
The FBI investigating hacking of Covid research by “PRC-affiliated cyber actors” - kimi
https://www.fbi.gov/news/pressrel/press-releases/peoples-republic-of-china-prc-targeting-of-covid-19-research-organizations
======
smkellat
If you’re doing research of any significance in today’s world and don’t have
an active security program looking for harmful actions by foreign intelligence
your organization opens itself up for all sorts of nasty liabilities. You
don’t even have to have an electronic intrusion. The PRC’s government also
pays people off as the case of this former Cleveland Clinic researcher shows:
[https://www.cleveland.com/crime/2020/05/former-cleveland-cli...](https://www.cleveland.com/crime/2020/05/former-cleveland-clinic-researcher-charged-with-fraud-for-failing-to-disclose-china-ties.html)

~~~
thephyber
I'm not sure I agree that it's the responsibility of the people doing research
to protect against foreign nation state attacks (whether cyber or legacy
intelligence).

1st: most people outside of government don't know how much they are
expected/"required" to do to protect their work against foreign nation states.
Except for heavily regulated sectors (government, military, heavy industry,
banking, core telecom, and more recently elections) very few companies will
actually get help from 3-letter-agencies to actively protect against foreign
nation state attacks.

2nd: _many_ people expect that the {NSA, Cyber Command, et al} are actively
defending _all_ US organizations. I don't see evidence of this (although if
there was evidence, I probably wouldn't see it anyway).

3rd: In a national emergency (which the COVID response was declared), there
are limits to the liabilities which would otherwise be enforceable in court.
There are frequently/always legal escape clauses like _force majeure_ and _act
of god_ which would likely alleviate liabilities due to fallout from acts of
war or a severe pandemic, so it's not clear that those "nasty liabilities"
could be enforced. There are currently 2 important cyberinsurance cases[1]
which are winding their way through courts right now which may effectively
decide if cyberinsurance is a viable product (depending on whether).
Violations of HIPAA are possible, but similarly may not amount to much in
terms of prosecution because of the pandemic.

In reality, it's damn near impossible to protect against a motivated+targeted
nation state attack (especially with the resources of PRC). If the liabilities
incentives require all projects (large and small) be able to withstand nation-
state attacks, then all of the project resources go to cybersecurity and none
into research -- your productivity is now zero.

It's important to remember that it's the FBI's job to do counter-intel. If a
medical research group is defrauded by PRC spies and you blame the researchers
for not being able to spot a non-trivial espionage attempt, you are just
victim blaming. I work as a product developer in cybersecurity and I doubt I
could identify most spy craft if it were to happen right in front of me.

[1] [https://www.cpomagazine.com/cyber-security/aig-case-highligh...](https://www.cpomagazine.com/cyber-security/aig-case-highlights-complexities-of-covering-cyber-related-losses/)

~~~
AnthonyMouse
> _many_ people expect that the {NSA, Cyber Command, et al} are actively
> defending _all_ US organizations. I don't see evidence of this (although if
> there was evidence, I probably wouldn't see it anyway).

If you keep your confidential research results on an unpatched server with
weak passwords and exposed to the internet, what is the NSA supposed to do
about that?

About the best thing they could do is to scan for and find the vulnerability
before the attackers and notify you about it, which in general they don't. And
it still wouldn't solve most of the problem because there would be objections
if they did more than a cursory scan, which means they won't find most
problems, but the attackers are under no such limitations.

> there are limits to the liabilities which would otherwise be enforceable in
> court

I don't think this is the kind of liability they're talking about. If your
confidential research falls into the hands of economic spies, the problem
isn't so much that someone is going to sue you as that your research and any
relevant patents have now lost their economic value because a knockoff product
will beat you to market.

> cyberinsurance

This is liable to be more of a grant hog than liability would. Not only do you
have to pay the premiums -- which would be high unless researchers adopt good
security practices, which having the insurance would give them the incentive
to do the opposite of -- but you also then have the insurance company imposing
some kind of bureaucratic best practices procedures that gives you even more
compliance costs than you would get from having liability, because the
insurance company has misaligned incentives with respect to the level of
compliance burden to impose, since they don't pay any of it but get all the
benefits.

The reality is, the researchers are the ones operating the systems their
research is on. They're the ones who have to secure them. And they already
largely have the right incentives to want to do that, but they also have a
poor understanding of the necessity of it and the process for doing it.

What would help here are the things that would help in general. Fund
vulnerability research in free software so that the software people are using
(because it's what they can afford) is secure by default, and easy enough to
use that people don't commonly make mistakes, and well-documented. Things like
that. Make it easier to do the right thing so more people do.

------
elliekelly
I appreciate that there’s probably a lot I don’t know or understand about the
national security aspects of this but it seems wrong to not share as much
information as possible with as many researchers as possible in order to help
as many people as possible. Protecting security interests is one thing but
this press release specifically mentions protecting intellectual property and
that seems kind of tone deaf.

I also wish they would explain _how_ treatment options are jeopardized, even
at a high level:

> The potential theft of this information jeopardizes the delivery of secure,
> effective, and efficient treatment options.

~~~
cat199
> to not share as much information as possible with as many researchers as
> possible in order to help as many people as possible.

this presumes that the stolen information would be used 'to help as many
people as possible'..

Also, 1st country with viable vaccine/treatment/etc will have a huge
geopolitical bargaining chip & it will likely be used as such no matter the
country of origin.

~~~
jessaustin
_...huge geopolitical bargaining chip..._

Ummm, I'm not sure how to break it to you, but USA is already laughingstock of
world due to our comically misguided reaction to the "pandemic". Everyone
expected Trump to screw up (and he hasn't disappointed), but there isn't any
person or institution in USA that hasn't totally whiffed on this. CDC mandated
tests that didn't work, news media remained unconvinced until late in the game
and now jump from one conspiracy theory to another, in-person elections were
held as late as _April 7_, some states required that diseased patients be
forced into _nursing homes for the elderly_, effective masks are still
somehow difficult to acquire, Congress has passed numerous "bailout" laws
representing trillions of dollars yet has somehow not been able to arrange
healthcare for every citizen as most comparable nations have had for decades,
our deaths have passed 100k and seem certain to pass 200k as well, etc.

It's difficult not to see this "investigation" and especially this silly press
release that purports to inform the public about it as just more of the same.
Furious pretend activity with no view of long-term strategy or of benefit to
anyone other than the bureaucrats who wrote the release.

~~~
cat199
relative level of (dis)respect of any country to another doesn't mean that
country won't use something to their advantage

~~~
jessaustin
What is "advantage" in this case? Nations with reliable treatments and
vaccines might use those to improve their citizens' health? Sure that's not
something we'd do in USA but it doesn't seem like a _bad_ idea...

------
bt1a
I've always wondered how you can be so sure it's PRC in the age of easily
being able to mask your true IP address. Perhaps the identified attacks have
been previously linked with the PRC, or another option is that the actors were
not as covert as they thought.

Like remember the indictment of 12 Russians ([https://www.justice.gov/file/1080281/download](https://www.justice.gov/file/1080281/download))

The FBI linked a pool of bitcoins used to purchase a VPN service and other
things to the Russians. Probably best to not use a crypto with a public ledger
for criminal activity.

~~~
toshk
Same here. I remember once I was watching the news and they claimed a hack was
done by Russians because they found Russian comments in the code. That didn't
sound very convincing :). The ledger evidence sounds better.

At the same time in this case I would be more surprised if the PRC, since
their need for control, and since the stakes are extremely high, wasn't doing
such things.

~~~
oefrha
Similarly, I recall a strain of malware being attributed to Chinese hackers
because variable names were in Chinese; then when you actually inspect the
code, it's clearly Unicode gibberish generated by an obfuscator... That is to
say, the hackers weren't even trying to be misleading, it was just a result of
obfuscation reminiscent of mojibake. (I read the article on Ars Technica but
don't remember enough details to find the article.)

If I ever code a hacking tool I'll throw in some Korean comments for sure.

~~~
darawk
Do keep in mind that intelligence services are probably not being fully
transparent about how they know the source of an attack. They wouldn't want to
reveal their methods, to avoid them becoming unreliable in the future.

~~~
vkou
Which makes it impossible to have an open, informed discussion on the subject.

Instead, you get tribalist arguments over who believes which secret police.

------
tarkin2
This press release encourages me to think China is covering up something.

This /may/ be the case. But the FBI wants me to come to this conclusion.

It seems a little fishy.

------
nineparts
I know I might be the weirdo here for browsing 4chon, but for the last few
months I have seen a huge incursion of "PRC-affiliated"... "contributions"...
and not only to high traffic and high turnover boards but even to niche ones.
On boards using flags, these "contributions" come mainly from Canada, USA, and
France.

Although I am secretly grateful for this spam, as it cut down my time spent
there from 3-4 hours a week to 3-4 hours a month, it's still disconcerting as
they are highly organized and apparently take huge pleasure in bludgeoning
seals and other harmless creatures. Heck, I am amazed that the boards were
clean even after the US Elections, the shutdown of 8chon and other such
events.

------
pessimizer
Why would they be press-releasing this other than to drive public opinion
against China?

~~~
bt1a
While the admin is currently pushing a very negative image against China, I do
not believe the FBI would do that so lightly.

~~~
boomboomsubban
Why would the FBI be hesitant about faking/sensationalizing this? It's nearly
impossible to prove, China's unlikely to make an issue out of it, and even if
the lie got exposed what punishment would they face?

~~~
Larrikin
Are you an infosec expert? You have said that it is impossible to trace
origins of hacks multiple times but only offer two shallow points that you
would learn about in your first week of a network security class.

There are papers out there that have multiple ways of using language to
identify specific authors, determine multiple authors, and even decode unknown
language. That's my first shallow example and would be a pretty reliable
indicator if you could get your hands on their code. With a budget of millions
of dollars I'm sure they have dozens of ways that can be combined. It would
make no sense to reveal every single method they use to defend against people
on the internet. That also assumes they don't just have a mole who told them
about it, which they also wouldn't reveal.

~~~
boomboomsubban
> You have said that it is impossible to trace origins of hacks

I have not said this. The evidence they have provided makes it equally likely
that they've tracked these hacks (correctly or incorrectly) or that they've
made the whole thing up. You can't rule out either action.

> There are papers out there that have multiple uses of using language to
> identify specific authors, determine multiple authors, and even decode known
> language. That's my first shallow example and would be a pretty reliable
> indicator if you could get your hands on their code

There have been multiple papers on these subjects, with a budget of millions
of dollars I'm sure identifiers could be faked. Particularly with password
spraying, the only method mentioned.

------
orbifold
Just for additional context several super computing sites in Europe were
attacked a few weeks ago and are still down, among them Piz Daint at CSCS,
which ranks 6th in the world, several super computing sites in Germany (FZ
Juelich) and so on. I think no-one wishes this to turn into a kinetic war, but
for all we know besides the economic warfare that has been going on for quite
some time, this feels like we are in an all out conflict with China.

~~~
zaxu
These are crypto mining schemes, though. This looks a lot more like run of the
mill money making cybercrime than espionage - I don't think any nation state
would be interested in outing themselves for a pittance in bitcoin.

~~~
orbifold
At least according to this incident report [https://csirt.egi.eu/academic-data-centers-abused-for-crypto...](https://csirt.egi.eu/academic-data-centers-abused-for-crypto-currency-mining/), one of the two attacks had "unknown purpose". In particular it was not tied to crypto mining.

~~~
zaxu
From the site you linked, the one with "unknown" motive has exclusively
attacked Chinese academic victims. It would be extremely bizarre to suggest
that the Chinese government is behind this.

~~~
orbifold
The second one is the attack that spread all the way to a basement HPC cluster
in the Physics Institute at LMU Munich, the IP addresses listed are indicators
to look for that your system might be compromised, not the victims of the
attack.

------
pcbro141
Shouldn't all countries be working together openly on fighting the pandemic?
Given that it's hurting the whole world.

~~~
tree3
Companies across all countries have proprietary data that they are using to
develop treatment options.

------
skrebbel
I love the term "cyber actor". That's basically like Hugh Jackman and Jonny
Lee Miller, right?

~~~
scollet
And my favourite: Rami Malek

------
horsemessiah
How can western leaders condemn China's lack of publishing info related to
COVID-19 and protect private research for curing it at the same time? Research
like this should be public and accessible to everyone. I don't know why I
shouldn't applaud any hackers spreading this information.

~~~
pedroma
Companies will stop working on it the moment they lose incentive, etc etc.

------
OBLIQUE_PILLAR
COVID-19 affects the entire world. Shouldn't all COVID-19 basically be done on
a globally viewable wiki? It's going to take the cooperation of all countries
to get through it. I don't understand why the US should hoard any COVID-19
data it has, besides extremely non altruistic ones.

~~~
mc32
Let’s see who else is putting valuable IP out there.

------
737min
Does anyone really wonder if we (the US) and China are going to be at war in
the next 10 years?

~~~
nineparts
I come from an ex-communist country. So this is probably (hopefully) the only
moment my talent of spotting this kind of shit is useful. The thing is that
whatever bad behavior the USA committed in the past, and then anxiously
analyzed and mulled over for decades... the Chinese are doing day by day,
routinely, without ANY remorse or second thought. With the Russians it was
different. Sorry to say this, but compared to the Chinese, they had soul. I do
not foresee anything like the collapse of the Soviet Union in China. They are
too "rational" for it. Not to mention their numbers. Our only hope is Jesus
Christ. US and China at war? I don't know. China at war? By their logic of
expansion, I'm afraid it is guaranteed.

~~~
yibg
Seems strange to me to assign any emotion to the political entity of a huge
country. I don’t even know what it means. What does China / America / Soviet
Union feeling remorse even look like?

History has shown us that any super power will go to war. The Romans, the
British, the Americans. Maybe we’ve learned our lesson from history or maybe
today things are different due to greater education, multiculturalism and just
rapid communication. Either way we shouldn’t be pinning our hopes on “Jesus
Christ”, as again I don’t know what that means. Would he come down and disarm
everyone or something?

We avoid conflict by having rational open dialog, educating people and
increasing transparency and accountability. The way to increase the
probability of conflict is by having this tribalistic us vs them mentality.
Everything they do is bad, they are evil and we are just.

~~~
nineparts
When that political party is set on dictating not only how every citizen but
how every ethnic should behave... well...

------
737min
[https://foreignpolicy.com/2020/05/22/china-superpower-two-pa...](https://foreignpolicy.com/2020/05/22/china-superpower-two-paths-global-domination-cold-war/)

------
troughway
There is a big business opportunity, which I am sure is already fulfilled to
some extent, to provide air-gap and other securities/countermeasures to
businesses and orgs that deal with highly sensitive data, equipment,
specimens, whatever.

Something akin to an anti-Palantir.

------
btrettel
Some of the comments here discuss how an attacker could tamper with data. What
are some good ways for a scientist to ensure the integrity of their data in
this case?

Post it online with a hash, particularly in a way that will get archived by
others?

Keep off-site backups?

~~~
g_p
Where it's possible, perhaps using a deterministic process that can be easily
repeated to verify the groupings haven't been tampered with? (Not to reduce
the importance of backups, though they themselves can be attacked, but just as
an idea for discussion...)

Here's an idea for how this could work for an example given elsewhere in the
thread about the risk of an attacker mislabelling the subjects so the outcomes
are unclear or deliberately skewed.

For a binary double-blind placebo trial (one group gets the medication,
another gets the placebo), compute the hmac of each subject identifier (name,
some participant ID), keyed with a key known to the principal investigator.
Everyone whose hash MSB is above 0x80 gets the treatment, and everyone whose
hash is below 0x80 gets the placebo. If you need more experimental groups,
adjust the thresholds as needed.

Clearly this is very restrictive and limited (you might need to ensure a
proper demographic and medical/age profile distribution of subjects between
both groups), but there are likely ways to achieve this by creating multiple
"groups" and doing this process within each demographic balanced group.

You'd get a reproducible outcome, as long as you can recover the patient names
or participant ID numbers, and the PI or experimental lead takes careful note
of the hmac key used.

Just a straw man idea for how at least the patient to group allocation could
be done deterministically. If someone attacked this and muddled patients and
groups around, it could be reproduced just from knowing who the subjects are,
and the hmac key. Clearly this doesn't scale to results or beyond, but I
imagine this is where digital signatures start to help. And with modern
ed25519 signatures we aren't talking massive signatures either.
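
As an added, runnable illustration of the deterministic allocation g_p sketches above (and of btrettel's earlier suggestion to publish a hash that others will archive), not code from either commenter: HMAC-SHA256 keyed with a placeholder PI key, the first-byte threshold, an n-arm generalisation, allocation within each demographic stratum, a publishable digest of the resulting table, and a verifier that recomputes the table to flag rows an attacker altered. Participant IDs, strata and the key are constructed sample values; the choice that a first byte of exactly 0x80 means treatment is an assumption, since the comment only says "above" and "below".

```python
import hashlib
import hmac
import json

# Constructed sample input (not real trial data): participant IDs grouped by a
# demographic stratum, plus a placeholder key that only the PI would hold offline.
PI_KEY = b"placeholder-key-known-only-to-the-principal-investigator"
STRATA = {
    "age18-40": ["P-0001", "P-0002", "P-0003", "P-0004", "P-0005", "P-0006"],
    "age41-65": ["P-0007", "P-0008", "P-0009", "P-0010", "P-0011", "P-0012"],
}


def allocation_tag(participant_id: str, key: bytes) -> bytes:
    """HMAC-SHA256 of the participant identifier under the PI's key."""
    return hmac.new(key, participant_id.encode("utf-8"), hashlib.sha256).digest()


def assign_group(participant_id: str, key: bytes) -> str:
    """Binary allocation from the most significant byte of the HMAC.
    Assumption: first byte >= 0x80 means treatment, otherwise placebo."""
    return "treatment" if allocation_tag(participant_id, key)[0] >= 0x80 else "placebo"


def assign_group_n(participant_id: str, key: bytes, groups: list) -> str:
    """Generalisation to n arms: split the first byte into n equal ranges.
    With groups == ["placebo", "treatment"] this matches assign_group exactly."""
    return groups[allocation_tag(participant_id, key)[0] * len(groups) // 256]


def allocate_stratified(strata: dict, key: bytes) -> dict:
    """Run the allocation independently inside each demographic stratum."""
    return {stratum: {pid: assign_group(pid, key) for pid in pids}
            for stratum, pids in strata.items()}


def allocation_digest(allocation: dict) -> str:
    """Canonical SHA-256 of the allocation table, suitable for posting publicly
    so that archived copies let anyone detect a later change to the table."""
    canonical = json.dumps(allocation, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_allocation(recorded: dict, strata: dict, key: bytes) -> dict:
    """Recompute the table from the IDs and key and return
    {stratum: {pid: (recorded, expected)}} for every row that no longer
    matches. An empty dict means no allocation was altered."""
    expected = allocate_stratified(strata, key)
    mismatches = {}
    for stratum, pids in strata.items():
        for pid in pids:
            got = recorded.get(stratum, {}).get(pid)
            if got != expected[stratum][pid]:
                mismatches.setdefault(stratum, {})[pid] = (got, expected[stratum][pid])
    return mismatches


if __name__ == "__main__":
    table = allocate_stratified(STRATA, PI_KEY)
    print(json.dumps(table, indent=2))
    print("digest to publish:", allocation_digest(table))
    # Simulate an attacker flipping one subject's arm in the stored table.
    tampered = {s: dict(rows) for s, rows in table.items()}
    pid = STRATA["age18-40"][0]
    tampered["age18-40"][pid] = "placebo" if table["age18-40"][pid] == "treatment" else "treatment"
    print("mismatches after tampering:", verify_allocation(tampered, STRATA, PI_KEY))
    print("digest changed:", allocation_digest(tampered) != allocation_digest(table))
```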

------
NGRhodes
Related:
[https://www.theregister.co.uk/2020/05/13/uk_archer_supercomp...](https://www.theregister.co.uk/2020/05/13/uk_archer_supercomputer_cyberattack/)

"One of Britain's most powerful academic supercomputers has fallen victim to a
"security exploitation" of its login nodes, forcing the rewriting of all user
passwords and SSH keys."

[https://www.theregister.co.uk/2020/05/05/coronavirus_researc...](https://www.theregister.co.uk/2020/05/05/coronavirus_research_hacking/)

"Foreign state hackers are trying to brute-force their way into pharmaceutical
and medical research agencies hunting for a COVID-19 vaccine, British and
American infosec agencies are warning.

The National Cyber Security Centre (NCSC) and America’s Cybersecurity and
Infrastructure Security Agency (CISA) cautioned of a “password spraying”
campaign targeting healthcare and medical research organisations."

~~~
dntbnmpls
> Foreign state hackers are trying to brute-force their way into
> pharmaceutical and medical research agencies hunting for a COVID-19 vaccine,
> British and American infosec agencies are warning.

I have a hard time believing foreign state hackers are using "script kiddie"
tactics. But that's just me.

------
coliveira
This is information that can save lives, so I support any nation to hack on
COVID research, anywhere in the world. If they patent COVID research, I also
support breaking any patent.

~~~
kube-system
Compromising remote systems puts researchers, their work, and patient rights
at risk. Patents are published publicly and available free of charge, so I'm
not sure how that would be a reasonable justification for compromising other's
computers. "Research" per se isn't patentable anyway.

~~~
pnw_hazor
Patents provide country-by-country protection -- a US Patent doesn't mean
anything in other countries - except for being evidence of prior art in their
own patent offices.

Also, some/many countries have laws that disallow patents or patent
infringement claims associated with medicine.

------
mensetmanusman
Have family that work in encryption, you can think of barriers to entry as
orders of magnitude in cost.

AWS can decipher decade old encryption standards for about $100k brute
computational cost.

Nation states have access to 5-8 zeros of effort if it is valuable enough.
Private entities have no chance against nation-state backed hacking efforts.

It’s one-sided or ‘asymmetric’, because western intelligence refuses to share
commercial intelligence with western businesses (probably because there isn’t
much of value to share... yet).

Only solution is political change.

------
tehwebguy
I mean, who cares? If they aren’t altering data let them read it. We are
surely reading theirs too.

~~~
nineparts
Why would we read it? It's just a copy of our data + some propaganda.

------
dheera
Given today's anti-free-thinker HN climate I'm probably going to get downvoted
to oblivion for saying this, but I feel I need to say it.

I don't think COVID-19 research should be secretive, I think it should be a
global effort, and I'm perfectly happy with the idea of any nation having open
access to all COVID-19 research, vaccines, results, and (anonymized) data.
There should NOT be a concept of intellectual property when there are people
dying in droves from a disease. Please, China, Italy, Spain, everywhere, scoop
up all the COVID-19 research you can find and act upon it to save lives. Copy
ideas. Copy drugs. Re-do and verify tests. Immediately. Don't mind the courts.
They suck, and are sitting in armchairs killing people by delaying the effort
and enforcing intellectual "property".

~~~
mensetmanusman
Someone should profit for figuring out how to stop COVID because otherwise
there is little incentive beyond the government, and they don’t typically work
nights and weekends.

If China succeeds in stealing the solution, that will harm mankind because it
will reduce future incentive to stop these things quickly.

~~~
nineparts
Not to mention that if they find a cure before the world they will mark it as
"strategical advantage" and not shared because it's of "national interest." At
least based on their past history.

~~~
request_id
Are we talking about China or US?

------
narrator
If the PRC gets a workable vaccine first, they can gain influence to get
everyone to use a WHO run global vaccine passport instead of separate national
systems. They can then tie the WHO's databank into their global surveillance
system and franchise out China's surveillance state and social credit score
system throughout the world.

~~~
caseysoftware
Those are good points, I'd add two more:

- "If you want to buy our vaccine, you need to buy Huawei equipment for all
your communications systems" - we've already seen that in France with PPE

- What would that do for investment in vaccine research if you know China can
drop in theirs at any time and address the entire market? Investments dries
up, China pulls back, go back to 1.

------
tehjoker
I can't recall the last time I saw a public statement by the FBI that wasn't a
lie used for some nefarious purpose.

~~~
chrononaut
The FBI lists _many_ public statements per day about all sorts of operations
and arrests:
[https://www.fbi.gov/news/pressrel](https://www.fbi.gov/news/pressrel)

What you're encountering might just be a selection effect since many of these
press releases don't raise people's interests. Perhaps it's the people
amplifying certain stories to drive their narrative than the FBI themselves?

~~~
tehjoker
The FBI is a highly political organization that uses its position of authority
to routinely intervene in politics often at the behest of the state.

Usually I list the interference they do in left wing movements where they spy
and infiltrate spaces to disrupt and discredit vital activities aimed at e.g.
preserving the environment. As a highlight, they tried to get MLK to kill
himself. Much of this was documented by the revelations of COINTELPRO. That
stuff was never punished, so why would they ever stop? It's good for the
integrity of the state.

For a conservative example, the recent "Obamagate" disclosures show how the
FBI was instrumental in creating the now totally discredited Russiagate
conspiracy which raged in the media for two years as a ploy to disrupt the
Trump administration by an insane xenophobic conspiracy that Trump was the
manchurian candidate, going so far as to create speculation that he was some
kind of soviet sleeper agent from the 1980s. He's of course a bad guy, but
this stuff is off the wall.

Now the FBI is being brought under control by the current administration which
is attempting to distract from its total failure to respond to the pandemic
and its actions which are widely acknowledged to have made it far worse than
it should have been. The United States, the richest most powerful country in
the world, has had one of the worst responses in the world. So the
administration is attempting to clumsily pin the blame on a "foreign enemy" by
saying it's attempting unfairly to do something about the pandemic. What an
incredible world we live in.

EDIT: To conclude: Is withholding medical information in a pandemic for any
reason ethical? What about for making money? Is stealing such information from
such an actor unethical?

~~~
mellow2020
That doesn't make it magically impossible for the PRC to do nefarious things
of their own, which I'm sure you'd agree the FBI would gladly publicize.