Hackers working on behalf of the Chinese government are exploiting customer relationships between IT service providers and the healthcare, pharmaceutical and medical research sectors working on the global Covid-19 coronavirus response, according to a public service announcement (PSA) issued by the US Cybersecurity and Infrastructure Security Agency (CISA).
Such supply chain attacks are nothing new from a cyber security perspective, and can be remarkably effective, as service providers will often have highly trusted access to customers’ critical systems.
In the PSA, which was made jointly with the FBI, CISA said: “Chinese government cyber threat actors are actively exploiting trust relationships between IT service providers such as managed service providers and cloud service providers, and their customers.
“The intent of sharing this information is to enable network defenders to identify and reduce exposure to Chinese malicious cyber activity. However, mitigation for this activity can be complex, and there is no single solution that will fully alleviate all aspects of the threat actor activity.”
All known victims of this activity have already been notified by CISA and/or the FBI, but there may be others who remain unidentified, so CISA and the FBI made a number of recommendations for those likely to be at risk of compromise by Chinese agencies.
These include patching critical vulnerabilities in a timely manner, particularly those disclosed on internet-connected servers or software that processes internet data; actively scanning web apps for unauthorised access, modification or other anomalies; improving credential requirements and adopting multi-factor authentication; and tracking user activity for anybody exhibiting unusual behaviour that may suggest they have been compromised by an intelligence agency.
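One way to act on the last of those recommendations for the provider trust relationships the advisory describes, as an added example that is not from CISA or this article: compare each service-provider account's logins against an agreed profile (source network, host scope, maintenance window) and flag deviations. The log lines, account names, addresses and profile below are constructed.

```python
import ipaddress
from datetime import datetime

# Constructed sample authentication log: time, account, source IP, target host, result.
SAMPLE_LOGS = """\
2020-05-12T02:14:07Z msp-backup 203.0.113.10 db-research-01 success
2020-05-12T03:40:55Z msp-backup 203.0.113.12 db-research-02 success
2020-05-12T13:05:21Z msp-backup 198.51.100.7 db-research-01 success
2020-05-12T02:30:00Z msp-backup 203.0.113.10 hr-fileserver success
2020-05-12T09:12:44Z alice 10.0.5.23 workstation-17 success
"""

# Hypothetical profile for a managed service provider account: the networks it should
# connect from, the hosts it is contracted to touch, and its maintenance window (UTC hours).
PROVIDER_PROFILES = {
    "msp-backup": {
        "networks": [ipaddress.ip_network("203.0.113.0/24")],
        "hosts": {"db-research-01", "db-research-02"},
        "window": (1, 5),  # 01:00 to 05:00 UTC
    },
}

def parse_line(line):
    ts, account, src, host, result = line.split()
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
            "src": ipaddress.ip_address(src), "host": host, "result": result}

def check_event(event):
    """Return the reasons this login deviates from the account's agreed profile."""
    profile = PROVIDER_PROFILES.get(event["account"])
    if profile is None:
        return []  # not a monitored provider account
    reasons = []
    if not any(event["src"] in net for net in profile["networks"]):
        reasons.append("source outside provider network")
    if event["host"] not in profile["hosts"]:
        reasons.append("host outside agreed scope")
    start, end = profile["window"]
    if not (start <= event["time"].hour < end):
        reasons.append("outside maintenance window")
    return reasons

def find_anomalies(log_text):
    """Scan the log and return (account, source, host, reasons) for every deviation."""
    alerts = []
    for line in log_text.splitlines():
        if line.strip():
            event = parse_line(line)
            reasons = check_event(event)
            if reasons:
                alerts.append((event["account"], str(event["src"]), event["host"], reasons))
    return alerts
```

A profile like this is only as good as the contract it encodes; review it with the provider whenever their scope, addresses or maintenance schedule change.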
It may also be worth noting that media attention affiliating medical organisations with Covid-19 research could act as a draw for attackers that might otherwise have overlooked them, said CISA.
“Healthcare, pharmaceutical, and research sectors working on the Covid-19 response should all be aware they are the prime targets of this activity and take the necessary steps to protect their systems,” said the agency.
It said that China’s efforts to target these sectors pose a significant threat to the Covid-19 response – and although the PSA is US-specific, the same basic guidance applies equally to organisations operating in the UK.
It also equally applies to organisations outside of the healthcare sector, as pointed out by security strategist Sam Humphries of SIEM specialist Exabeam, who said it was highly likely the campaign of industrial espionage was far more diverse.
“The news that two construction companies, Interserve and Bam Construct, are now dealing with attacks, demonstrates that this is part of a broader geopolitical tension – one that seeks to undermine public confidence in a government under significant pressure to show that it is putting lives first,” said Humphries.
“These attacks have all the hallmarks of a nation state-enabled group; they step outside the ‘normal’ increase in traditional social engineering attacks we’re seeing from traditional cyber criminals.”
Humphries added that, unfortunately, it was also likely many of these attacks would be successful, as many organisations “caught in the coronavirus crosshairs” would likely be experiencing the more coordinated and sophisticated attacks associated with nation-state advanced persistent threat (APT) groups for the first time.
“It’s fairly certain that – given the remote working reality we are facing – these groups are taking advantage of the additional threat vectors posed by corporate networks that now extend far beyond the four walls of the office and into employees’ homes. Here, the same standards of controls and security are not easily attainable for most organisations,” she said.
Cybereason CSO Sam Curry said that the attacks were nothing less than an act of war. “The most amazing thing about the cyber conflict among many amazing things on the internet is anonymity: there is a complete decoupling of rhetoric from actions. ‘Deny ’till you die’ is the mantra in cyber and geopolitics. However, actions speak louder than words,” he said.
“The attacks in a time of pandemic on the healthcare and research infrastructure are diabolical. In any other theatre besides cyber, they would be a clear act of war and subject to diplomatic, economic and potentially military reprisals.
“We might have disinformation and misinformation wars in the propaganda sphere, but cyber-brinksmanship at this time is a whole different game and could render any short-term gains by belligerents moot in a world where they become pariahs once the crisis clears. Beware playing existential games at a time like this to all cyber nations.”
While unlikely to lead to a shooting war in the Pacific, CISA’s advisory will clearly not help improve the increasingly troubled relationship between the US and China.
US president Donald Trump and his supporters have exploited the coronavirus crisis to ramp up a deeply personal campaign against China, using social media platforms to spread lies that the virus escaped from a research laboratory.