As the coronavirus brought the world to a near standstill in late 2020, BadBlood began its attack. The hacking group, considered a proxy for Iran’s Revolutionary Guards, sent emails to over 20 medical professionals in Israel and the United States. Sent to senior members of a slew of medical research organizations from a seemingly legitimate Gmail account, the emails contained a link to a website that claimed to offer details on Israel’s nuclear program, in order to lure the victims into giving the attackers their details.
The attack targeted specialists in genetics, neurology and oncology, said Sherrod DeGrippo, the director of the threat research department at Proofpoint, the cyberfirm that discovered the attack. The campaign, she said, joins “an escalating trend of medical research being increasingly targeted by threat actors” – an industry term for state-backed hackers.
There are at least three different hacking groups linked to Iran that focus almost exclusively on biomedical and health targets. And though Proofpoint said it “cannot conclusively determine the motivation of actors conducting these campaigns,” it does note that “targeting Israeli organizations and individuals is consistent with increased geopolitical tensions between Israel and Iran.”
BadBlood "routinely attempts to obtain the email credentials of individuals that may possess information aligned with the [Revolutionary Guards’] collection priorities," DeGrippo said. She suggested that the hackers may have an intelligence requirement to collect medical data related to the fields the attack’s targets specialize in, or that the campaign may aim to access the patient information of the personnel targeted or to use their accounts in future phishing campaigns.
Regardless of its goals, the hack joins a concerning trend which has ridden the coattails of the coronavirus pandemic. The past year and a half saw a massive uptick in digital attacks targeting organizations forced to shift to remote working, to the point where some cybersecurity experts have labeled it a “cyberdemic.” The health care industry has been almost doubly exposed, and Israel’s even two-fold more so.
According to cybersecurity firm CheckPoint, there has been a 45 percent increase in attacks targeting healthcare organizations globally. This, it found, was “more than double the overall increase in cyberattacks across all industry sectors worldwide.”
“The health care industry in Israel is by far more targeted in comparison to other countries,” Lotem Finkelstein, head of cyberintelligence at CheckPoint, told Haaretz. The average Israeli health care institute experiences about 1,500 attacks per week, he said, while the global average is 700.
- 'The Plague': Israel Braces for Cyber-doomsday
- Iran's Atomic Sites Targeted by Diplomacy and Sabotage
- Iran Blames Israel for Natanz Blast, Vows Revenge; Nuke Program 'Set Back 9 Months'
Israel’s cyber authority told Haaretz that they, too, have seen attacks focused specifically on medical research centers, both in Israel and abroad. They said that Israel’s Cyber Directorate "was involved and aided in stopping such attacks.”
CheckPoint’s Finkelstein explained that many of the attacks are actually more criminal in nature, adding that information theft – the most common form of attack – is more prevalent among cyberattacks targeting Israel than it is globally. An Israeli health organization, he said, is 38 percent more likely to be targeted than one in another country.
Though it may seem like the health care sector is as targeted as any other, the escalating attacks against it are a new development. “We see that the health care sector is in the top five sectors for ransomware attacks. Especially during the pandemic,” he added.
Israelis are not the only victims of such attacks. On Monday, Pfizer cybersecurity chief Jim LaBonty confirmed that the company, which has provided Israel with the majority of its vaccines and inked a deal with Jerusalem on Monday to see it continue supply Israel until 2022, has hired the Israeli-American cybersecurity firm Claroty to help defend the medical “supply chains through which vaccines and hospital medicines are manufactured and globally distributed.”
And state-driven attackers like BadBlood are not the only ones behind this wave. CheckPoint and other firms have tracked additional threats deployed by cyber criminals over the past year. This includes ransom attacks on medical facilities and attempts to steal coronavirus research and vaccine data, as well as a thriving coronavirus-based market on the so-called darkweb – the non-indexed web inaccessible via Google and classic internet browsers.
CheckPoint reported last month that there was a 300 percent increase in ads on the darkweb for coronavirus vaccines from multiple providers: AstraZeneca, Sputnik, Sinopharm and Johnson & Johnson vaccines sell for prices ranging between $500 and $1,000 per dose. Forged Vaccine passport certificates go for $250 each, and just $25 can buy a fake negative COVID-19 test result.
“It seems that various threat actors and hackers have quickly realized the potential market for fake documents, and have been quick to grab the monetization opportunity,” CheckPoint’s Finkelstein said.
A black market for green passes – Israel’s own vaccine certificate – has arisen as well. CheckPoint warns that these fake passports, which have also cropped up in Spain, Germany, France and Russia, pose a real public health threat. They seem authentic, the firm said, which allows holders to board planes, cross borders and otherwise access spaces and activities restricted to those who have been inoculated.
“This is a fact – attacking the healthcare sector directly and indirectly hurt the global efforts to fight the pandemic and caused loss of life,” Finkelstein said.