Welcome!

Security through Intelligence

Rich Barger

Subscribe to Rich Barger: eMailAlertsEmail Alerts
Get Rich Barger via: homepageHomepage mobileMobile rssRSS facebookFacebook twitterTwitter linkedinLinkedIn


Article

Network Health: Advanced Cyber Threats to the Medical & Life Sciences Industries

Billions stolen & Lives at Risk

In a 2011 report to Congress on Foreign Economic Collection and Industrial Espionage released by the Office of the National Counterintelligence Executive, the authors stated that "Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors according to a US consulting firm. The massive research and development (R&D) costs for new products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information."

Cyber Squared is actively tracking sophisticated cyber threats, some of which are targeting the medical and life sciences industries, in ThreatConnect.com.  In  recent years, cyber threat groups have increasingly demonstrated a growing interest in these industries.  Due to this identified trend, Cyber Squared has developed a case study that examines targeted attacks and describes the motives behind the victimization of the medical industry by these specific threat groups.

Because attacks within the medical industry rarely make headlines, one may not be aware of its appeal to attackers but there are several reasons why it is a prime target. Those within the medical industry who research, develop, sell products, or provide services to consumers need to understand why they are being targeted, that they are faced with an increasing risk, and how they can better protect their assets. The following examples identify specific APT threat groups that are targeting medical and health related organizations today.

APT Example 1:
In October of 2012, a Chinese threat actor staged the domains geneoptix[.]com, bioduroinc[.]com, and accsenture[.]com to host a malicious Internet Explorer (IE) zero day exploit (CVE-2012-4969).  Links to these malicious websites were most likely used within targeted spearphishing campaigns and/or within targeted driveby download attacks.  The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research. The identified malicious infrastructure co-existed at overlapping points in time, which indicates that there were likely multiple concurrent targeting campaigns occurring.

Screenshot of the malicious BioDuro website

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a driveby attack site that used a malicious iframe redirecting users to a CVE-2012-4969 IE zero day exploit.  BioDuro is a Drug Discovery and Life Science Research company located in Beijing.  Upon compromise the victims were subsequently infected with a downloader variant of Destroy Remote Access Trojan (RAT) known as Win32/Thoper.B aka Sogu aka TVT.

The attackers would have had the ability to leverage the malicious infrastructure to directly target a variety of individuals such as personnel within the legitimate companies, their parent companies, partners, affiliates and competitors. Any individual within a target organization who would have recognized and trusted the BioDuro brand would have been an ideal target.  Persistent access to cutting edge research or competitive information could have allowed the attackers to leverage their remote accesses to provide an advantage to the benefactors of any compromised data.

APT Example 2:
On July 2, 2012, AlienVault Labs published a blog about a family of malware called Sykipot, which was a follow-up from a January 12th blog.  The Sykipot implant (also known as GetKys) has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. While the AlienVault Labs blog identified nine domains that were registered by Sykipot actors, Cyber Squared analysts used ThreatConnect to apply additional enrichments to the Alien Vault data, and were able to grow the data set to more than thirty additional command and control (C2) domains and three email addresses used to register the C2 domains. After analyzing the infrastructure used by the perpetrators of Sykipot, Cyber Squared has confidently determined that these adversaries are targeting the medical industry. Here is a sample of the results of our analysis:

  • One of the thirty domains registered by the Sykipot actor(s) is "nihnrhealth[.]com", which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.
  • Another Sykipot command and control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT). The APAIT is an organization that positively affects the quality of life for Asian and Pacific Islanders living with or at-risk for HIV/AIDS by providing a continuum of prevention, health and social services, community leadership and advocacy to the Southern California region. APAIT is one of the nation's largest providers of HIV/AIDS prevention and care services for the Asian and Pacific Islander (API) communities. Based in Southern California, APAIT has been providing culturally and linguistically appropriate services to API's since 1987. (Commerce, 2009) It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks. (Parkour, 2010)
  • Cyber Squared used ThreatConnect to analyze Sykipot domain "e-landusa[.]net", and identified more than twenty other command and control domains had resolved to IP address 24.236.34[.]140.  One of the domains identified was "altchksrv.hostdefence[.]net". AlienVault previously implicated Sykipot actors using "altchksrv.hostdefence[.]net" in attacks that utilized Adobe vulnerability CVE-2011-2462 in December 2011.
  • "Hostdefence[.]net" was registered by the email address "parviz7415 [at] yahoo.com", and has another sub domain of "server.hostdefence[.]net". Both "server.hostdefence[.]net" and "altchksrv.hostdefence[.]net" resolved to 216.2.95[.]195, (the APAIT IP address) for nearly 12 months.
  • A malware sample submitted to ThreatExpert in January 2012 was labeled Sykipot by Kaspersky antivirus signatures, and attempts connections to 216.2.95[.]195.  Victims were exploited to deliver malicious software that enabled a command and control relationship between their compromised systems and the Sykipot actor's infrastructure.  Domains were tailored to the medical community and medical systems that used unwilling participants in exploitation efforts as midpoint hops.
  • While not connected to Sykipot, between December 8, 2011 and January 18, 2012, four other malware samples were submitted to ThreatExpert that had APAIT IP address 216.2.95[.]195 embedded as a command and control destination. All were assessed to be of Chinese origin.
  • Further research shows a 2010 targeted email attack using an APAIT Internet Protocol address to send a malicious spearphishing message.

APT Example 3:
Between June and July of 2012, a group of Chinese threat actors (also known as "VOHO") employed a driveby download campaign to mass compromise their victims.  The targets appeared to be specifically chosen to compromise victims involved in business and local governments in Washington, D.C. and Boston, Massachusetts, as well as organizations involved the development and promotion of the democratic process in non-permissive regions.  The attackers used the Gh0st RAT to interact with their victims.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical web site, "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities CVE-2012-1889 and CVE-2012-1723.  Cyber Squared was able to identify that the attackers also staged the domain, "nih-gov.darktech[.]org" within associated malicious command and control infrastructure also used within the initial VOHO campaign.  This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institute of Health (NIH) as part of the VOHO campaign.

Conclusion
The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real.  The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.  Organizations, who invest their time and resources specializing in advanced life sciences and research, must begin to address the risks posed by sophisticated threats in an effort to minimize intellectual property loss and disruptions to business operations. Those who are unwilling to address the risk posed by persistent cyber threats could face the loss of intellectual property, market share, revenues and much more.

All of the APT examples highlighted above have all been compiled and publicly shared under the Incident "20130313A: Medical Threats Blog" within the ThreatConnect community.  If you represent a medical research or life sciences organization and wish to obtain regular threat intelligence updates within a secure community sharing exchange, please register at ThreatConnect.com for an organizational account. The Medical Case Study, "Medical Industry, A Cyber Victim: Billions Stolen and Lives At Risk", is available on the Cyber Squared downloads page.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.