hosting these exploits were established and subsequently used within targeted spear-phishing campaigns or within targeted drive-by download attacks, said the researchers.

"The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research," a blog post by Cyber Squared explains.

When RATs, Trojans and zombies attack

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iFrame redirecting users to the IE zero day exploit. BioDuro is Beijing-based life science research firm. Compromised machines were subsequently infected with a variant of Destroy Remote Access Trojan (RAT), which is also known as Thoper-B or Sogu.

The firm also cited a second attack by a cyberspying menace, first reported on by security tools firm AlienVault in July 2012. It used a variant of the Sykipot malware to create an extensive botnet. The zombie network featured more than 30 additional command-and-control domains and three email addressees, analysts from Cyber Squared discovered. After analysing the infrastructure used by the perpetrators of Sykipot, Cyber Squared concluded that the botmasters behind the network were targeting the medical industry.

One of the 30 domains registered by the Sykipot bad guys is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.

Another Sykipot command-and-control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT), a southern California-based charitable organisation, said the researchers.

A third attack last summer featured a Chinese hacking group (also known as “VOHO”) using a drive-by download campaign. The attack was targeted against victims within business and local governments in Washington, DC and Boston, Massachusetts, as well as organisations involved the development and promotion of the democratic process in non-permissive regions.

The attackers used the Gh0st RAT to control compromised machines.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical website "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities.

Cyber Squared was able to identify that the attackers also abused the domain "nih-gov.darktech[.]org” run by the National Institute of Health (NIH) as part of the command-and-control infrastructure of the cyber-espionage operation.

"The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real," Rich Barger, chief intelligence officer at Cyber Squared, and a former US Army intelligence analyst. "The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs."

Organisations within the sector need to wake up to the threat and take steps to guard against intellectual property loss and disruptions to business operations, Barger warned.

The Obama administration's strategy for combating the theft of US trade secrets, unveiled last month, listed industrial espionage as one of sectors likely to experience fast growth, and cited healthcare, pharmaceuticals and clean energy as prime targets for the web spies.

However, more attention has arguably been paid to attempts to steal the blueprints of information and communications technology; military technologies (particularly marine systems and drones - unmanned aerial vehicles); other aerospace technologies; and information about natural resources (including oil and gas). Cyber Squared's report is therefore noteworthy in highlighting an under-reported risk.

All of the Advanced Persistent Threat examples put together by Cyber Squared were compiled and shared under the “Medical Threats Blog” within the ThreatConnect community. ThreatConnect.com is a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers as well as medical research and life sciences organisations. The exchange - run by Cyber Squared and akin to a neighbourhood watch scheme - collects, analyses and shares threat intelligence. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.