Biomedical organizations as cyber targets. Astroturfing and influence.
Apr 24, 2020

News for the cybersecurity community during the COVID-19 emergency: Friday, April 24th, 2020. Daily updates on how the pandemic is affecting the cybersecurity sector.

Biomedical organizations as cyber targets. Astroturfing and influence.

China says that biomedical organizations should be off-limits to hacking.

The Wuhan Institute of Virology is among organizations receiving the attentions of hackers. Employees' email accounts have been compromised, the South China Morning Post reports. The level-4 research facility has been the subject of repeated speculation (in some fringe quarters speculation reaching the level of subjective certainty) that COVID-19 accidentally escaped from the labs there, and did not originate in the city's wet markets.

FireEye's midweek report describing their recent look at APT32 has prompted a call from Beijing (Reuters reports) urging all nations to condemn any attack on an organization involved in working against the pandemic. There's surely substantial international sentiment for placing biomedical facilities in a protected category, off-limits to cyberattack the way the laws of armed conflict prohibit most deliberate attacks against hospitals. It's not clear, however, that APT32, a threat actor associated with the Vietnamese government, is engaged in destructive or disruptive attacks. FireEye concluded APT32 has been conducting "intrusion campaigns" against Chinese targets involved with responding to the pandemic, especially China's Ministry of Emergency Management and the local government of Wuhan. These seem to be more in the nature of espionage. Vietnam has denied involvement, telling Reuters that the accusations are "baseless."

Czech Republic continues to look toward Russia as the source of recent cyber incidents.

Tension between Prague and Moscow continues, Radio Free Europe | Radio Liberty reports. The removal of a Prague statue of Soviet Marshal Konev, who led the army group that drove through Czechoslovakia in 1945 but who also crushed the Hungarian revolution of 1956 and was instrumental in erecting the Berlin Wall, has given offense to Moscow. So has the renaming of the street on which Russia's embassy in Prague is located to honor former Russian Deputy Prime Minister Boris Nemtsov, an inveterate critic of President Putin who was murdered outside the Kremlin in 2015. Moscow regards both acts as deliberate Czech provocations, and it isn't disposed to take such provocations lightly: the precipitating cause of the 2007 cyberwar (or cyber riot) Russia organized against Estonia was the Baltic country's removal of a Soviet-era monument to the Great Patriotic War. In 2017 Foreign Policy published a 10-year retrospective on that conflict.

On the Czech side, there's widespread outrage over cyber operations—reconnaissance and battlespace preparation for the most part—that affected healthcare facilities during the current pandemic. These activities increasingly look like the work of Russian operators.

Astroturfing, political advocacy, and the propagation of tendentious news.

As we noted yesterday, there's been a surge in the registration of domains related to resuming ("reopening") normal activity in the United States. KrebsOnSecurity reported earlier this week that a great deal of it looked like astroturf.

Domain Tools this morning published their own study of how the domains came to be, and who registered them. Many of the sites, a number of them with Second Amendment themes, appear to Domain Tools to have been established by Aaron Dorr, a consultant who advises political movements on advocacy and organization. Their use of a small set of common templates seemed to derive from another political consultancy, One Click Politics, which further raised suspicion that the apparently local, ostensibly grassroots sites were in fact astroturf.

There's also some countersquatting going on, with other political advocates quickly and preemptively registering domains that seemed to have the kinds of names that would draw Mr. Dorr's attention. Those doing so seem to be in general on the political right, and view association with the operations Domain Tools ascribes to Mr. Dorr as undesirable.

Domain Tools emphasized in a conversation with us that one common feature on the astroturfed sites is a prominent and functioning donation button. This suggests to them that a nontrivial goal of the operation is making money.

In that conversation, Domain Tools also suggested two areas that warrant attention. First, deep fakes have generally been associated with faked audio or video content. Domain Tools points out that one of the problems of astroturfing and influence operations generally is the production of useful content at scale. Sometimes this is done through plagiarism or repurposing, sometimes (and this is something Domain Tools noticed in connection with Mr. Dorr's operation) by having some lone Stakhanovite crank out a number of bylined pieces (using the same byline everywhere does tend to blow the gaff, but it happens). Domain Tools suggests that deep-learning tools can be adapted to rapidly produce good-enough written content in the service of influence. This could involve impersonation of real persons, or simply the generation of articles attributed to various sockpuppets.

Second, while most of the astroturf seems to be based domestically in the United States, there are indications that a few of the sites may have infrastructure in Hong Kong. That's curious, and deserves further investigation.

More on telework.

British security services have urged the government to avoid using Zoom. The Guardian writes that their specific concern is that traffic over the platform is vulnerable to interception, particularly by Chinese operators.

Bloomberg reports that several large corporations have also banned or restricted the use of Zoom for company business. Daimler AG, Ericsson AB, and NXP Semiconductors NV don't want their personnel using Zoom at all. Bank of America will let them do so under restricted circumstances, and after obtaining company permission.