The whole world is fighting the spread of COVID-19 and working to return to the lives we had before. Pharmaceutical and medical research teams in different countries are busy searching for a solution to win the battle against the virus. However, cybercriminals and threats don’t rest, even in an international crisis. There are a number of threats that pharmaceutical companies may face as they look for this curative “Holy Grail,” from theft of their research by advanced threat actors to ransomware infections that render their information inaccessible. This publication aims to cover a sampling of these threats, giving details on threat actors, tools and TTPs, and offering some recommendations on how to mitigate these risks in order to be able to focus on the common threat at the moment: COVID-19.
Threats to the Pharmaceutical Industry
Pharmaceutical companies experience many of the same threats as their peers in other industries, with the threat actors behind ransomware attacks and business email compromise (BEC) schemes targeting largely indiscriminately. Intellectual property (IP) theft, both at the hands of nation-state hacking collectives as well as unethical competitors is of particular concern for an industry where research and development of drugs can take decades.
Organizations continue to feel the squeeze of ransomware, and the pharmaceutical industry is no exception. While the period of rampant and widespread ransomware infections that characterized 2017 appears to be behind us, cybercriminals have continued to deploy ransomware in increasingly targeted and potent ways. The past few years have seen the rise in ransomware gangs engaging in “big game hunting,” a term used to describe the technique of electing to go after large targets with the means to pay exorbitant ransoms. This means that any big business, in any industry, is an enticing target to cybercriminals.
Double extortion is another ransomware innovation, popularized in 2019. In these cases, ransomware gangs both steal and encrypt data at the compromised entity. Should the victim decline to pay the ransom, the attackers threaten to publicly publish the stolen information, thereby upping the ante for security teams. Double extortion represents a particularly tricky situation for pharmaceutical companies, as they are often the bearers of a tremendous wealth of sensitive information. As an example, this is what happened to ExecuPharm in March 2020 following an attack by TA505 that utilized Clop ransomware.
Threat actors have been stealing data and using it to extort victims for years, even before the prevalence of ransomware. As stated, the sensitivity of the information held by pharmaceutical companies makes it even more critical to keep control of this data. There are known instances of threat actors compromising organizations, stealing data, and then holding it ransom in hopes of receiving a large payout. For example, the prolific cyber extortionist TheDarkOverlord engaged in various extortion schemes like this that targeted healthcare entities such as dental and medical offices as recently as 2017.
Intellectual Property Theft
That sensitive information is not just useful to cybercriminals hoping to ransom it for money. Nation-state threat groups and perhaps even unethical competitors also have their eyes on this prize. For instance, Chinese nation-state hackers are known to target US pharmaceutical companies. Researchers believe that information stolen in these incidents is likely passed on to Chinese companies in order to try to gain an advantage against their US-based competitors. The amount of time and research that goes into researching and developing new pharmaceuticals makes such IP theft particularly menacing. In the current context of COVID-19, this may mean targeting information such as proprietary manufacturing processes, formulas, recipes, or data from clinical trials related to the development of a vaccine or other medical mitigation measures.
Business Email Compromise (BEC)
Threats need not all be nation-state hacking and sophisticated ransomware gangs, however. Schemes involving BEC are becoming increasingly savvy and lucrative. Researchers at the FBI’s Internet Crime Complaint Center (IC3) found than in 2019 alone, BEC schemes accounted for $1.77 billion USD in losses, up from $1.3 billion in 2018. In a typical BEC scheme, emails belonging to high profile figures at an organization may be stolen or spoofed in order to dupe other employees into trusting the veracity of an order to carry out a large money transfer or some other similar task. The money or other assets (sometimes, for examples, gangs request gift cards) are – unknowingly to the victim carrying out the task – directed into cybercriminal hands. Phishing attacks and BEC activities against the pharmaceutical sector jumped 129% in 2018 according to researchers at Proofpoint, underscoring the increasing prevalence of this threat.
Threat Actors Targeting the Pharmaceutical Sector
Figure 1 – Map of APT41 targets
APT41 is a Chinese state-backed espionage group as well as a financially-motivated criminal enterprise. Their attacks are highly sophisticated, often employing compromised digital certificates and deploying bootkits and rootkits.
During Q1 2020, APT41 exploited critical vulnerabilities in Citrix NetScaler/ADC, Cisco routers, and Zoho ManageEngine in order to target strategic organizations in a wide range of industries, including healthcare, pharmaceutical, manufacturing, and high technology in at least twenty countries.
Australia, Canada, Denmark, Finland, France, India, Italy, Japan, Malaysia, Mexico, Myanmar, Philippines, Poland, Qatar, Saudi Arabia, Singapore, South Africa, Sweden, Switzerland, Thailand, Turkey, United Arab Emirates, United Kingdom, United States.
Figure 2 – Map of APT18 targets
APT18 is a Chinese threat group that has operated since at least 2009 and has targeted a range of industries, including technology, healthcare, manufacturing, government, and human rights groups.
Since at least 2013, APT18 has targeted biotech and pharmaceutical organizations, as well as organizations specializing in cancer research. APT18’s modus operandi is to implant a backdoor in order to stay under the radar while stealing information related to intellectual property (IP), personally identifiable information (PII), and protected health information (PHI), and medical imaging equipment files.
It is widely believed that this threat actor orchestrated the 2014 attack exploiting the OpenSSL vulnerability ‘Heartbleed’ that resulted in the loss of 4.5 million hospital patient records from the US-based Community Health Systems.
Figure 3 – Map of APT10 targets
APT10’s first known activity dates back to 2006 with a massive surveillance campaign targeting more than 45 entities across industries including technology, aerospace, manufacturing, and pharmaceuticals, in addition to US government agencies. This campaign was likely conducted on behalf of the Chinese government.
Between 2014 and 2017, APT10 carried out supply-chain attacks where they infiltrated the networks of managed service providers (MSPs) in order to gather intellectual property and other sensitive data related to the fields of finance, telecommunications, manufacturing, healthcare, biotechnology, and more.
Although the US Department of Justice indicted two members of APT10 in 2018, the threat group remains active and carried out multiple campaigns throughout 2019.
Brazil, Canada, Finland, France, Germany, India, Japan, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States.
TA505 & Silence
Figure 4 – Map of TA505 & Silence targets
TA505 has targeted the research, finance, manufacturing, and pharmaceutical industries with the Clop ransomware. The attackers manage a website dubbed “CL0P^_- LEAKS” where they publish data stolen from the companies that refuse to pay the ransom. The website states that the group has never attacked hospitals, orphanages, nursing homes, and charitable foundations; the group makes an explicit exception for commercial pharmaceutical organizations. According to the threat group, these are the only entities benefiting from the COVID-19 pandemic.
In March 2020, ExecuPharm, a company that provides clinical research support services for the pharmaceutical industry, was hit by TA505. The group used Clop ransomware to steal and leak nearly 19,000 emails and 163 GB of financial and accounting documents as well as employee records.
A group closely tied to TA505 (or perhaps part of it) is Silence, known for stealing approximately $4.2 million USD from financial institutions. In January 2020, researchers reported that Silence switched its targeting and attacked at least two European pharmaceutical and manufacturing companies. In the attack, the cybercriminals used different Silence modules along with the tool TinyMet, and a Local Privilege Escalation (LPE) exploit for CVE-2019-1405 and CVE-2019-1322.
Argentina, Armenia, Australia, Austria, Bangladesh, Belarus, Bulgaria, Canada, Chile, China, Costa Rica, Cyprus, Czech Republic, Georgia, Germany, Ghana, Greece, Hong Kong, India, Indonesia, Ireland, Israel, Italy, Jordan, Kazakhstan, Kenya, Kyrgyzstan, Latvia, Malaysia, New Zealand, Poland, Romania, Russia, Saudi Arabia, Singapore, South Africa, South Korea, Switzerland, Taiwan, Turkey, Ukraine, United Arab Emirates, United Kingdom, United States, Uzbekistan, Vietnam.
Dridex Gang & Trickbot Group
Figure 5 – Map of Dridex Gang & Trickbot Group targets
The Dridex Gang and Trickbot Group are well-known in the cybercrime world because they operate the infamous and eponymous banking Trojans Dridex and Trickbot. However, in the past few years they have also carried out attacks against companies where devices had previously been infected with Dridex or Trickbot. After establishing a foothold in the targeted network, they use different tools like PowerShell Empire or mimikatz to move laterally and identify critical systems in order to deploy their ransomware: BitPaymer in the case of Dridex Gang, and Ryuk in the case of Trickbot Group. Both groups use different techniques to obtain the first infections in the targeted organizations but they both use the malware distribution services provided by the Emotet spambot.
Argentina, Australia, Austria, Brazil, Canada, Chile, Colombia, Denmark, Finland, France, Germany, India, Ireland, Israel, Italy, Japan, Lithuania, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Peru, Singapore, Spain, Sweden, Switzerland, United Arab Emirates, United Kingdom, United States.
Malware & Hacking Tools
Different kinds of hacking tools and malware families are used by advanced and not-so-advanced attackers to target the pharmaceutical industry. Most of these tools help cybercriminals open the door to targeted companies, move laterally within them, and steal sensitive information from the compromised systems. These are the most relevant tools:
PlugX, also known as Sogu, Kaba, or Korplug, is a remote access tool (RAT) that uses different modules to enhance its capabilities. PlugX has been around since at least February 2008, and throughout the years new modules and functionalities have been developed by its author. Its functionalities can permit full control of the infected computer thanks to different plugins, making PlugX more advanced than the average RAT. The malware is usually distributed via spearphishing and it has been used by multiple threat actor groups. It is commonly used by Chinese advanced attackers like APT10 or APT41, among others, against the pharmaceutical industry.
Mimikatz is a well-known post-exploitation tool used to extract plaintext and hashed passwords, PIN codes, and Kerberos tickets from memory. The tool can also perform pass-the-hash, pass-the-ticket or build Golden tickets and it is popular among pentesters and red teams to help them test the security of systems. However, it is also popular among cybercriminals and it is commonly used to dump credentials after an intrusion is made in order to gain access to other systems and services or to elevate privileges.
Meterpreter & TinyMet
Meterpreter is a well-known and advanced payload that is included in the Metasploit Framework and provides an easy way to control a compromised machine. It is a public post-exploitation tool whose purpose is to provide complex and advanced features after a machine has been compromised. Some of its functionalities include dumping credentials, keylogging, screen/video recording, and allowing persistence, among others. Advanced attackers usually use meterpreter to easily control the targeted computers, making it easier to move laterally after the first infection or exploitation. His little brother, TinyMet, is a small meterpreter stager that allows the attacker to change the server and port from which they send commands. TA505 is known to have used TinyMet in their campaigns.
Cobalt Strike & PowerShell Empire
Both Cobalt Strike and PowerShell Empire are post-exploitation frameworks built to facilitate the control of the targeted systems by the adversaries. These tools are used legitimately by red teams to perform their assessments, but threat actors also use them extensively to move laterally after an intrusion. Cybercriminals groups like the Dridex Gang or Trickbot Group usually use them to move within the targeted networks and jump between systems before deploying their targeted ransomware, BitPaymer and Ryuk.
AgentTesla is a type of malware known as infostealer (or simply as a stealer). As its name suggests, its main objective is to steal information from the infected machine, including all type of credentials, payment card information, and files. It is also capable of capturing keystrokes and taking screenshots. This tool and other stealers such as AZORult or KPOT, among others, are generally used by not-too-advanced cybercriminals, but, in some cases, more sophisticated attackers can make use of them in order to easily collect credentials that they might use in a next step of the attack. Agent Tesla has recently been used to target healthcare and pharmaceutical industries as part of a COVID-19-themed phishing campaign.
Emotet is a modular malware which uses stolen credentials to send malicious emails containing attachments and links in order to distribute itself as well as additional malware families like Dridex and Trickbot. Blueliv monitors Emotet activity and can detect when a campaign is targeting a specific company. Within Blueliv’s Emotet dataset, analysts have identified Emotet carrying out campaigns in which malicious emails were sent to pharmaceutical companies such as Roche and GlaxoSmithKline (GSK), among others. As Emotet targeting may be considered the first step before a ransomware incident involving the likes of BitPaymer or Ryuk, it is important to be ready to detect and remediate these activities.
Figure 6 – Malicious email sent by an Emotet botnet to a Roche employee in January 2020
Most relevant TTPs to defend against
This report has already covered the threat actors and malware/tools that are relevant for security teams operating in the pharmaceutical sector. This section will now cover the most important techniques and modus operandi (aka TTPs) that those actors often use to carry out their attacks. Defending against and hindering the efficacy of those techniques will enormously help to decrease the odds of one of those attackers compromising a targeted organization. There is no such thing as 100% secure in security, but as many advanced threat actors use similar tools and techniques, protecting against that handful of commonly utilized TTPs will render a successful intrusion more difficult.
Spearphishing is one of the most popular techniques used by advanced threat actors to gain Initial Access. This technique involves the delivery of malicious emails to specific individuals within the targeted company. Threat actors operating with the objective of stealing intellectual property usually use spearphishing emails with malicious attachments or links in order to infect relevant stakeholders of the targeted organization with malware and subsequently steal information. These techniques are usually tied to T1204 – User Execution, as the victim is needed to execute the malicious document or visit the malicious link. This link might point to a compromised website where T1189 – Drive-by Compromise is used by the attackers, not needing any additional action from the user in order to get infected.
Due to the COVID-19 pandemic, more businesses have more employees working remotely. This unexpected demand has stretched the resources of IT teams as they worked to set up remote infrastructure under tight schedules, perhaps prioritizing availability over security and possibly leaving systems exposed on the Internet. This is something that attackers, advanced and not-so-advanced, will certainly check while preparing an attack. Similarly, the increase in the use of videoconference software had likewise made these applications and platforms a prime target for cybercriminals.
As detailed in Blueliv’s Credential Theft Ecosystem report, a single valid account can be the first step towards the full compromise of an organization. Threat actor groups like APT18, APT41, or the gang behind Emotet have used valid accounts to carry out exploitation tasks related to Initial Access, Privilege Escalation, and Lateral Movement.
Once threat actors have access to a system or systems, the typical behavior is to try to gather all the credentials they can from the system in order to try to move laterally or access the systems easily. As mentioned earlier, attackers targeting the pharmaceutical industry use tools such as mimikatz to accomplish this task.
This is probably one of the most used techniques with regards to advanced attacker intrusions. It is quite common to see actors copying tools and additional malware from their controlled servers onto the victims’ systems in order to support lateral movement. Tools and frameworks described above like Meterpreter, Cobalt Strike, or PowerShell Empire allow the attackers to easily copy files to compromised systems.
This is the main technique employed by threat actors who use targeted ransomware to extort companies. Adversaries choose important systems upon which to drop their ransomware, encrypting those systems and thereby causing a huge disruptive impact on the organization. Threat actors such as TA505 and the Dridex and Trickbot Groups share this modus operandi, and all of them should be considered threats to the pharmaceutical industry.
Figure 7 – ATT&CK TTPs used by threat actors targeting the pharmaceutical industry.
The darker the color red, the more actors use that technique.
Increased connectivity also means increased opportunities for intruders to infiltrate an organization. It is important to make sure that just the needed systems are reachable from the outside and that the ones which need to be there are properly secured in order to keep the attack surface at the minimum. Third-party providers can help to spot those services and systems which should not be there.
Security awareness and training
Investing in awareness training can reduce an organization’s risk of a breach by as much as 70%. Organizations must ensure that all staff have a basic understanding of cyber risk and understand their individual responsibility when it comes to protecting organizational data. To create this culture of security, professionals of all levels should undergo regular cybersecurity training and education. Additionally, the pharmaceutical industry would benefit from sharing cyber risk information with peers, collaborators, and like-minded groups. By taking insights from comprehensive threat intelligence and sharing it with the wider industry, organizations can contribute to the reduction of response times, aid in the prevention of breaches, and help bolster preventative measures, ultimately leading to a smarter, more secure industry.
Good security practices
Pharmaceutical companies should establish standard operating procedures (SOPs) regarding computer passwords and backup procedures. Carrying out regular backups can help to mitigate a data loss disaster and can speed up the Disaster Recovery process tremendously. Keeping backups offline increases the odds of organizations being able to successfully recover from a ransomware attack, as cybercriminals typically attempt destroy or disable backups that they may find during an intrusion.
Patch vulnerabilities to the best extent possible
A recent survey revealed that the pharmaceutical and healthcare industries are struggling to keep on top of patching. Vulnerabilities are not being patched promptly, leaving organizations open to attack. The report revealed that 57% of respondents had experienced at least one data breach where access to the network was gained by exploiting a vulnerability for which a patch had previously been released. Companies should take an unbiased inventory of vulnerability response capabilities leveraging Threat Intelligence to prioritize and strategize their patching operations.
Monitor your leaked documents
Pharmaceutical companies should monitor cloud repositories, public folders, and peer-to-peer networks for data that could represent leaked confidential or sensitive information, thus enabling them to identify data bypassing their existing DLP controls and ensuring compliance with standards such as GDPR.
Monitor your stolen credentials
Proactive Threat intelligence can be used to scour the surface, deep, and dark web for evidence of compromised credentials as well as support the detection of malware infections which could lead to credentials being stolen. Blueliv’s ThreatCompass solution crawls the web and uses sinkholes, honeypots, sensors, and other tools to provide visibility into the C2 servers coordinating attacks, so you’ll be the first to know if they turn their attention towards your organization. The same intelligence can be used to proactively hunt and analyze malware to help fortify cyber-defenses against such threats.
Monitor your network traffic
Pharmaceutical companies should perform automatic email analysis to detect and stop malicious emails. Analyzing network traffic should enable security teams to detect anomalies in the incoming and outgoing traffic. In addition, security practitioners should consult enriched and contextualized threat indicators (IPs, domains, URLs, hashes, and more) to detect global emerging cyberthreats.
Threat Correlation and Contextualization
Incident Response cases and investigations provide important insights to technical teams at pharmaceutical companies. Whether an attacker is successful or not in the execution of an attack, the IR team will have to deal with a long list of IOCs, including hashes, IPs, domains, and URLs. It is crucial to efficiently correlate these IOCs with known actors, campaigns, and tools in order to add context and arrive at the bigger picture. Threat intelligence is able to help identify complex interrelationships between threat actors and indicators and, by correlating CVEs with campaigns and other indicators, can aid in threat actor attribution and threat prioritization. Quick and intuitive access to threat data with pivoting capabilities is a must for pharmaceutical cybersecurity analysts to gather enriched, contextualized insights before, during, and after an attack. This in turn accelerates triage processes and incident response by leveraging information to help orchestration systems prioritize the relevant IOCs and detail needed for forensics.
In terms of cyberattacks, the pharmaceutical industry bears a similar threat profile to other industries. Opportunistic cybercriminals engaged in big game hunting will endeavor to attack any large entity with their targeted ransomware, while not-so-advanced attackers may scan the whole Internet in search of exposed systems using vulnerable software or weak passwords. Recommendations are not any different than those given to any other company in any other sector: have strong security practices and good corporate cybersecurity awareness.
However, the pharmaceutical sector does have some unique threats, chief among them being the theft of intellectual property. Such theft is typically performed by sophisticated threat actors. This is not an easy-to-defend-against scenario, and companies must be willing to invest in the proper resources to defend against it. The current COVID-19 pandemic is making the gains to be made from intellectual property theft more tantalizing. In this situation, a skilled security team with the right Threat Intelligence can help keep the company safe and ensure that the focus is kept on the important task of vaccine development. Unfortunately, the pharmaceutical industry will continue to be the target of advanced attackers even after this pandemic subsides; actionable intelligence and a fast response are the best weapons to defend against these threats.