Welcome!

Government Cloud Authors: Automic Blog, Liz McMillan, Gopala Krishna Behara, Raju Myadam, Kevin Jackson

Article

Network Health: Advanced Cyber Threats to the Medical & Life Sciences Industries

Billions stolen & Lives at Risk

In a 2011 report to Congress on Foreign Economic Collection and Industrial Espionage released by the Office of the National Counterintelligence Executive, the authors stated that "Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors according to a US consulting firm. The massive research and development (R&D) costs for new products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information."

Cyber Squared is actively tracking sophisticated cyber threats, some of which are targeting the medical and life sciences industries, in ThreatConnect.com.  In  recent years, cyber threat groups have increasingly demonstrated a growing interest in these industries.  Due to this identified trend, Cyber Squared has developed a case study that examines targeted attacks and describes the motives behind the victimization of the medical industry by these specific threat groups.

Because attacks within the medical industry rarely make headlines, one may not be aware of its appeal to attackers but there are several reasons why it is a prime target. Those within the medical industry who research, develop, sell products, or provide services to consumers need to understand why they are being targeted, that they are faced with an increasing risk, and how they can better protect their assets. The following examples identify specific APT threat groups that are targeting medical and health related organizations today.

APT Example 1:
In October of 2012, a Chinese threat actor staged the domains geneoptix[.]com, bioduroinc[.]com, and accsenture[.]com to host a malicious Internet Explorer (IE) zero day exploit (CVE-2012-4969).  Links to these malicious websites were most likely used within targeted spearphishing campaigns and/or within targeted driveby download attacks.  The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research. The identified malicious infrastructure co-existed at overlapping points in time, which indicates that there were likely multiple concurrent targeting campaigns occurring.

Screenshot of the malicious BioDuro website

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a driveby attack site that used a malicious iframe redirecting users to a CVE-2012-4969 IE zero day exploit.  BioDuro is a Drug Discovery and Life Science Research company located in Beijing.  Upon compromise the victims were subsequently infected with a downloader variant of Destroy Remote Access Trojan (RAT) known as Win32/Thoper.B aka Sogu aka TVT.

The attackers would have had the ability to leverage the malicious infrastructure to directly target a variety of individuals such as personnel within the legitimate companies, their parent companies, partners, affiliates and competitors. Any individual within a target organization who would have recognized and trusted the BioDuro brand would have been an ideal target.  Persistent access to cutting edge research or competitive information could have allowed the attackers to leverage their remote accesses to provide an advantage to the benefactors of any compromised data.

APT Example 2:
On July 2, 2012, AlienVault Labs published a blog about a family of malware called Sykipot, which was a follow-up from a January 12th blog.  The Sykipot implant (also known as GetKys) has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. While the AlienVault Labs blog identified nine domains that were registered by Sykipot actors, Cyber Squared analysts used ThreatConnect to apply additional enrichments to the Alien Vault data, and were able to grow the data set to more than thirty additional command and control (C2) domains and three email addresses used to register the C2 domains. After analyzing the infrastructure used by the perpetrators of Sykipot, Cyber Squared has confidently determined that these adversaries are targeting the medical industry. Here is a sample of the results of our analysis:

  • One of the thirty domains registered by the Sykipot actor(s) is "nihnrhealth[.]com", which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.
  • Another Sykipot command and control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT). The APAIT is an organization that positively affects the quality of life for Asian and Pacific Islanders living with or at-risk for HIV/AIDS by providing a continuum of prevention, health and social services, community leadership and advocacy to the Southern California region. APAIT is one of the nation's largest providers of HIV/AIDS prevention and care services for the Asian and Pacific Islander (API) communities. Based in Southern California, APAIT has been providing culturally and linguistically appropriate services to API's since 1987. (Commerce, 2009) It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks. (Parkour, 2010)
  • Cyber Squared used ThreatConnect to analyze Sykipot domain "e-landusa[.]net", and identified more than twenty other command and control domains had resolved to IP address 24.236.34[.]140.  One of the domains identified was "altchksrv.hostdefence[.]net". AlienVault previously implicated Sykipot actors using "altchksrv.hostdefence[.]net" in attacks that utilized Adobe vulnerability CVE-2011-2462 in December 2011.
  • "Hostdefence[.]net" was registered by the email address "parviz7415 [at] yahoo.com", and has another sub domain of "server.hostdefence[.]net". Both "server.hostdefence[.]net" and "altchksrv.hostdefence[.]net" resolved to 216.2.95[.]195, (the APAIT IP address) for nearly 12 months.
  • A malware sample submitted to ThreatExpert in January 2012 was labeled Sykipot by Kaspersky antivirus signatures, and attempts connections to 216.2.95[.]195.  Victims were exploited to deliver malicious software that enabled a command and control relationship between their compromised systems and the Sykipot actor's infrastructure.  Domains were tailored to the medical community and medical systems that used unwilling participants in exploitation efforts as midpoint hops.
  • While not connected to Sykipot, between December 8, 2011 and January 18, 2012, four other malware samples were submitted to ThreatExpert that had APAIT IP address 216.2.95[.]195 embedded as a command and control destination. All were assessed to be of Chinese origin.
  • Further research shows a 2010 targeted email attack using an APAIT Internet Protocol address to send a malicious spearphishing message.

APT Example 3:
Between June and July of 2012, a group of Chinese threat actors (also known as "VOHO") employed a driveby download campaign to mass compromise their victims.  The targets appeared to be specifically chosen to compromise victims involved in business and local governments in Washington, D.C. and Boston, Massachusetts, as well as organizations involved the development and promotion of the democratic process in non-permissive regions.  The attackers used the Gh0st RAT to interact with their victims.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical web site, "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities CVE-2012-1889 and CVE-2012-1723.  Cyber Squared was able to identify that the attackers also staged the domain, "nih-gov.darktech[.]org" within associated malicious command and control infrastructure also used within the initial VOHO campaign.  This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institute of Health (NIH) as part of the VOHO campaign.

Conclusion
The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real.  The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.  Organizations, who invest their time and resources specializing in advanced life sciences and research, must begin to address the risks posed by sophisticated threats in an effort to minimize intellectual property loss and disruptions to business operations. Those who are unwilling to address the risk posed by persistent cyber threats could face the loss of intellectual property, market share, revenues and much more.

All of the APT examples highlighted above have all been compiled and publicly shared under the Incident "20130313A: Medical Threats Blog" within the ThreatConnect community.  If you represent a medical research or life sciences organization and wish to obtain regular threat intelligence updates within a secure community sharing exchange, please register at ThreatConnect.com for an organizational account. The Medical Case Study, "Medical Industry, A Cyber Victim: Billions Stolen and Lives At Risk", is available on the Cyber Squared downloads page.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

@ThingsExpo Stories
SYS-CON Events announced today that Evatronix will exhibit at SYS-CON's 21st International Cloud Expo®, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Evatronix SA offers comprehensive solutions in the design and implementation of electronic systems, in CAD / CAM deployment, and also is a designer and manufacturer of advanced 3D scanners for professional applications.
SYS-CON Events announced today that Synametrics Technologies will exhibit at SYS-CON's 22nd International Cloud Expo®, which will take place on June 5-7, 2018, at the Javits Center in New York, NY. Synametrics Technologies is a privately held company based in Plainsboro, New Jersey that has been providing solutions for the developer community since 1997. Based on the success of its initial product offerings such as WinSQL, Xeams, SynaMan and Syncrify, Synametrics continues to create and hone inn...
To get the most out of their data, successful companies are not focusing on queries and data lakes, they are actively integrating analytics into their operations with a data-first application development approach. Real-time adjustments to improve revenues, reduce costs, or mitigate risk rely on applications that minimize latency on a variety of data sources. In his session at @BigDataExpo, Jack Norris, Senior Vice President, Data and Applications at MapR Technologies, reviewed best practices to ...
"Evatronix provides design services to companies that need to integrate the IoT technology in their products but they don't necessarily have the expertise, knowledge and design team to do so," explained Adam Morawiec, VP of Business Development at Evatronix, in this SYS-CON.tv interview at @ThingsExpo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
Digital Transformation (DX) is not a "one-size-fits all" strategy. Each organization needs to develop its own unique, long-term DX plan. It must do so by realizing that we now live in a data-driven age, and that technologies such as Cloud Computing, Big Data, the IoT, Cognitive Computing, and Blockchain are only tools. In her general session at 21st Cloud Expo, Rebecca Wanta explained how the strategy must focus on DX and include a commitment from top management to create great IT jobs, monitor ...
In his Opening Keynote at 21st Cloud Expo, John Considine, General Manager of IBM Cloud Infrastructure, led attendees through the exciting evolution of the cloud. He looked at this major disruption from the perspective of technology, business models, and what this means for enterprises of all sizes. John Considine is General Manager of Cloud Infrastructure Services at IBM. In that role he is responsible for leading IBM’s public cloud infrastructure including strategy, development, and offering m...
No hype cycles or predictions of a gazillion things here. IoT is here. You get it. You know your business and have great ideas for a business transformation strategy. What comes next? Time to make it happen. In his session at @ThingsExpo, Jay Mason, an Associate Partner of Analytics, IoT & Cybersecurity at M&S Consulting, presented a step-by-step plan to develop your technology implementation strategy. He also discussed the evaluation of communication standards and IoT messaging protocols, data...
Recently, WebRTC has a lot of eyes from market. The use cases of WebRTC are expanding - video chat, online education, online health care etc. Not only for human-to-human communication, but also IoT use cases such as machine to human use cases can be seen recently. One of the typical use-case is remote camera monitoring. With WebRTC, people can have interoperability and flexibility for deploying monitoring service. However, the benefit of WebRTC for IoT is not only its convenience and interopera...
Product connectivity goes hand and hand these days with increased use of personal data. New IoT devices are becoming more personalized than ever before. In his session at 22nd Cloud Expo | DXWorld Expo, Nicolas Fierro, CEO of MIMIR Blockchain Solutions, will discuss how in order to protect your data and privacy, IoT applications need to embrace Blockchain technology for a new level of product security never before seen - or needed.
Recently, REAN Cloud built a digital concierge for a North Carolina hospital that had observed that most patient call button questions were repetitive. In addition, the paper-based process used to measure patient health metrics was laborious, not in real-time and sometimes error-prone. In their session at 21st Cloud Expo, Sean Finnerty, Executive Director, Practice Lead, Health Care & Life Science at REAN Cloud, and Dr. S.P.T. Krishnan, Principal Architect at REAN Cloud, discussed how they built...
Nordstrom is transforming the way that they do business and the cloud is the key to enabling speed and hyper personalized customer experiences. In his session at 21st Cloud Expo, Ken Schow, VP of Engineering at Nordstrom, discussed some of the key learnings and common pitfalls of large enterprises moving to the cloud. This includes strategies around choosing a cloud provider(s), architecture, and lessons learned. In addition, he covered some of the best practices for structured team migration an...
The 22nd International Cloud Expo | 1st DXWorld Expo has announced that its Call for Papers is open. Cloud Expo | DXWorld Expo, to be held June 5-7, 2018, at the Javits Center in New York, NY, brings together Cloud Computing, Digital Transformation, Big Data, Internet of Things, DevOps, Machine Learning and WebRTC to one location. With cloud computing driving a higher percentage of enterprise IT budgets every year, it becomes increasingly important to plant your flag in this fast-expanding busin...
"Digital transformation - what we knew about it in the past has been redefined. Automation is going to play such a huge role in that because the culture, the technology, and the business operations are being shifted now," stated Brian Boeggeman, VP of Alliances & Partnerships at Ayehu, in this SYS-CON.tv interview at 21st Cloud Expo, held Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA.
In his session at 21st Cloud Expo, Raju Shreewastava, founder of Big Data Trunk, provided a fun and simple way to introduce Machine Leaning to anyone and everyone. He solved a machine learning problem and demonstrated an easy way to be able to do machine learning without even coding. Raju Shreewastava is the founder of Big Data Trunk (www.BigDataTrunk.com), a Big Data Training and consulting firm with offices in the United States. He previously led the data warehouse/business intelligence and B...
A strange thing is happening along the way to the Internet of Things, namely far too many devices to work with and manage. It has become clear that we'll need much higher efficiency user experiences that can allow us to more easily and scalably work with the thousands of devices that will soon be in each of our lives. Enter the conversational interface revolution, combining bots we can literally talk with, gesture to, and even direct with our thoughts, with embedded artificial intelligence, whic...
Cloud Expo | DXWorld Expo have announced the conference tracks for Cloud Expo 2018. Cloud Expo will be held June 5-7, 2018, at the Javits Center in New York City, and November 6-8, 2018, at the Santa Clara Convention Center, Santa Clara, CA. Digital Transformation (DX) is a major focus with the introduction of DX Expo within the program. Successful transformation requires a laser focus on being data-driven and on using all the tools available that enable transformation if they plan to survive ov...
Smart cities have the potential to change our lives at so many levels for citizens: less pollution, reduced parking obstacles, better health, education and more energy savings. Real-time data streaming and the Internet of Things (IoT) possess the power to turn this vision into a reality. However, most organizations today are building their data infrastructure to focus solely on addressing immediate business needs vs. a platform capable of quickly adapting emerging technologies to address future ...
With tough new regulations coming to Europe on data privacy in May 2018, Calligo will explain why in reality the effect is global and transforms how you consider critical data. EU GDPR fundamentally rewrites the rules for cloud, Big Data and IoT. In his session at 21st Cloud Expo, Adam Ryan, Vice President and General Manager EMEA at Calligo, examined the regulations and provided insight on how it affects technology, challenges the established rules and will usher in new levels of diligence arou...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...
22nd International Cloud Expo, taking place June 5-7, 2018, at the Javits Center in New York City, NY, and co-located with the 1st DXWorld Expo will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud ...