Warning of possible attacks on the biomedical sector

The National Cyber Security Centre SK-CERT warns of the ongoing campaign aimed at biomedical and biotech companies.

The international platform for cooperation of biochemists BIO-ISAC released an advisory regarding the long-term APT campaign called Tardigrade. The attacks are targeting biomedical companies and the biotech manufacturing sector.

Attackers use a new type of malware from the Smokey Bear family named SmokeLoader. It is a multifunctional malware aimed at stealing sensitive and important information, as well as preparing for a ransomware attack. Security researchers have also published information that the malware is compatible with other types of APT malicious codes as well, such as Ryuk, Conti or Cobalt Strike. Conti is currently ranked first in the ransomware gang ranking regarding the number of attacks. In this case, the attackers focus on information related to the COVID-19 vaccine manufacturing.

The initial intrusion vector used for malware infection includes phishing e-mails and infected USB keys that can be found by employees around the workplace. 

The founder of ImmuniWeb Ilia Koločenko explained that pharmaceutical companies are today an important target for cyberattack actors, both nationally and internationally.

“Some offensive campaigns are very sophisticated and may intentionally include false symptoms such as internal person-related incidents. They may serve as a smoke screen aimed at distracting the attention of cybersecurity teams from a much greater breach,” he added. 

The National Cyber Security Centre SK-CERT therefore recommends that biochemical companies apply the following recommendations immediately:

  • Identify your key technologies and systems
  • determine the scope of risk analysis according to your main activities;
  • identify all your key assets that allow you to perform and support your activities;
  • define the threats and vulnerabilities that affect your assets;
  • assess risks based on impact and threat likelihood;
  • take appropriate measures to reduce the risk.
  • Check your network segmentation
  • check whether the key technologies and systems are well separated from other infrastructure.
  • Check the technology and system access settings
  • limit, or the best, disable completely a remote access to the key technologies and systems;
  • set your access policies according to need-to-know and zero trust
  • Apply consistently a backup policy according to best practices
  • create a backup policy, if you do not have one, in which you specify what data is backed up, who has access to them, what media the backups will be stored on, and so on;
  • back up all important information. This is the best possible measure to ensure data security;
  • make backups in different locations and media, while also performing cold backups — backups on media not connected to the network and stored in a protected place (e.g. in a safe, ideally in a completely different building);
  • implement the backup policy that contains all these rules;
  • verify the functionality of the backup policy on a regular basis and update it if necessary;
  • check the backup systems and their functionality on a regular basis;
  • check the backup functionality regularly;
  • test the backup data recovery regularly;
  • practise the backup process and the backup recovery process with the staff on a regular basis.
  • Keep all your devices and systems updated
  • identify all your devices and systems;
  • keep the information about your devices, systems, licenses and support up-to-date;
  • create an update policy that will contain the rules for updating your devices and systems;
  • implement the update policy.
  • Monitor activities in your network to identify and detect cybersecurity incidents.
  • Take preventive measures in your organisation to minimise the threat as much as possible
  • instruct all your employees, including the management, about following the basic principles of cyber hygiene;
  • perform regular trainings aimed at preventing phishing as well as phishing tests.
  • If an incident has occurred
  • identify affected devices and systems and isolate them from the network;
  • if several systems and subnets have been affected, turn off the network at switch level. If it is not possible to disconnect the network at the level of network elements, disconnect individual devices from the network (network cable disconnection, Wi-Fi shutdown and so on);
  • affected devices should be shut down only if they cannot be completely isolated from the network infrastructure. Shutting down the device leads to irreversible destruction of data stored in RAM, which may contain valuable data and the data necessary for more detailed analysis of malware activity and decryption of affected files;
  • in case of any suspicions, do not hesitate to contact the National Cyber Security Centre SK-CERT at incident@nbu.gov.sk and the police.

« Späť na zoznam