Getty Images/iStockphoto

DHS CISA, FBI Warn Chinese Hackers Targeting COVID-19 Research Firms

A joint alert from DHS CISA and the FBI warns hackers tied to the People’s Republic of China are targeting and compromising the networks of research facilities working on the COVID-19 response.

Research facilities working on the response to the COVID-19 pandemic are being targeted by hackers tied to the People’s Republic of China, according to a joint alert from the FBI and the Department of Homeland Security Cybersecurity and Infrastructure Agency.

The public service announcement warns organizations researching COVID-19 are likely being targeted and compromised by these nation-state hackers and should be on alert as they’re “prime targets of this activity.” The US accused China of similar attacks last year, with DHS warning Chinese hackers were launching targeted attacks in an effort to exploit the supply chain. The US government previously warned those hackers could use medical research data for blackmail.

The notice follows another joint alert from CISA, the FBI, and the Department of Defense of three new malware variants tied to nation-state actors from North Korea.

The agencies have been actively reporting on cybersecurity threats tied to the Coronavirus, with hackers targeting everything from Virtual Private Networks (VPNs) to launching password-spraying attacks on the healthcare sector and other essential services. The World Health Organization, in particular, has seen a drastic increase in cyberattacks on its workforce amid the COVID-19 response.

The latest advisory explained the FBI is currently investigating these targeted attacks, where the threat actors attempt to identify and illicitly obtain valuable intellectual property and public health data, including information tied to vaccines, treatments, and testing from COVID-19 researchers’ networks and their workforce.

“Healthcare, pharmaceutical and research sectors working on COVID-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems,” officials warned.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” they continued. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

In response, the agencies are asking these organizations to be alert for suspicious activity and to report incidents of compromise to their local FBI field office, while CISA officials urged research organizations supporting the COVID-19 response to partner with the agency to protect these COVID-19 efforts.

Further, to mitigate these cyberattacks, organizations should ensure all systems have been patched for critical vulnerabilities. Healthcare notoriously struggles with patch management, which causes serious cybersecurity gaps in its IT infrastructure.

“[Healthcare organizations] have information about a ‘point in time,’ however most would not be aware of a vulnerability and thus a patch, until after a vulnerability scan is complete,” CHIME President, CEO Russell Branzell, and Sean Murphy, AEHIS Advisory Board Chair, told Sen. Mark Warner, D-Virginia, last year.

“In some organizations that run scans 24 hours a day, a need for a patch may not present until 48 hours at the earliest,” they added. “The CIOs and CISOs suggested that while real-time patch status may be known for certain devices, it does not exist for many.”

In light of COVID-19, CISA urges organizations to prioritize timely patching for known vulnerabilities of all internet-connected servers, devices, and software that processes internet data. These research facilities should also be actively scanning web applications for any unauthorized access, modification, or other anomalous activities.

As noted by researchers and federal agencies in the past, credential requirements should be improved, and multi-factor authentication should be required. Microsoft research has shown MFA blocks 99.9 percent of all automated cyberattacks.

Lastly, organizations should both identify and suspend access of users who display any unusual activity.

For more COVID-19 cyber guidance, research organizations could look to a host of resources provided by the Office for Civil Rights and security researchers.

In recent weeks, insights have been shared around human-operated ransomware, business email compromise schemes, VPNs, remote desktop protocol (RDP) servers, cloud and Microsoft Office O365, phishing attacks, telework, and videoconferencing platforms like Zoom.

Next Steps

Dig Deeper on Cybersecurity strategies