Synthetic security researchers pose a new threat to healthcare cybersecurity

Google's Threat Analysis Group recently exposed a campaign targeting security researchers working on vulnerability research and development. The actors behind this campaign, believed to be a government-backed entity based in North Korea, have created a research blog and multiple Twitter profiles to interact with potential targets.

Why it matters

The creation of synthetic security researchers and the use of social engineering to target security researchers is a significant threat to privacy and security. These fake profiles and malicious code can be used to gain access to sensitive information. This is a concern for all sectors, but the implications for healthcare are particularly significant due to the sensitive nature of patient data.

How they did it

The threat actors took several steps to create synthetic security researchers and target real ones:

1. Established a research blog: The actors created a blog to build credibility and connect with security researchers.
2. Created multiple Twitter profiles: They used these profiles to interact with potential targets, posting links to their blog and videos of their claimed exploits.
3. Posted analysis of vulnerabilities: Their blog contained write-ups and analyses of vulnerabilities that have been publicly disclosed, including "guest" posts from unwitting legitimate security researchers.
4. Faked the success of their claimed working exploit: In at least one case, the actors faked the success of their claimed working exploit. They posted a video on YouTube that purported to show a successful exploit, but a careful review showed the exploit was fake.
5. Targeted specific security researchers: The actors targeted specific security researchers with a novel social engineering method. They would ask the targeted researcher if they wanted to collaborate on vulnerability research, and then provide the researcher with a Visual Studio Project containing malicious code.
6. Used multiple platforms to communicate: The actors used multiple platforms to communicate with potential targets, including Twitter, LinkedIn, Telegram, Discord, Keybase, and email.

The HIPAA angle

The Health Insurance Portability and Accountability Act (HIPAA) mandates the protection of patient health information. In the context of synthetic security researchers, healthcare organizations could fall prey to this threat if they incorporate third-party code or services into their systems without proper vetting. For instance, a healthcare organization might be targeted by a synthetic researcher offering a seemingly beneficial code or service. If this code or service is integrated without a thorough security review and without a business associate agreement (BAA) in place, it could lead to a breach of patient health information, constituting a HIPAA violation.

Related: HIPAA Compliant Email: The Definitive Guide

The risks of synthetic security researchers

Synthetic security researchers pose a unique risk. By creating a semblance of credibility, they can trick individuals and organizations into downloading malicious code. This code could give attackers access to sensitive information, including proprietary code and classified correspondences.

What they're saying

"They put in a decent amount of effort into building personas, if you will, for each of these characters — these actors that who would advertise the GitHub repositories with the actual malware," says William Vu, a security researcher at VulnCheck in a conversation with Dark Reading. "So they put a lot of time and effort into building, really, a fake security company, and that, to me, is kind of new."

Looking ahead

As these threats become more sophisticated, the need for robust privacy measures and adherence to regulations like HIPAA becomes even more critical. Healthcare organizations, in particular, must follow HIPAA compliant best practices, including thorough vetting of third-party services and obtaining BAAs before sharing or accessing protected health information.

The bottom line

The emergence of synthetic security researchers is a wake-up call for all sectors, particularly for healthcare, where the protection of patient data is paramount. Adherence to HIPAA regulations and best practices is not just a legal requirement but a crucial step in safeguarding against evolving threats. As we move forward, the focus must be on developing and implementing robust privacy measures to protect against these new threats.

Preventive measures

Healthcare organizations can take several steps to guard against threats posed by synthetic security researchers:

1. Vetting third-party code: Before incorporating any third-party code or services into their systems, healthcare organizations should conduct a thorough security review. This includes checking the source's credibility and the code's potential security implications.
2. Business associate agreements: Before sharing or accessing protected health information with a third-party, healthcare organizations should ensure a Business Associate Agreement (BAA) is in place. This is a requirement under HIPAA and helps ensure that third parties are also committed to protecting patient data.
3. Staff training: Healthcare organizations should provide regular training to their staff on recognizing and avoiding potential cybersecurity threats. This includes being wary of unsolicited contact or suspicious links, even if they appear to come from credible sources.
4. Compartmentalization: Organizations should compartmentalize their activities, using separate physical or virtual machines for different tasks. This can help prevent a breach in one area from affecting the entire system.
5. Regular system checks: Regular system checks can help detect unauthorized access or suspicious activity. This includes monitoring system logs and using intrusion detection systems.