The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency (CISA) have issued a warning about China’s threat to COVID-19-related research.
The FBI is investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by China’s spies. Beijing’s agents are attempting to obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research. According to the Bureau, “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”
Both agencies have cautioned all organizations conducting research in these areas to maintain dedicated cybersecurity and insider threat practices to deter the PRC’s cyberspies.
They have outlined how security weaknesses arise and what to do about them. Press attention linking an organization to COVID-19-related research draws increased interest from these actors and, subsequently, cyber activity. To deter the illicit activity, the two counter-intelligence groups urge researchers to harden all systems against critical vulnerabilities. Web applications should be scanned for unauthorized access, modification, or anomalous activity. Credential requirements should be strengthened to resist intrusion. When suspicious activity is spotted, the users involved should be blocked and suspended. And of course, dangerous activity should be reported to the FBI.
A joint U.S.-U.K. international effort to deter Chinese COVID-19 espionage is also raising an alarm. The United States Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA) and the United Kingdom’s National Cyber Security Centre (NCSC) warn that there are “indications that advanced persistent threat groups are exploiting the Coronavirus Disease 2019 (COVID-19) pandemic as part of their cyber operations.”
According to officials of the two nations, Anglo-American healthcare bodies, pharmaceutical companies, academia, medical research organizations, and local governments are specifically targeted. The cyberspies collect bulk personal information, intellectual property, sensitive information and related intelligence.
There have been a number of suspected incidents.
These organizations’ global reach and international supply chains increase their exposure to malicious cyber actors. Beijing’s agents exploit weaknesses in supply chains, a well-known weak link in security, to achieve their goals. The pandemic-driven shift to remote working has widened that exposure considerably.
Recently, cyberspies have scanned the external websites of targeted companies, looking for vulnerabilities in unpatched software. Known targets include the Citrix vulnerability CVE-2019-19781 and vulnerabilities in virtual private network products.
International investigators are reviewing large-scale password spraying campaigns conducted by malicious foreign actors.
China’s internet infiltrators are using this type of attack to target healthcare entities in a number of countries—including the United Kingdom and the United States—as well as international healthcare organizations. In the past, they have used password spraying to target a range of organizations and companies across sectors—including government, emergency services, law enforcement, academia and research organizations, financial institutions, and telecommunications and retail companies.
Password spraying is a commonly used form of brute-force attack in which the attacker tries a single, commonly used password against many accounts before moving on to a second password, and so on. This technique lets the attacker remain undetected by avoiding rapid or frequent account lockouts. Such attacks succeed because, in any large set of users, some will likely have common passwords.
Once a malicious cyber actor compromises a single account, they will use it to access other accounts where the credentials are reused. Additionally, the actor could attempt to move laterally across the network to steal additional data and mount further attacks against other accounts within the network.
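The spraying pattern described above has a recognisable defensive signature: one source producing failed logins across many distinct accounts in a short window, with only one or two attempts per account, so that no single account trips its lockout threshold. The following detector, an added example written for this article and not taken from the FBI or CISA advisories, runs that logic over a constructed, simplified authentication log (the `timestamp result user src_ip` format, the IP addresses and the usernames are all invented for illustration) and also lists any later successful login from a flagged source, since that account is the one whose credentials need resetting and whose onward activity warrants review.

```python
"""Detect password-spraying patterns in authentication logs.

Added example (not from the article or from the FBI/CISA advisories it
summarises). A spray tries one password against many accounts, so the
tell-tale signal is one source address producing failed logins for many
*distinct* usernames within a short window, with few or no repeats per
user (which is what keeps it under per-account lockout thresholds).
The log format below is constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in a simplified "timestamp result user src_ip" form.
SAMPLE_LOG = """\
2020-05-13T09:00:01 FAIL alice 203.0.113.7
2020-05-13T09:00:03 FAIL bob 203.0.113.7
2020-05-13T09:00:05 FAIL carol 203.0.113.7
2020-05-13T09:00:07 FAIL dave 203.0.113.7
2020-05-13T09:00:09 FAIL erin 203.0.113.7
2020-05-13T09:00:11 OK frank 203.0.113.7
2020-05-13T09:00:12 FAIL alice 198.51.100.9
2020-05-13T09:00:13 FAIL alice 198.51.100.9
2020-05-13T09:00:14 FAIL alice 198.51.100.9
2020-05-13T09:00:15 FAIL alice 198.51.100.9
2020-05-13T09:00:16 FAIL alice 198.51.100.9
2020-05-13T09:05:00 FAIL grace 192.0.2.44
2020-05-13T10:30:00 FAIL heidi 192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) (\S+) (\S+)$")


def parse_events(text):
    """Return a list of (timestamp, result, user, src_ip) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failed logins hit >= min_users distinct accounts
    within `window`, with at most max_per_user failures for each account.

    The per-user cap separates a spray (low and wide) from a classic brute
    force against one account (narrow and deep), which lockout policies
    already catch. Returns {src_ip: sorted list of targeted users}.
    """
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        start = 0
        # Slide a time window over this source's failures and inspect the user mix.
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in fails[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_users and max(counts.values()) <= max_per_user:
                flagged[src] = sorted(counts)
                break
    return flagged


def successes_after_spray(events, flagged):
    """Return (src_ip, user) pairs where a flagged source also logged in OK:
    that account likely held a common password and needs a credential reset."""
    return sorted({(src, user) for _, result, user, src in events
                   if result == "OK" and src in flagged})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    hits = detect_spray(evs)
    print("spraying sources:", hits)
    print("successful logins from those sources:", successes_after_spray(evs, hits))
```

On the sample, only 203.0.113.7 is flagged: it fails against five different accounts in eight seconds and then succeeds as `frank`. The source hammering `alice` five times is a single-account brute force rather than a spray, and the two isolated failures from 192.0.2.44 fall outside the window. Thresholds are starting points; tune `window`, `min_users` and `max_per_user` to the organisation's normal failed-login rate, and feed the detector from the real log source (VPN, SSO or mail gateway) rather than this constructed format.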
Frank Vernuccio serves as editor-in-chief of the New York Analysis of Policy and Government.