FBI, CISA warn China targeting orgs conducting Covid-19-related vaccine, treatment research

China is looking to lift American research on coronavirus vaccines and treatments through cyberattacks, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) warned health care, pharmaceutical, and research sectors working on COVID-19 response.

“China’s efforts to target these sectors pose a significant threat to our nation’s response to COVID-19,” the alert said. 

The bureau is investigating the activities of PRC-affiliated cyber actors as well as “non-traditional collectors” targeting and compromising U.S. organizations doing research related to the coronavirus. “These actors have been observed attempting to identify and illicitly obtain valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” the FBI said in a separate release, noting that “the potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

Calling the alert "the latest, and perhaps most concerning example of the long-standing efforts by the Chinese to steal intellectual property from the U.S.,” said Jamil Jaffer, vice president for strategy and partnerships at IronNet Cybersecurity, said,With the latest wave of threats, it is increasingly clear that China is trying to advance their agenda to come out of the crisis stronger by being the first out of the gate with a vaccine.”

Data theft is not the only threat, “but also data manipulation, as folks like Congressman Will Hurd (TX-23) have highlighted,” he said. “If the Chinese successfully infiltrate the systems of organizations and universities involved in the development of a vaccine, they have the ability not just to steal data but also to delete or modify it, which can be hugely problematic,” significantly slowing treatment and vaccine progress.

The FBI recommended that organizations targeted by China’s efforts:

  • Assume that press attention affiliating your organization with COVID-19-related research will lead to increased interest and cyber activity.
  • Patch all systems for critical vulnerabilities, prioritizing timely patching for known vulnerabilities of internet-connected servers and software processing internet data.
  • Actively scan web applications for unauthorized access, modification, or anomalous activities.
  • Improve credential requirements and require multi-factor authentication.
  • Identify and suspend access of users exhibiting unusual activity.

Calling the latest move by China “an act of war,” Cyberreason CSO Sam Curry said, “the most amazing thing about the cyber conflict among many amazing things on the Internet is anonymity: there is a complete decoupling of rhetoric from actions.”

While “deny ’till you die is the mantra in cyber and geopolitics,” Curry maintains that “actions speak louder than words,” particularly during pandemic when attacks “on the healthcare and research infrastructure are diabolical.”

Outside of the cyber realm, China’s actions would be considered “a clear act of war and subject to diplomatic, economic and potentially military reprisals,” he said. “Some nation states are treating the COVID crisis as a continuation of the age-old game of tit-for-tat, and it’s shameful.”

Curry warned countries against “playing existential games” during these times. “We might have disinformation and misinformation wars in the propaganda sphere, but cyber-brinksmanship at this time is a whole different game and could render any short-term gains by belligerents moot in a world where they become pariahs once the crisis clears,” he said.

China is hardly the only nation-state that has skin in the game. “We have long seen Iran be a serious and rising threat actor in the cyber arena, particularly with the demonstration of their willingness to steal and destroy data going back to the Las Vegas Sands operation back in 2014,” said Jaffer. “Since then, we’ve seen Iran increase their skill sets and move up in the ranks among countries with strong cybersecurity capabilities.”

Russia, too, after having successfully interfered in the 2016 presidential election will likely reemerge “to create discord and undermine the public’s confidence in our election process, candidates and leadership,” said Jaffer, noting that “the recent increases we've seen in overt and covert messaging from Iran, Russia, and China about COVID-19 simply underlines these concerns.”

If history is any indication, China and others will eventually succeed in accessing systems and tapping intellectual property. “It is safe to assume, and generally understood, that a committed nation-state attacker with virtually unlimited resources will eventually be successful in getting into private sector systems,” said Jaffer, adding that the public and private sectors must collaborate to combat threats from "highly resourced" and capable adversaries.

"Instead of stranding themselves on an information island, organizations and institutions working on COVID-19 treatments and other critical efforts should be constantly sharing actionable threat behaviors with each other," he said. "This approach allows both for the detection of new and novel threats as well as the ability to collaborate in real-time and to leverage decisions made by other entities."

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.