Covid-19 and the reality of digital espionage
Wed 17 Jun 2020 | James Orme

Recent attacks on institutions researching Covid-19 are a stark reminder that everything is up for grabs in today’s world of cyber espionage
Finding a vaccine for the novel coronavirus is priority number one in the healthcare community. While an increasing number of countries appear to have joined China in getting the virus under control, there are legitimate fears that a second-wave could take many nations back to square one. Put simply, the surest way of preventing a Covid-19 resurgence is to develop and test an effective vaccine.
Developing a vaccine is a complex and challenging undertaking at the best of times. But to make matters even more complicated, experts on the frontline of these efforts have been subject to rampant cyber attacks in recent weeks.
To understand the motivation behind these attacks and how organisations researching Covid-19 should respond, Techerati spoke to two of the UK’s leading cybersecurity experts: Steve Moore, Chief Security Strategist at Exabeam, and Mick Jenkins, CISO of Brunel University, London.
Password spraying
The attacks against medical research and healthcare organisations studying Covid-19 became public in May after UK’s National Cyber Security Centre (NCSC) and US Cybersecurity and Infrastructure (CISA) published an alert claiming they had detected large-scale “password spraying” campaigns against numerous organisations, which they allege were conducted by state-sponsored hacking groups.
Password-spraying refers to the automated process of using collected accounts and known harvested passwords (typically collected from previous successful attacks) to try to break into a network. This is often followed by gradual attempts to escalate access – known as an advanced persistent threat campaign (or APT for short).
Healthcare bodies, pharmaceutical companies, academia are ripe targets, as they are often entwined with sprawling international supply chains that increase exposure to malicious actors. As noted in the alert, hackers typically begin their attacks in supply chains’ weakest links to obtain access to better-protected targets. And with many of these organisations shifting to remote working, even more links were exposed.
US and UK security agencies stopped short of naming suspects, but previous campaigns geared towards seizing intellectual property in the West have been attributed to China, Russia and Iran. On this occasion, less familiar nations in the Indian sub-continent and the Far East are also rumoured to be involved. What we do know is that the attackers were hunting for vaccine and public health data related to treatments and testing, and data sets that revealed what other nations knew about the disease that they didn’t.
The new normal
Mick Jenkins says anyone familiar with the rise in state-sponsored cyber crime should not be surprised by these events. Today’s spies are increasingly reliant on yesterday’s geeks and espionage is now a “hybrid” world with digital minded experts and their command teams bolstering traditional infiltration on the ground. States seeking intelligence now do so with highly-trained digital armies. It just so happens that Covid-19 intelligence is currently the world’s most prized commodity.
“The world of Covid-19 is no different to nations stealing any other intellectual property – it is valuable, highly sought after data,” he says. “It really isn’t any different to a nation state infiltrating industry, science and governments to find and steal any intellectual property data. Which today is a daily occurrence.”
“It’s essential to understand this behaviour is simply a new campaign that’s part of a much larger ongoing cyber and human-based intrusion set,” adds Moore. “Said plainly, this is nothing new – just the subject has changed.”
Nevertheless, the scale and the velocity of the attacks are dispiriting, given that the pandemic affects all nations. The sad reality is that while world leaders call for collaboration and community, their intelligence agencies are scouring neighbours’ research efforts for intelligence that can give them an edge.
“There is of course lots of international collaboration, but other nations will seek to bulk up their knowledge through digital espionage, as well as other methods of intelligence collection,” Jenkins says.
Moore notes that these incentives are entirely rational. “It’s the mission of many governments to collect information that could benefit the home country,” says Moore. “Let’s not forget that collection of Covid-19 information could accelerate research time to find treatments and a cure and there’s also deep value in understanding the logistics of testing.”
The dangers
At this stage the success of the attacks is unclear. Thankfully, due to the close support research institutes receive from government agencies, organisations affected were swiftly alerted and advised to change internal passwords en masse. Until more forensic analysis is complete, it’s unclear how much data was seized.
In the meantime, research organisations must plough on with their vital work. And as there’s no reason to believe the attacks have or will cease, new passwords are ultimately a stop-gap measure that must be reinforced with more concrete cyber protection. Moore says any organisation researching Covid-19 should recognise they are a potential target and take steps to shore up defences.
“Executive leadership must ask and be ready to receive an honest answer about the quality of their core security programs,” he says. “Operationally, there must be capabilities that allow for the detection, disruption, and response to these attacks, including possible insider threats.”
Jenkins adds that institutes should look to “Zero Trust” Environments, where trust is never assumed inside a network. In other words, verification and confirmation are always required to access any and all data sets.
Aside from rigorous access controls, he says new innovations in investigative technology can help organisations gain a “clear intelligence and an investigative picture of what has been happening in their networks and platforms.” Next-generation SIEMs powered by AI also provide clear and early visibility and threats to contain, he says.
“Such APT and nation-state activity is a timely reminder to all businesses and industries, that corporate and nation-state espionage is a big enterprise,” says Jenkins. “And of course, it’s worth reminding ourselves that no network or platform is without the ability for exploitation, and indeed many can be used to pivot into other industries through varying technical means.”
Even if they are inevitable, it’s ultimately in everyone’s interest that state-sponsored Covid-19 espionage doesn’t spiral out of control, regardless of the “success” of individual attacks. If campaigns become too aggressive, Jenkins warns, it may not only disrupt promising research but accelerate already-simmering geopolitical tensions, potentially leading to sanctions or retaliation. While Moore says an international agreement to share helpful vaccine research could effectively deter future attacks.
One thing is for sure, these events have again confirmed that everything is up for grabs in today’s world of cyber espionage and any organisation who presides over valuable data must prepare for the worst.
Written by James Orme Wed 17 Jun 2020