Feeds

Cyberspies send ZOMBIES to steal DRUGS from medical research firms

They're flinging RATs at us too, say US spooks

SANS - Survey on application security programs

Cyber-espionage crews have been targeting the lucrative medical and life science industries using custom malware and spear-phishing, according to new research.

According to a current US counterintelligence report which it delivered to US Congress, healthcare services and medical equipment are expected to be two of the five fastest-growing international investment sectors, with the US among the leading nations worldwide. Multi-billion dollar lifesaving research is being put at risk as cyberspies attempt to crack life science firms' security.

The counterintelligence gov bods said the massive research and development costs for new drugs and techniques as well as the growing need for medical care by ageing populations in China, Russia, and elsewhere were creating a fertile breeding ground for industrial espionage.

Security intelligence firm Cyber Squared said that at least three distinct groups have targeted the industry for more than two years since 2010. It has posted a blog post exposing some of the techniques and tradecraft of cyberspies targeting the life science sector. A single drug can cost up to $1bn to develop, the security bods note.

In the first attack discussed by Cyber Squared, a China-based group used a zero-day Internet Explorer (IE) zero day exploit in October 2012 to get at the life sciences firms assets. Three malicious websites hosting these exploits were established and subsequently used within targeted spear-phishing campaigns or within targeted drive-by download attacks, said the researchers.

"The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research," a blog post by Cyber Squared explains.

When RATs, Trojans and zombies attack

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iFrame redirecting users to the IE zero day exploit. BioDuro is Beijing-based life science research firm. Compromised machines were subsequently infected with a variant of Destroy Remote Access Trojan (RAT), which is also known as Thoper-B or Sogu.

The firm also cited a second attack by a cyberspying menace, first reported on by security tools firm AlienVault in July 2012. It used a variant of the Sykipot malware to create an extensive botnet. The zombie network featured more than 30 additional command-and-control domains and three email addressees, analysts from Cyber Squared discovered. After analysing the infrastructure used by the perpetrators of Sykipot, Cyber Squared concluded that the botmasters behind the network were targeting the medical industry.

One of the 30 domains registered by the Sykipot bad guys is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.

Another Sykipot command-and-control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT), a southern California-based charitable organisation, said the researchers.

A third attack last summer featured a Chinese hacking group (also known as “VOHO”) using a drive-by download campaign. The attack was targeted against victims within business and local governments in Washington, DC and Boston, Massachusetts, as well as organisations involved the development and promotion of the democratic process in non-permissive regions.

The attackers used the Gh0st RAT to control compromised machines.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical website "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities.

Cyber Squared was able to identify that the attackers also abused the domain "nih-gov.darktech[.]org” run by the National Institute of Health (NIH) as part of the command-and-control infrastructure of the cyber-espionage operation.

"The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real," Rich Barger, chief intelligence officer at Cyber Squared, and a former US Army intelligence analyst. "The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs."

Organisations within the sector need to wake up to the threat and take steps to guard against intellectual property loss and disruptions to business operations, Barger warned.

The Obama administration's strategy for combating the theft of US trade secrets, unveiled last month, listed industrial espionage as one of sectors likely to experience fast growth, and cited healthcare, pharmaceuticals and clean energy as prime targets for the web spies.

However, more attention has arguably been paid to attempts to steal the blueprints of information and communications technology; military technologies (particularly marine systems and drones - unmanned aerial vehicles); other aerospace technologies; and information about natural resources (including oil and gas). Cyber Squared's report is therefore noteworthy in highlighting an under-reported risk.

All of the Advanced Persistent Threat examples put together by Cyber Squared were compiled and shared under the “Medical Threats Blog” within the ThreatConnect community. ThreatConnect.com is a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers as well as medical research and life sciences organisations. The exchange - run by Cyber Squared and akin to a neighbourhood watch scheme - collects, analyses and shares threat intelligence. ®

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Arts and crafts store Michaels says 3 million credit cards exposed in breach
Meanwhile, Target investigators prepare for long process in nabbing hackers
prev story

Whitepapers

SANS - Survey on application security programs
In this whitepaper learn about the state of application security programs and practices of 488 surveyed respondents, and discover how mature and effective these programs are.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.