Ongoing Stealthy “Spear Phishing” Attack Focused on Publicly Traded Healthcare and Pharmaceutical Industries

by Leonardo M. Tamburello

Security firm FireEye on December 1, 2014 issued a report describing its discovery of an extraordinarily sophisticated and potentially damaging spear-phishing attack which has targeted the healthcare and pharmaceutical sectors with the apparent goal of obtaining advance, non-public information such as that concerning mergers and acquisitions, drug development, insurance reimbursement rates, government approvals, pending legal cases, product information and other data that would likely influence the price of a company’s stock.

Since mid-2013, a group known as “FIN4” has targeted over 100 publicly traded companies or their advisory firms, of which more than two-thirds were healthcare or pharmaceutical companies, and an additional 20 percent were advisors to public companies on securities, legal and mergers and acquisition (M&A) matters.  The group appears to focus on acquiring information, sometimes months in advance, about ongoing M&A discussions by identifying the individuals most likely involved, such as C-level executives, legal counsel, regulatory, risk management and compliance personnel, researchers, scientists and other advisors, and gaining surreptitious access to their email accounts.

This attack, which remains ongoing, comes on the heels of another so-called “Advanced Persistent Threat” previously discussed on this blog, which resulted in the compromise of “non-medical patient identification data” including names, addresses, birthdates, telephone numbers and social security numbers affecting 4.5 million individuals who were patients in the last five years at Community Health Systems, Inc., which operates over 206 hospitals in twenty-nine states.

FIN4 takes advantage of sensitivity over shareholder dissatisfaction and public disclosure of confidential information to entice the target into clicking on a link and entering credentials that are sent to the attackers.  Other lures include Microsoft Office macros, fake SEC filing documents and fake Outlook Web App (OWA) login pages used to obtain email credentials.  Once an email account is compromised, FIN4 impersonates the owner to send out emails which deploy more lures.  Because these come from a genuine account that recipients often already trust, they are more likely to be acted upon.  Attackers have also been observed to seamlessly inject themselves into email threads while taking steps to obfuscate the fact that they are quietly manipulating and observing communications inside a company.  For example, FIN4 is known to create a rule in compromised Outlook accounts that immediately filters out any messages containing words that might alert the account owner that they have been hacked, thus making it more difficult for outsiders to warn the victim of the infiltration.

These attacks, which continue to this date, are as ingenious as they are potentially far-reaching.  Although it cannot be said with certainty what the group does with the information it acquires, the inference is that the information acquired by the group is used by them or resold to others who then profit off fluctuations in the stock prices of the affected companies.

Although FIN4’s tactics of spear phishing and stealing credentials are among the oldest tricks in the cybercrime book, the clandestine nature of the attack increases its success and makes it more difficult to detect.  Users should be cautious about opening even supposedly trusted documents and emails that contain links or request unusual logins or permissions.  Network administrators should consider disabling macros in Microsoft Office, enabling two-factor authentication for Outlook and other remote access systems, and blocking known command-and-control (C2) domains and Tor exit nodes used by FIN4.
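As an added example, not part of this post or of FireEye’s report, the following script shows how an administrator could audit mailbox rules for the behaviour described above: rules that delete or hide messages mentioning a compromise, or that forward mail outside the organisation.  The rule records are constructed for the example, and the field names (Name, SubjectContainsWords, BodyContainsWords, DeleteMessage, MoveToFolder, ForwardTo, RedirectTo) are assumed to mirror the properties reported by Exchange’s Get-InboxRule cmdlet, which a reader should confirm against their own export.

```python
"""Flag mailbox rules that hide warning messages or divert mail externally.

Field names are an assumption modelled on Exchange's Get-InboxRule output;
the sample rules below are constructed for this example."""

# Words an account owner would expect to see in a warning from colleagues;
# extend to suit the organisation (assumption).
ALERT_WORDS = ("hacked", "phish", "malware", "virus", "suspicious", "compromised")

# Folders where a moved message is unlikely to be noticed.
HIDING_FOLDERS = ("deleted items", "junk", "rss feeds", "archive", "conversation history")

def keyword_hits(rule):
    """Return the alert-related words a rule's subject/body conditions match on."""
    words = (rule.get("SubjectContainsWords") or []) + (rule.get("BodyContainsWords") or [])
    return sorted({w.lower() for w in words if any(a in w.lower() for a in ALERT_WORDS)})

def hides_message(rule):
    """True if the rule's action removes the matched message from the inbox."""
    folder = (rule.get("MoveToFolder") or "").lower()
    return bool(rule.get("DeleteMessage")) or any(h in folder for h in HIDING_FOLDERS)

def forwards_externally(rule, internal_domain):
    """True if the rule forwards or redirects mail to an address outside the organisation."""
    targets = (rule.get("ForwardTo") or []) + (rule.get("RedirectTo") or [])
    return any(not t.lower().endswith("@" + internal_domain.lower()) for t in targets)

def audit_rules(rules, internal_domain):
    """Return (rule name, reason) pairs for rules that warrant review."""
    findings = []
    for rule in rules:
        hits = keyword_hits(rule)
        if hits and hides_message(rule):
            findings.append((rule["Name"], "hides messages mentioning " + ", ".join(hits)))
        if forwards_externally(rule, internal_domain):
            findings.append((rule["Name"], "forwards mail outside " + internal_domain))
    return findings

# Constructed sample: one benign rule and two of the kind worth reviewing.
SAMPLE_RULES = [
    {"Name": "Newsletters", "SubjectContainsWords": ["newsletter"], "MoveToFolder": "Reading"},
    {"Name": "Filter", "SubjectContainsWords": ["hacked", "phishing"],
     "BodyContainsWords": ["malware"], "DeleteMessage": True},
    {"Name": "Sync", "ForwardTo": ["mailbox@example.net"]},
]

if __name__ == "__main__":
    for name, reason in audit_rules(SAMPLE_RULES, "example.com"):
        print(f"REVIEW rule {name!r}: {reason}")
```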