The biomedical community is working hard to develop vaccines against SARS-CoV-2 and discover new treatments for COVID-19, while nation-state hackers and cybercriminal organizations are targeting those organizations to gain access to their research data.
Recently, security agencies in the United States, Canada, and the United Kingdom issued alerts about state-sponsored Russian hackers targeting organizations involved in COVID-19 research and vaccine development. The security agencies had found evidence that the Russian hacking group APT29 was actively conducting scans against the external IP addresses of companies engaged in COVID-19 research and vaccine development, and that it was almost certain that the hackers were working with the Russian intelligence services.
A joint alert was also issued by the U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency and the FBI indicating that hackers linked to China were conducting similar attacks on pharmaceutical companies and academic research facilities to obtain intellectual property and sensitive data related to COVID-19. There have also been reports that hackers in Iran are conducting similar attacks.
In light of the recent attacks and targeting of research facilities, BitSight conducted a study to determine how well COVID-19 vaccine manufacturers and biomedical companies are performing at protecting their systems and data from hackers. BitSight researchers assessed 17 companies for the study, each of which has a major role in COVID-19 research and vaccine development. Those companies ranged from small firms with fewer than 200 employees to large companies with more than 200,000 employees.
BitSight found several security vulnerabilities that could be exploited by hackers to gain access to intellectual property and vaccine and COVID-19 research data. The security vulnerabilities were divided into four areas: open ports, unpatched vulnerabilities, web application security, and systems that had already been compromised.
BitSight found that 8 of the 17 companies had their systems compromised in the past year and had computers that were part of a botnet, and 7 companies had computers added to a botnet in the past 6 months. BitSight also searched for software running on company systems that the companies likely did not install. These Potentially Unwanted Programs (PUPs) were found at 9 companies, and 8 companies had PUPs installed in the past 6 months. Five companies had computers that were sending spam, and the researchers identified unsolicited communications at three companies. Compromised systems show that the companies’ security controls have failed and that the companies could be, or already have been, hacked by adversaries seeking access to COVID-19 data.
The majority of companies had open ports that exposed insecure services to the internet, including 7 companies with Microsoft RDP exposed and a further 7 with LDAP exposed. 5 companies had exposed MySQL, MS SQL or PostgreSQL databases, and a further 5 had an exposed Telnet service. The exposed Microsoft RDP was of particular concern, since hackers and ransomware gangs actively search for exposed RDP devices.
14 of the 17 companies were found to have unpatched vulnerabilities that could potentially be exploited remotely by hackers. 10 companies had more than 10 unpatched vulnerabilities and 6 had unpatched vulnerabilities with a CVSS score greater than 9.
Web application security issues were also common, such as insecure redirects from HTTPS to HTTP, insecure authentication, and a mixture of secure and insecure content on web pages (mixed content). Many of the companies had more than one web application security issue. These issues placed the companies at risk of man-in-the-middle and cross-site scripting attacks, which could potentially result in hackers capturing sensitive data, obtaining credentials, and compromising email systems.
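Two of the web application findings above, HTTPS-to-HTTP redirects and mixed content, are straightforward for a site owner to check for on their own pages. The following Python script is an added example written for this article, not BitSight's assessment tooling; the host names and the HTML response it inspects are constructed samples, and the checks use only the standard library.

```python
"""Defender-side checks for two of the web application issues named above:
HTTPS->HTTP redirects and mixed (secure plus insecure) content.
Added illustration, not BitSight's tooling; the sample page and URLs
below are constructed, not captured from any assessed company."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Attributes that cause the browser to fetch a sub-resource (hyperlinks are
# excluded: an <a href> does not load anything until it is clicked).
RESOURCE_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
    "object": ("data",),
}


class _ResourceCollector(HTMLParser):
    """Collects the URL of every sub-resource a page would load."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name in RESOURCE_ATTRS.get(tag, ()):
            for attr, value in attrs:
                if attr == name and value:
                    self.urls.append(value)


def find_mixed_content(page_url, html):
    """Return the absolute http:// URLs an HTTPS page would load.

    Browsers block or warn on these, and an on-path attacker can tamper with
    them. Relative and scheme-relative ("//host/...") URLs inherit the page's
    scheme, so they are resolved before being judged.
    """
    if urlsplit(page_url).scheme != "https":
        return []  # mixed content is only meaningful for HTTPS pages
    collector = _ResourceCollector()
    collector.feed(html)
    insecure = []
    for raw in collector.urls:
        absolute = urljoin(page_url, raw)
        if urlsplit(absolute).scheme == "http":
            insecure.append(absolute)
    return insecure


def is_insecure_redirect(request_url, status, location):
    """True when an HTTPS request is answered with a redirect to plain HTTP.

    Such a redirect silently drops the session to cleartext, exposing
    cookies and credentials to a man-in-the-middle.
    """
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    target = urljoin(request_url, location)  # Location may be relative
    return (urlsplit(request_url).scheme == "https"
            and urlsplit(target).scheme == "http")


# --- constructed sample data (not from any real site) ----------------------
SAMPLE_PAGE_URL = "https://research.example/portal"
SAMPLE_HTML = """
<html><head>
  <link rel="stylesheet" href="/static/site.css">
  <script src="http://cdn.example/analytics.js"></script>
  <script src="//cdn.example/app.js"></script>
</head><body>
  <img src="http://images.example/logo.png">
  <a href="http://partner.example/">partner</a>
</body></html>
"""

if __name__ == "__main__":
    for url in find_mixed_content(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print("mixed content:", url)
    if is_insecure_redirect("https://research.example/login", 302,
                            "http://research.example/login"):
        print("insecure redirect: HTTPS login redirected to HTTP")
```

In practice the HTML and the redirect status and `Location` header would come from fetching one's own pages; the relative stylesheet and the scheme-relative script are deliberately left unflagged, because they inherit HTTPS from the page, while the two absolute `http://` resources are the ones a browser would treat as mixed content.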
“In light of these risks, the bioscience community must step up its cyber vigilance. It only takes a misconfigured piece of software, an inadvertently exposed port, or an insecure remote office network for a hacker to gain entry to systems that store scientific research, intellectual property, and the personal data of subjects involved in clinical trials,” warned BitSight. “[Companies] must revisit basic cybersecurity hygiene practices and find proven and efficient ways to continuously discover and manage risk exposure — across the extended attack surface and third-party ecosystem. Only then can remediation be prioritized, and life-saving science innovation assured.”