Feeds

Cyberspies send ZOMBIES to steal DRUGS from medical research firms

They're flinging RATs at us too, say US spooks

The Essential Guide to IT Transformation

Cyber-espionage crews have been targeting the lucrative medical and life science industries using custom malware and spear-phishing, according to new research.

According to a current US counterintelligence report which it delivered to US Congress, healthcare services and medical equipment are expected to be two of the five fastest-growing international investment sectors, with the US among the leading nations worldwide. Multi-billion dollar lifesaving research is being put at risk as cyberspies attempt to crack life science firms' security.

The counterintelligence gov bods said the massive research and development costs for new drugs and techniques as well as the growing need for medical care by ageing populations in China, Russia, and elsewhere were creating a fertile breeding ground for industrial espionage.

Security intelligence firm Cyber Squared said that at least three distinct groups have targeted the industry for more than two years since 2010. It has posted a blog post exposing some of the techniques and tradecraft of cyberspies targeting the life science sector. A single drug can cost up to $1bn to develop, the security bods note.

In the first attack discussed by Cyber Squared, a China-based group used a zero-day Internet Explorer (IE) zero day exploit in October 2012 to get at the life sciences firms assets. Three malicious websites hosting these exploits were established and subsequently used within targeted spear-phishing campaigns or within targeted drive-by download attacks, said the researchers.

"The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research," a blog post by Cyber Squared explains.

When RATs, Trojans and zombies attack

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iFrame redirecting users to the IE zero day exploit. BioDuro is Beijing-based life science research firm. Compromised machines were subsequently infected with a variant of Destroy Remote Access Trojan (RAT), which is also known as Thoper-B or Sogu.

The firm also cited a second attack by a cyberspying menace, first reported on by security tools firm AlienVault in July 2012. It used a variant of the Sykipot malware to create an extensive botnet. The zombie network featured more than 30 additional command-and-control domains and three email addressees, analysts from Cyber Squared discovered. After analysing the infrastructure used by the perpetrators of Sykipot, Cyber Squared concluded that the botmasters behind the network were targeting the medical industry.

One of the 30 domains registered by the Sykipot bad guys is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.

Another Sykipot command-and-control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT), a southern California-based charitable organisation, said the researchers.

A third attack last summer featured a Chinese hacking group (also known as “VOHO”) using a drive-by download campaign. The attack was targeted against victims within business and local governments in Washington, DC and Boston, Massachusetts, as well as organisations involved the development and promotion of the democratic process in non-permissive regions.

The attackers used the Gh0st RAT to control compromised machines.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical website "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities.

Cyber Squared was able to identify that the attackers also abused the domain "nih-gov.darktech[.]org” run by the National Institute of Health (NIH) as part of the command-and-control infrastructure of the cyber-espionage operation.

"The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real," Rich Barger, chief intelligence officer at Cyber Squared, and a former US Army intelligence analyst. "The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs."

Organisations within the sector need to wake up to the threat and take steps to guard against intellectual property loss and disruptions to business operations, Barger warned.

The Obama administration's strategy for combating the theft of US trade secrets, unveiled last month, listed industrial espionage as one of sectors likely to experience fast growth, and cited healthcare, pharmaceuticals and clean energy as prime targets for the web spies.

However, more attention has arguably been paid to attempts to steal the blueprints of information and communications technology; military technologies (particularly marine systems and drones - unmanned aerial vehicles); other aerospace technologies; and information about natural resources (including oil and gas). Cyber Squared's report is therefore noteworthy in highlighting an under-reported risk.

All of the Advanced Persistent Threat examples put together by Cyber Squared were compiled and shared under the “Medical Threats Blog” within the ThreatConnect community. ThreatConnect.com is a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers as well as medical research and life sciences organisations. The exchange - run by Cyber Squared and akin to a neighbourhood watch scheme - collects, analyses and shares threat intelligence. ®

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.