On May 13, 2020, the Federal Bureau of Investigation (FBI) and the Cybersecurity and Infrastructure Research Agency (CISA) issued an announcement directed at organizations involved in COVID-19 research to be on increased alert against potential cybersecurity attacks. The announcement stated that actors from the Peoples Republic of China (PRC) have targeted and potentially have compromised organizations involved in COVID-19 research, including those researching potential treatments, vaccines, and tests in an attempt to obtain intellectual property and health data.
The announcement notes that the increased attention an organization associated with COVID-19 research activities has received may result in increased interest by attackers seeking to launch a cyberattack. As a result, the announcement urges organizations conducting COVID-19 research to remain especially vigilant to insider and external cybersecurity threats.
Although the announcement provides little evidence that the threats are unique to the PRC, it reminds us that cybersecurity attacks not only originate from malicious individuals and other organized hacking groups, but they may also be launched from well-funded nation-state actors. Unlike individuals or organization hacking groups who are often looking to monetize information or bring down an organization, nation state actors may have additional motivations, including industrial espionage and other types of economic incentives. This is especially true for COVID-19 research, where the economic impacts of an organization’s research, if successful, may be significant and world-changing. The modification of information may drive research in the wrong direction and the unavailability of data could set back advances at a critical time. Therefore, organizations should not only be on alert for attacks that impact the confidentiality of critical research data, but also for attacks that may impact the integrity or availability of this data.
The FBI’s warning should prompt organizations involved in COVID-19 research (or almost any organization) to review and update its security measures, including:
- Actively scanning your systems for unauthorized system or data access, modifications, or other anomalous activities.
- Ensure that alerts issued by network security devices are promptly investigated and addressed. With an increase in external access due to “stay at home” orders leading to significantly more alerts, it is important to strike the correct balance between “noise” and alerts that may be an early indication of an attack.
- Review system configurations to ensure that reasonably detailed log files are being maintained for a reasonable period. These log files may indicate the origin and scope of an attempted or successful security incident. Organizations may need to take additional steps to preserve log files for cloud-based enterprise systems, such as O365.
- Patch all systems (including network devices) for critical vulnerabilities; prioritize systems based on the severity of known vulnerabilities, exposure to the public internet, and the criticality of the data stored or accessed by those systems.
- Identify and suspend access to any user that displays unusual activity.
- Enable multi-factor authentication for all external access to the network where possible. This may be especially difficult with current shelter in place orders.
- Enable multi-factor authentication for privileged access to the network and eliminate any external access where possible.
- Create regular, offline backups to defend against ransomware attacks and other similar attacks that may affect not only the confidentiality of data but also the availability and integrity of the data.
- Review access control configurations to ensure that users with access to the information systems only have the least amount of privileges required to do their job functions. Pay close attention to service accounts that cannot be disabled.
- Where possible, use data integrity technology to quickly detect unauthorized modifications to critical data.
- Malicious actors with physical access can destroy or contaminate research samples or use virus samples for terrorist activities. Restrict access to physical facilities that contain these samples to individuals that need such access. If visitors must be allowed access to facilities, only permit supervised access to the minimum area required.
- Review your incident response plan to make sure that your organization can promptly and effectively respond to a security incident with diminished on-site staff.
For more information about these security measures or in the event of a confirmed or suspected security incident, please contact your Foley relationship partner. For additional web-based cybersecurity resources, CISA offers additional COVID-19 related cybersecurity resources that can be found here.
Foley has created a multi-disciplinary and multi-jurisdictional team, which has prepared a wealth of topical client resources and is prepared to help our clients meet the legal and business challenges that the coronavirus outbreak is creating for stakeholders across a range of industries. Click here for Foley’s Coronavirus Resource Center to stay apprised of relevant developments, insights and resources to support your business during this challenging time. To receive this content directly in your inbox, click here and submit the form.
