Cyberspies send ZOMBIES to steal DRUGS from medical research firms

They're flinging RATs at us too, say US spooks

Cyber-espionage crews have been targeting the lucrative medical and life science industries using custom malware and spear-phishing, according to new research.

According to a recent US counterintelligence report delivered to Congress, healthcare services and medical equipment are expected to be two of the five fastest-growing international investment sectors, with the US among the leading nations worldwide. Multi-billion dollar lifesaving research is being put at risk as cyberspies attempt to crack life science firms' security.

The counterintelligence gov bods said the massive research and development costs for new drugs and techniques as well as the growing need for medical care by ageing populations in China, Russia, and elsewhere were creating a fertile breeding ground for industrial espionage.

Security intelligence firm Cyber Squared said that at least three distinct groups have targeted the industry for more than two years, since 2010. It has published a blog post exposing some of the techniques and tradecraft of cyberspies targeting the life science sector. A single drug can cost up to $1bn to develop, the security bods note.

In the first attack discussed by Cyber Squared, a China-based group used an Internet Explorer (IE) zero-day exploit in October 2012 to get at life sciences firms' assets. Three malicious websites hosting these exploits were established and subsequently used within targeted spear-phishing campaigns or within targeted drive-by download attacks, said the researchers.

"The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research," a blog post by Cyber Squared explains.

When RATs, Trojans and zombies attack

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a drive-by attack site that used a malicious iFrame redirecting users to the IE zero-day exploit. BioDuro is a Beijing-based life science research firm. Compromised machines were subsequently infected with a variant of the Destroy Remote Access Trojan (RAT), which is also known as Thoper-B or Sogu.

The firm also cited a second attack by a cyberspying menace, first reported on by security tools firm AlienVault in July 2012. It used a variant of the Sykipot malware to create an extensive botnet. The zombie network featured more than 30 additional command-and-control domains and three email addresses, analysts from Cyber Squared discovered. After analysing the infrastructure used by the perpetrators of Sykipot, Cyber Squared concluded that the botmasters behind the network were targeting the medical industry.

One of the 30 domains registered by the Sykipot bad guys is “nihnrhealth[.]com”, which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.

Another Sykipot command-and-control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT), a southern California-based charitable organisation, said the researchers.

A third attack last summer featured a Chinese hacking group (also known as "VOHO") using a drive-by download campaign. The attack was targeted against victims within business and local governments in Washington, DC and Boston, Massachusetts, as well as organisations involved in the development and promotion of the democratic process in non-permissive regions.

The attackers used the Gh0st RAT to control compromised machines. According to a report by RSA, the attackers compromised a legitimate Taiwanese medical website "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities.

Cyber Squared was able to identify that the attackers also abused the domain "nih-gov.darktech[.]org" run by the National Institute of Health (NIH) as part of the command-and-control infrastructure of the cyber-espionage operation.
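The staged domains described above (names resembling GenOptix, BioDuro and Accenture, "nihnrhealth[.]com", and "nih-gov.darktech[.]org") share one pattern: a trusted brand token embedded in a hostname whose registrable domain the brand does not own. The following is an added defender-side example, not code from the article or from Cyber Squared, that flags such lookalikes in DNS query logs. The legitimate domains in the watchlist and the log lines are assumptions constructed for the demonstration, not indicators from the report.

```python
import re
from difflib import SequenceMatcher

# Brand token -> registrable domain assumed to be the brand's legitimate one
# (assumed for this example; confirm against your own allow-list).
WATCHLIST = {"genoptix": "genoptix.com", "bioduro": "bioduro.com",
             "accenture": "accenture.com", "nih": "nih.gov"}

def refang(hostname):
    """Turn a defanged indicator such as 'nih-gov.darktech[.]org' back into a hostname."""
    return hostname.replace("[.]", ".").strip(".").lower()

def classify(hostname, watchlist=WATCHLIST):
    """Return [(brand, reason)] for every watchlisted brand the hostname imitates.

    Rules (deliberately simple, so expect some false positives on short brands like 'nih'):
      exact-token : brand appears as a whole hyphen/dot separated token (nih-gov.darktech.org)
      embedded    : a token starts or ends with the brand (nihnrhealth.com)
      similar     : a token is within edit similarity 0.8 of the brand (typosquats)
    Hostnames under the brand's own registrable domain are never flagged.
    """
    host = refang(hostname)
    labels = host.split(".")
    registrable = ".".join(labels[-2:])          # naive: no public-suffix list used
    tokens = [t for t in re.split(r"[^a-z0-9]+", ".".join(labels[:-1])) if t]
    findings = []
    for brand, legit in watchlist.items():
        if registrable == legit or host.endswith("." + legit):
            continue                               # genuine brand traffic
        for tok in tokens:
            if tok == brand:
                findings.append((brand, "exact-token"))
            elif tok.startswith(brand) or tok.endswith(brand):
                findings.append((brand, "embedded"))
            elif SequenceMatcher(None, tok, brand).ratio() >= 0.8:
                findings.append((brand, "similar"))
    return findings

# Constructed sample log: "<timestamp> <client> query <hostname> <type>"
SAMPLE_DNS_LOG = """\
2012-10-03T09:12:44Z ws-114 query www.bioduro.com A
2012-10-03T09:12:51Z ws-114 query www.bioduro-research.com A
2012-10-03T09:13:02Z ws-207 query nihnrhealth.com A
2012-10-03T09:13:09Z ws-207 query server.hostdefense.net A
2012-10-03T09:14:30Z ws-033 query nih-gov.darktech.org A
2012-10-03T09:15:01Z ws-033 query login.nih.gov A
"""

def scan_log(text, watchlist=WATCHLIST):
    """Map each queried hostname that imitates a watchlisted brand to its findings."""
    hits = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            findings = classify(parts[3], watchlist)
            if findings:
                hits[parts[3]] = findings
    return hits
```

Note that the Sykipot C2 host server.hostdefense[.]net in the sample produces no hit: it imitates no brand, so lookalike matching complements, rather than replaces, an indicator feed such as the one Cyber Squared shares through ThreatConnect.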

"The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real," said Rich Barger, chief intelligence officer at Cyber Squared and a former US Army intelligence analyst. "The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs."

Organisations within the sector need to wake up to the threat and take steps to guard against intellectual property loss and disruptions to business operations, Barger warned.

The Obama administration's strategy for combating the theft of US trade secrets, unveiled last month, listed industrial espionage as one of the sectors likely to experience fast growth, and cited healthcare, pharmaceuticals and clean energy as prime targets for the web spies.

However, more attention has arguably been paid to attempts to steal the blueprints of information and communications technology; military technologies (particularly marine systems and drones - unmanned aerial vehicles); other aerospace technologies; and information about natural resources (including oil and gas). Cyber Squared's report is therefore noteworthy in highlighting an under-reported risk.

All of the Advanced Persistent Threat examples put together by Cyber Squared were compiled and shared under the “Medical Threats Blog” within the ThreatConnect community. ThreatConnect.com is a collaborative cyber intelligence exchange whose members include government agencies, banks, non-profits, and manufacturers as well as medical research and life sciences organisations. The exchange - run by Cyber Squared and akin to a neighbourhood watch scheme - collects, analyses and shares threat intelligence. ®
