Government Cloud Authors: Elizabeth White, Liz McMillan, Gopala Krishna Behara, Raju Myadam, Kevin Jackson


Network Health: Advanced Cyber Threats to the Medical & Life Sciences Industries

Billions stolen & Lives at Risk

In a 2011 report to Congress on Foreign Economic Collection and Industrial Espionage released by the Office of the National Counterintelligence Executive, the authors stated that "Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors according to a US consulting firm. The massive research and development (R&D) costs for new products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information."

Cyber Squared is actively tracking sophisticated cyber threats, some of which are targeting the medical and life sciences industries, in ThreatConnect.com.  In  recent years, cyber threat groups have increasingly demonstrated a growing interest in these industries.  Due to this identified trend, Cyber Squared has developed a case study that examines targeted attacks and describes the motives behind the victimization of the medical industry by these specific threat groups.

Because attacks within the medical industry rarely make headlines, one may not be aware of its appeal to attackers but there are several reasons why it is a prime target. Those within the medical industry who research, develop, sell products, or provide services to consumers need to understand why they are being targeted, that they are faced with an increasing risk, and how they can better protect their assets. The following examples identify specific APT threat groups that are targeting medical and health related organizations today.

APT Example 1:
In October of 2012, a Chinese threat actor staged the domains geneoptix[.]com, bioduroinc[.]com, and accsenture[.]com to host a malicious Internet Explorer (IE) zero day exploit (CVE-2012-4969).  Links to these malicious websites were most likely used within targeted spearphishing campaigns and/or within targeted driveby download attacks.  The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research. The identified malicious infrastructure co-existed at overlapping points in time, which indicates that there were likely multiple concurrent targeting campaigns occurring.

Screenshot of the malicious BioDuro website

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a driveby attack site that used a malicious iframe redirecting users to a CVE-2012-4969 IE zero day exploit.  BioDuro is a Drug Discovery and Life Science Research company located in Beijing.  Upon compromise the victims were subsequently infected with a downloader variant of Destroy Remote Access Trojan (RAT) known as Win32/Thoper.B aka Sogu aka TVT.

The attackers would have had the ability to leverage the malicious infrastructure to directly target a variety of individuals such as personnel within the legitimate companies, their parent companies, partners, affiliates and competitors. Any individual within a target organization who would have recognized and trusted the BioDuro brand would have been an ideal target.  Persistent access to cutting edge research or competitive information could have allowed the attackers to leverage their remote accesses to provide an advantage to the benefactors of any compromised data.

APT Example 2:
On July 2, 2012, AlienVault Labs published a blog about a family of malware called Sykipot, which was a follow-up from a January 12th blog.  The Sykipot implant (also known as GetKys) has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. While the AlienVault Labs blog identified nine domains that were registered by Sykipot actors, Cyber Squared analysts used ThreatConnect to apply additional enrichments to the Alien Vault data, and were able to grow the data set to more than thirty additional command and control (C2) domains and three email addresses used to register the C2 domains. After analyzing the infrastructure used by the perpetrators of Sykipot, Cyber Squared has confidently determined that these adversaries are targeting the medical industry. Here is a sample of the results of our analysis:

  • One of the thirty domains registered by the Sykipot actor(s) is "nihnrhealth[.]com", which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.
  • Another Sykipot command and control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT). The APAIT is an organization that positively affects the quality of life for Asian and Pacific Islanders living with or at-risk for HIV/AIDS by providing a continuum of prevention, health and social services, community leadership and advocacy to the Southern California region. APAIT is one of the nation's largest providers of HIV/AIDS prevention and care services for the Asian and Pacific Islander (API) communities. Based in Southern California, APAIT has been providing culturally and linguistically appropriate services to API's since 1987. (Commerce, 2009) It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks. (Parkour, 2010)
  • Cyber Squared used ThreatConnect to analyze Sykipot domain "e-landusa[.]net", and identified more than twenty other command and control domains had resolved to IP address 24.236.34[.]140.  One of the domains identified was "altchksrv.hostdefence[.]net". AlienVault previously implicated Sykipot actors using "altchksrv.hostdefence[.]net" in attacks that utilized Adobe vulnerability CVE-2011-2462 in December 2011.
  • "Hostdefence[.]net" was registered by the email address "parviz7415 [at] yahoo.com", and has another sub domain of "server.hostdefence[.]net". Both "server.hostdefence[.]net" and "altchksrv.hostdefence[.]net" resolved to 216.2.95[.]195, (the APAIT IP address) for nearly 12 months.
  • A malware sample submitted to ThreatExpert in January 2012 was labeled Sykipot by Kaspersky antivirus signatures, and attempts connections to 216.2.95[.]195.  Victims were exploited to deliver malicious software that enabled a command and control relationship between their compromised systems and the Sykipot actor's infrastructure.  Domains were tailored to the medical community and medical systems that used unwilling participants in exploitation efforts as midpoint hops.
  • While not connected to Sykipot, between December 8, 2011 and January 18, 2012, four other malware samples were submitted to ThreatExpert that had APAIT IP address 216.2.95[.]195 embedded as a command and control destination. All were assessed to be of Chinese origin.
  • Further research shows a 2010 targeted email attack using an APAIT Internet Protocol address to send a malicious spearphishing message.

APT Example 3:
Between June and July of 2012, a group of Chinese threat actors (also known as "VOHO") employed a driveby download campaign to mass compromise their victims.  The targets appeared to be specifically chosen to compromise victims involved in business and local governments in Washington, D.C. and Boston, Massachusetts, as well as organizations involved the development and promotion of the democratic process in non-permissive regions.  The attackers used the Gh0st RAT to interact with their victims.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical web site, "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities CVE-2012-1889 and CVE-2012-1723.  Cyber Squared was able to identify that the attackers also staged the domain, "nih-gov.darktech[.]org" within associated malicious command and control infrastructure also used within the initial VOHO campaign.  This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institute of Health (NIH) as part of the VOHO campaign.

The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real.  The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.  Organizations, who invest their time and resources specializing in advanced life sciences and research, must begin to address the risks posed by sophisticated threats in an effort to minimize intellectual property loss and disruptions to business operations. Those who are unwilling to address the risk posed by persistent cyber threats could face the loss of intellectual property, market share, revenues and much more.

All of the APT examples highlighted above have all been compiled and publicly shared under the Incident "20130313A: Medical Threats Blog" within the ThreatConnect community.  If you represent a medical research or life sciences organization and wish to obtain regular threat intelligence updates within a secure community sharing exchange, please register at ThreatConnect.com for an organizational account. The Medical Case Study, "Medical Industry, A Cyber Victim: Billions Stolen and Lives At Risk", is available on the Cyber Squared downloads page.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

IoT & Smart Cities Stories
The many IoT deployments around the world are busy integrating smart devices and sensors into their enterprise IT infrastructures. Yet all of this technology – and there are an amazing number of choices – is of no use without the software to gather, communicate, and analyze the new data flows. Without software, there is no IT. In this power panel at @ThingsExpo, moderated by Conference Chair Roger Strukhoff, Dave McCarthy, Director of Products at Bsquare Corporation; Alan Williamson, Principal ...
Apps and devices shouldn't stop working when there's limited or no network connectivity. Learn how to bring data stored in a cloud database to the edge of the network (and back again) whenever an Internet connection is available. In his session at 17th Cloud Expo, Ben Perlmutter, a Sales Engineer with IBM Cloudant, demonstrated techniques for replicating cloud databases with devices in order to build offline-first mobile or Internet of Things (IoT) apps that can provide a better, faster user e...
In his keynote at 19th Cloud Expo, Sheng Liang, co-founder and CEO of Rancher Labs, discussed the technological advances and new business opportunities created by the rapid adoption of containers. With the success of Amazon Web Services (AWS) and various open source technologies used to build private clouds, cloud computing has become an essential component of IT strategy. However, users continue to face challenges in implementing clouds, as older technologies evolve and newer ones like Docker c...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
The Founder of NostaLab and a member of the Google Health Advisory Board, John is a unique combination of strategic thinker, marketer and entrepreneur. His career was built on the "science of advertising" combining strategy, creativity and marketing for industry-leading results. Combined with his ability to communicate complicated scientific concepts in a way that consumers and scientists alike can appreciate, John is a sought-after speaker for conferences on the forefront of healthcare science,...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
"The Striim platform is a full end-to-end streaming integration and analytics platform that is middleware that covers a lot of different use cases," explained Steve Wilkes, Founder and CTO at Striim, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"MobiDev is a Ukraine-based software development company. We do mobile development, and we're specialists in that. But we do full stack software development for entrepreneurs, for emerging companies, and for enterprise ventures," explained Alan Winters, U.S. Head of Business Development at MobiDev, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
As IoT continues to increase momentum, so does the associated risk. Secure Device Lifecycle Management (DLM) is ranked as one of the most important technology areas of IoT. Driving this trend is the realization that secure support for IoT devices provides companies the ability to deliver high-quality, reliable, secure offerings faster, create new revenue streams, and reduce support costs, all while building a competitive advantage in their markets. In this session, we will use customer use cases...