Nation-State Espionage Targeting COVID-19 Vaccine Development Firms - The Actions Security Teams Need To Take Now!

By Matthias Maier

Throughout the duration of COVID-19, there have been consistent rumors of increased nation-state espionage. In parallel, many recent ransomware strains have a COVID-19 tie-in.

Now the United Kingdom's National Cyber Security Centre (NCSC), published an advisory report that the threat group APT29 is targeting governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain which are involved in COVID-19 vaccines development and testing. APT29 is most likely attributed to the Russian intelligence service.

Phase 1: Is My Organization Impacted? Are We Affected?

As an organization within those sectors, you should make sure to establish real-time monitoring and appropriate alerting if you see any Indicator of Compromise (IoC) listed in the NCSC report.

Within your network traffic data you should look if any IP Connection is going to be established to those published malicious IPs. This includes network traffic data from/to default gateways, network egress points such as VPNs, DMZs as well as in Cloud environments such as AWS VPCs
Within your Endpoints, On-Prem Server Systems and Cloud Instances (EC2 etc.) you should validate if any process with the called out hashes are running. In addition, you should check with your endpoint protection solution if those hashes are on the blocklist already. In case they aren’t - add them.
On your proxy servers you should establish monitoring to detect any internet surfing activity quickly against the IPs.
At your public-facing business applications - on which your employees or your customers can log in - you should establish monitoring of any authentication attempts against the source IPs.

Phase 2: Have We Been Affected in the Past?

You should not just look into realtime information - but also look back and correlate the threat intelligence information available today with the data from yesterday and last week or maybe even months back. Even if the attack group cleaned up their trails today you are able to identify if they have been in your network and where potentially they still are in and are sleeping. Also, you can identify patient zero - the host or service that was compromised first to get initial access. Going forward that host might still be the weak point in your environment (at least as long as the cyber group hasn’t patched it which wouldn’t be uncommon ;-)).

Cyber Attack Alert

Security teams should look into uplevelling their security monitoring strategy to not just correlate IoCs - as they are too easy to change for an attacker. They should really look into detecting the behavior and scoring it appropriately.

Phase 3: Mature from IoCs Checks to Detect Tactics, Techniques and Procedures

While you shouldn’t stop looking for IoCs, on the next level you should look into behavior which can be more generally adopted and is way harder for a nation-state or coprorate espionage group to stay hidden.

For example, rather than relying on a list of hash values of malware files (IoCs) you can apply simple analytics such as newly seen or first seen executables based on hash values across your environment. Through this you not just detect brand new malware - you will also quickly detect unwanted programs or updates that went outside your routine process. Similar “new seen” concepts you can apply against data of privileged user logons to systems or applications they never logged on before. The Security Teams at Telia as well as Swisscom are disrupting the kill chain with this data-driven approach. From there you can further develop your prioritization strategy and determine what newly seen activity is worth investigating, or worth investigating first.

If Phase 1 and Phase 2 are happening regularly in your environment and are very time consuming - especially in large heterogeneous technology landscapes, you should think about utilizing SOAR Technology such as Splunk Phantom to automate those actions in a playbook across your cloud and on-prem environments.

Hope this helped you to bring this case to your attention and validate if your organization has been affected.

Best

Matthias

Matthias Maier

Matthias Maier is Product Marketing Director at Splunk, as well as a technical evangelist in EMEA, responsible for communicating Splunk's go-to market strategy in the region. He works closely with customers to help them understand how machine data reveals new insights across application delivery, business analytics, IT operations, Internet of Things, and security and compliance. Matthias has a particular interest and expertise in security, and is the author of the Splunk App for IP Reputation. Previously, Matthias worked at TIBCO LogLogic and McAfee as a senior technical consultant. He is also a regular speaker at conferences on a range of enterprise technology topics.

Security 6 Min Read

UEBA Superpowers: Detect and Eliminate Advanced Threats with Machine Learning

Splunk User Behavior Analytics (UBA) detects advanced attacks and insider threats with unsupervised machine learning.

Security 13 Min Read

From Registry With Love: Malware Registry Abuses

The Splunk Threat Research Team explores the common Windows Registry abuses leveraged by current and relevant malware families in the wild and how to detect them.

Security 2 Min Read

Staff Picks for Splunk Security Reading July 2022

Welcome to the Splunk staff picks blog. Each month, Splunk security experts curate a list of presentations, whitepapers, and customer case studies that we feel are worth a read.

About Splunk

The world’s leading organizations rely on Splunk, a Cisco company, to continuously strengthen digital resilience with our unified security and observability platform, powered by industry-leading AI.

Our customers trust Splunk’s award-winning security and observability solutions to secure and improve the reliability of their complex digital environments, at any scale.