China may be targeting medical firms for IP data

There is very little that companies can do to defend themselves against state-sponsored attacks, says Storm Guidance director Sarb Sembhi.


Bloomberg has an interesting analysis on the reported theft of personal data from Community Health Systems (CHS), the second largest US for-profit hospital chain.

It concludes that the attack came from a Chinese state-sponsored attack group, which is interested in intellectual property (IP) from medical and pharma companies.

The newswire quotes Aaron Shelmire, a threat researcher for Dell SecureWorks, as saying that the Chinese group have been accessing pharmaceutical labs through their connections with university researchers, scooping up trial data and other trade secrets.

The CHS attack, however, says Shelmire, may be the first time the Chinese attack group has targeted consumer data - an area that is usually the preserve of cybercriminals in Eastern Europe and elsewhere.

"The efforts of the Chinese group has forced medical technology and drug companies to make huge new investments in computer security, and left the US$ 160 billion (£96.5 million) US medical device market worrying about what may be done down the line with the pilfered data," says Bloomberg.

Allegations that the Chinese are behind the IP harvesting attacks on medical and pharma companies were - as you might expect - refuted by the Chinese embassy in Washington, which says the allegations are based on unprovable and fabricated evidence.

According to Fran Howarth, a senior analyst with Bloor Research, however, the healthcare sector is well known for having under-invested in security, and this makes it rich pickings for highly sophisticated criminals, who are apparently as well funded and organised as large multinationals - if not better.

"Stealing trade secrets is highly lucrative, but is not something that organisations need to make public knowledge. Therefore, we cannot know how widespread this is. But the high levels of growth, for example of China's medical device industry, as quoted, make it seem that this may well be a very serious problem," she explained.

Sarb Sembhi, a director with Storm Guidance, said that state-sponsored and targeted attacks from China have been widely reported, but pointed out that western nations are also likely to be carrying out their own state-sponsored attacks.

These attacks, he says, are typically carried out by western nations where the government has close links with the companies that operate within its territory - and the government is seeking to protect the interests of those firms.

"Usually this is where the country concerned is less democratic - and you tend to find that the government and corporate concerns of such countries are quite closely aligned. If there is no democracy to hold this sort of behaviour in check, then this is where state-sponsored attacks can prosper," he said, adding that there was a report in the media earlier this month that effectively accused Germany of surveilling the activities of around 27 other countries.

"If you believe these reports - and those of the Chinese state-sponsored attacks - then it is not unreasonable to presume that almost all countries are carrying out these types of attacks. Quite frankly, I'd be surprised if this wasn't the case," he explained.

Against this backdrop, Sembhi, who is also a leading light in ISACA, the not-for-profit IT security association, says there is little that companies being targeted for IP theft can do to counter a state-sponsored attack.

"This is because, if you are the target of such an attack, then the attackers will almost certainly get your data one way or another," he said, adding that companies are better off investing in defences against more conventional cybercriminal attacks, on the basis that it is possible to defend against these attempted incursions.

Confirmation bias dangers

Professor Peter Sommer, a digital forensics specialist, was sceptical about Bloomberg's 'take' on the attack - and cautioned against reading too much into the analysis.

"If we go back to the Mandiant APT1 report on Chinese state-sponsored attacks of early last year, I find it very difficult to believe that the researchers were able to pinpoint the attacks down to a single building in China. As with all research of this nature, there is a danger of what we call 'confirmation bias' when analysing the results of the research," he said.

"This basically means that, if someone requests a researcher to analyse a given set of data with the aim of proving a given link, then there is a danger that the researcher will subconsciously 'prove' that link, even where it does not actually exist. A classic case is where a member of a security service is asked to enhance a poor-quality digital image to 'prove' that a certain person is in the photo," he added.

Sommer, a visiting professor with De Montfort University, went on to say that, when this happens, the researcher may end up with a freehand 'enhanced drawing' that proves the presence of the person in the digital image, mainly because the original picture does not have many pixels of data to analyse.