Network Health: Advanced Cyber Threats to the Medical & Life Sciences Industries

Billions stolen & Lives at Risk

In a 2011 report to Congress on Foreign Economic Collection and Industrial Espionage released by the Office of the National Counterintelligence Executive, the authors stated that "Healthcare services and medical devices/equipment will be two of the five fastest growing international investment sectors according to a US consulting firm. The massive research and development (R&D) costs for new products in these sectors, up to $1 billion for a single drug, the possibility of earning monopoly profits from a popular new pharmaceutical, and the growing need for medical care by aging populations in China, Russia, and elsewhere are likely to drive interest in collecting valuable US healthcare, pharmaceutical, and related information."

Cyber Squared is actively tracking sophisticated cyber threats, some of which are targeting the medical and life sciences industries, in ThreatConnect.com.  In  recent years, cyber threat groups have increasingly demonstrated a growing interest in these industries.  Due to this identified trend, Cyber Squared has developed a case study that examines targeted attacks and describes the motives behind the victimization of the medical industry by these specific threat groups.

Because attacks within the medical industry rarely make headlines, one may not be aware of its appeal to attackers but there are several reasons why it is a prime target. Those within the medical industry who research, develop, sell products, or provide services to consumers need to understand why they are being targeted, that they are faced with an increasing risk, and how they can better protect their assets. The following examples identify specific APT threat groups that are targeting medical and health related organizations today.

APT Example 1:
In October of 2012, a Chinese threat actor staged the domains geneoptix[.]com, bioduroinc[.]com, and accsenture[.]com to host a malicious Internet Explorer (IE) zero day exploit (CVE-2012-4969).  Links to these malicious websites were most likely used within targeted spearphishing campaigns and/or within targeted driveby download attacks.  The staged domain names resembled the domains of the legitimate companies GenOptix, BioDuro and Accenture, all of whom provide advanced medical, drug, and life sciences research. The identified malicious infrastructure co-existed at overlapping points in time, which indicates that there were likely multiple concurrent targeting campaigns occurring.

Screenshot of the malicious BioDuro website

Cyber Squared was able to confirm that the attackers mirrored the legitimate BioDuro website with a driveby attack site that used a malicious iframe redirecting users to a CVE-2012-4969 IE zero day exploit.  BioDuro is a Drug Discovery and Life Science Research company located in Beijing.  Upon compromise the victims were subsequently infected with a downloader variant of Destroy Remote Access Trojan (RAT) known as Win32/Thoper.B aka Sogu aka TVT.

The attackers would have had the ability to leverage the malicious infrastructure to directly target a variety of individuals such as personnel within the legitimate companies, their parent companies, partners, affiliates and competitors. Any individual within a target organization who would have recognized and trusted the BioDuro brand would have been an ideal target.  Persistent access to cutting edge research or competitive information could have allowed the attackers to leverage their remote accesses to provide an advantage to the benefactors of any compromised data.

APT Example 2:
On July 2, 2012, AlienVault Labs published a blog about a family of malware called Sykipot, which was a follow-up from a January 12th blog.  The Sykipot implant (also known as GetKys) has been used in targeted attacks for at least the past couple of years, and unconfirmed traces date back to as early as 2006. While the AlienVault Labs blog identified nine domains that were registered by Sykipot actors, Cyber Squared analysts used ThreatConnect to apply additional enrichments to the Alien Vault data, and were able to grow the data set to more than thirty additional command and control (C2) domains and three email addresses used to register the C2 domains. After analyzing the infrastructure used by the perpetrators of Sykipot, Cyber Squared has confidently determined that these adversaries are targeting the medical industry. Here is a sample of the results of our analysis:

  • One of the thirty domains registered by the Sykipot actor(s) is "nihnrhealth[.]com", which could be easily mistaken by a Sykipot victim as a legitimate domain associated with the National Health Information Network.
  • Another Sykipot command and control domain (server.hostdefense[.]net) resolved to the IP address of a host registered by the Asian Pacific AIDS Intervention Team (APAIT). The APAIT is an organization that positively affects the quality of life for Asian and Pacific Islanders living with or at-risk for HIV/AIDS by providing a continuum of prevention, health and social services, community leadership and advocacy to the Southern California region. APAIT is one of the nation's largest providers of HIV/AIDS prevention and care services for the Asian and Pacific Islander (API) communities. Based in Southern California, APAIT has been providing culturally and linguistically appropriate services to API's since 1987. (Commerce, 2009) It is likely that APAIT networks were a previous target of threat actors, and are being repurposed in subsequent attacks. (Parkour, 2010)
  • Cyber Squared used ThreatConnect to analyze Sykipot domain "e-landusa[.]net", and identified more than twenty other command and control domains had resolved to IP address 24.236.34[.]140.  One of the domains identified was "altchksrv.hostdefence[.]net". AlienVault previously implicated Sykipot actors using "altchksrv.hostdefence[.]net" in attacks that utilized Adobe vulnerability CVE-2011-2462 in December 2011.
  • "Hostdefence[.]net" was registered by the email address "parviz7415 [at] yahoo.com", and has another sub domain of "server.hostdefence[.]net". Both "server.hostdefence[.]net" and "altchksrv.hostdefence[.]net" resolved to 216.2.95[.]195, (the APAIT IP address) for nearly 12 months.
  • A malware sample submitted to ThreatExpert in January 2012 was labeled Sykipot by Kaspersky antivirus signatures, and attempts connections to 216.2.95[.]195.  Victims were exploited to deliver malicious software that enabled a command and control relationship between their compromised systems and the Sykipot actor's infrastructure.  Domains were tailored to the medical community and medical systems that used unwilling participants in exploitation efforts as midpoint hops.
  • While not connected to Sykipot, between December 8, 2011 and January 18, 2012, four other malware samples were submitted to ThreatExpert that had APAIT IP address 216.2.95[.]195 embedded as a command and control destination. All were assessed to be of Chinese origin.
  • Further research shows a 2010 targeted email attack using an APAIT Internet Protocol address to send a malicious spearphishing message.

APT Example 3:
Between June and July of 2012, a group of Chinese threat actors (also known as "VOHO") employed a driveby download campaign to mass compromise their victims.  The targets appeared to be specifically chosen to compromise victims involved in business and local governments in Washington, D.C. and Boston, Massachusetts, as well as organizations involved the development and promotion of the democratic process in non-permissive regions.  The attackers used the Gh0st RAT to interact with their victims.  According to a report by RSA, the attackers compromised a legitimate Taiwanese medical web site, "www.wsdhealty[.]com" to host malicious software that exploited Java and Microsoft vulnerabilities CVE-2012-1889 and CVE-2012-1723.  Cyber Squared was able to identify that the attackers also staged the domain, "nih-gov.darktech[.]org" within associated malicious command and control infrastructure also used within the initial VOHO campaign.  This likely indicates an infrastructure management technique on the part of the VOHO actors in targeting the National Institute of Health (NIH) as part of the VOHO campaign.

The threats posed by resourced and sophisticated threat groups targeting the medical and life sciences industry is very real.  The application of economic espionage within these industries ultimately leaves multi-billion dollar lifesaving research and medical breakthroughs in the crosshairs.  Organizations, who invest their time and resources specializing in advanced life sciences and research, must begin to address the risks posed by sophisticated threats in an effort to minimize intellectual property loss and disruptions to business operations. Those who are unwilling to address the risk posed by persistent cyber threats could face the loss of intellectual property, market share, revenues and much more.

All of the APT examples highlighted above have all been compiled and publicly shared under the Incident "20130313A: Medical Threats Blog" within the ThreatConnect community.  If you represent a medical research or life sciences organization and wish to obtain regular threat intelligence updates within a secure community sharing exchange, please register at ThreatConnect.com for an organizational account. The Medical Case Study, "Medical Industry, A Cyber Victim: Billions Stolen and Lives At Risk", is available on the Cyber Squared downloads page.

More Stories By Rich Barger

Rich is the Chief Intelligence Officer for Cyber Squared and the ThreatConnect Intelligence Research Team (TCIRT) Director.

Latest Stories
"With Digital Experience Monitoring what used to be a simple visit to a web page has exploded into app on phones, data from social media feeds, competitive benchmarking - these are all components that are only available because of some type of digital asset," explained Leo Vasiliou, Director of Web Performance Engineering at Catchpoint Systems, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
21st International Cloud Expo, taking place October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA, will feature technical sessions from a rock star conference faculty and the leading industry players in the world. Cloud computing is now being embraced by a majority of enterprises of all sizes. Yesterday's debate about public vs. private has transformed into the reality of hybrid cloud: a recent survey shows that 74% of enterprises have a hybrid cloud strategy. Me...
SYS-CON Events announced today that DXWorldExpo has been named “Global Sponsor” of SYS-CON's 21st International Cloud Expo, which will take place on Oct 31 – Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Digital Transformation is the key issue driving the global enterprise IT business. Digital Transformation is most prominent among Global 2000 enterprises and government institutions.
SYS-CON Events announced today that Datera, that offers a radically new data management architecture, has been named "Exhibitor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Datera is transforming the traditional datacenter model through modern cloud simplicity. The technology industry is at another major inflection point. The rise of mobile, the Internet of Things, data storage and Big...
Kubernetes is an open source system for automating deployment, scaling, and management of containerized applications. Kubernetes was originally built by Google, leveraging years of experience with managing container workloads, and is now a Cloud Native Compute Foundation (CNCF) project. Kubernetes has been widely adopted by the community, supported on all major public and private cloud providers, and is gaining rapid adoption in enterprises. However, Kubernetes may seem intimidating and complex ...
"Outscale was founded in 2010, is based in France, is a strategic partner to Dassault Systémes and has done quite a bit of work with divisions of Dassault," explained Jackie Funk, Digital Marketing exec at Outscale, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We focus on SAP workloads because they are among the most powerful but somewhat challenging workloads out there to take into public cloud," explained Swen Conrad, CEO of Ocean9, Inc., in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We are still a relatively small software house and we are focusing on certain industries like FinTech, med tech, energy and utilities. We help our customers with their digital transformation," noted Piotr Stawinski, Founder and CEO of EARP Integration, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"I think DevOps is now a rambunctious teenager – it’s starting to get a mind of its own, wanting to get its own things but it still needs some adult supervision," explained Thomas Hooker, VP of marketing at CollabNet, in this SYS-CON.tv interview at DevOps Summit at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We've been engaging with a lot of customers including Panasonic, we've been involved with Cisco and now we're working with the U.S. government - the Department of Homeland Security," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held June 6-8, 2017, at the Javits Center in New York City, NY.
"We're here to tell the world about our cloud-scale infrastructure that we have at Juniper combined with the world-class security that we put into the cloud," explained Lisa Guess, VP of Systems Engineering at Juniper Networks, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
Your homes and cars can be automated and self-serviced. Why can't your storage? From simply asking questions to analyze and troubleshoot your infrastructure, to provisioning storage with snapshots, recovery and replication, your wildest sci-fi dream has come true. In his session at @DevOpsSummit at 20th Cloud Expo, Dan Florea, Director of Product Management at Tintri, provided a ChatOps demo where you can talk to your storage and manage it from anywhere, through Slack and similar services with...
As enterprise cloud becomes the norm, businesses and government programs must address compounded regulatory compliance related to data privacy and information protection. The most recent, Controlled Unclassified Information and the EU’s GDPR have board level implications and companies still struggle with demonstrating due diligence. Developers and DevOps leaders, as part of the pre-planning process and the associated supply chain, could benefit from updating their code libraries and design by in...
"Peak 10 is a hybrid infrastructure provider across the nation. We are in the thick of things when it comes to hybrid IT," explained Michael Fuhrman, Chief Technology Officer at Peak 10, in this SYS-CON.tv interview at 20th Cloud Expo, held June 6-8, 2017, at the Javits Center in New York City, NY.
SYS-CON Events announced today that Calligo, an innovative cloud service provider offering mid-sized companies the highest levels of data privacy and security, has been named "Bronze Sponsor" of SYS-CON's 21st International Cloud Expo ®, which will take place on Oct 31 - Nov 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA. Calligo offers unparalleled application performance guarantees, commercial flexibility and a personalised support service from its globally located cloud plat...