We strongly advise immediate and ongoing action to secure against live cyber security risks to members of the ME and Long Covid (PASC) research, medical and allied communities. We outline the minimum counter measures that we recommend.
This is further to cyber security events that are outlined below, which have been reported to cyber crime authorities. Particular risk-drivers in the field of ME, Long Covid and the pandemic are also discussed, threats which we expect to remain ongoing for at least the medium term. These provide the primary risk to the professions that Doctors with M.E. serves, abuse of information.
“We will not be providing additional comment regarding these events at this time. Comment may prejudice any action that we may need to take, whether in the event of continued cybercrime or online/offline campaigns of abuse, habitualised defamatory statements or the smearing of the professions that we represent.”Doctors with M.E.
Following interaction by known antiscience proponents, a significant distributed denial of service (DDoS) attack was repelled on Wednesday 14th July. Details regarding this are documented below. This attack occurred immediately alongside impersonation of key communications personnel from third party bodies that can be instrumental to the funding or direction of research. This set of events has been reported to UK cyber crime authorities.
There was no breach of information in any form due to preparedness. Site visitors may have noticed layers of defense triggering. Our infrastructure is designed with multiple defense layers against coordinated DDoS campaigns, hacking or other unlawful acts. Our personnel is also briefed regarding best practice.
What we know
We cannot be sure of the exact source of the attacks we experienced, particularly when traffic passes through the dark web. Where we can be sure, such acts will be pursued directly.
Like all internet connected infrastructure, we face constant probes and attacks, which normally number in hundreds to thousands daily across web and other internet protocols for our systems. Wednesday’s event was of a different degree, meaning that many users will have been aware of the issue before we were:
- Wednesday’s DDoS attack
- Saw a 1100% increase in web based attacks versus the daily average over the preceding 7 days.
- Saw a 2460% increase in web based attacks versus the daily average since website launch at the end of June (this includes our highest traffic period around launch).
- General pattern across all attack surfaces
- The UK is the top source for identified web based threats to our infrastructure on any time frame.
- Non web-based threat detection metrics remained constant during this period.
- Social engineering attack
- The individual targeted alongside the above (who was contacted by the impersonated account) has previously experienced attempted social engineering phishing attacks, but not for an extended period.
- That same target has never experienced contact that is impersonating someone 1) known to them generally nor 2) working within the ME or Long Covid ecosystem.
Advised cyber security measures
- Two factor authentication
- for personal and work email, messaging, storage, social media or other accounts and that of family members.
- Encrypt sensitive files/folders
- via your operating system or other tools to minimise the risk of data exfiltration, including any data that can be miscontextualised for blackmail or smear purposes.
- Encrypt entire storage devices
- laptops, desktops, tablets, mobiles, external drives, etc. have device storage encryption options. Data cannot be accessed at all without storage attached to the correct device or with a startup/disk password (device dependent). Data will be freely accessible after booting up / successful attachment, thus necessitating encryption of files/folders, as per above.
- Encrypt your network traffic
- Do not ignore browser warnings regarding insecure traffic on any website and always use websites that connect via https. and not http alone.
- Backup your data
- multiple backups of data (ideally in the cloud and physical) will allow you to recover from data loss or ransomware attacks rapidly and without being susceptible to blackmail.
- Trust no new contact, addresses or IDs
- If you have the slightest doubt, contact the actual person via previously trusted means, ideally by voice. The target may be you, the other person or both.
- Multi-step social engineering attacks are used to deceive the most alert of technology users in the pursuit of leveragable information (compromat), resalable information or immediate financial gain (such practises are commonly referred to as phishing, spearphishing or whaling)
- Do not use untrusted wifi without use of a VPN (Virtual Private Network)
- Public wifi can be used to intercept / redirect traffic
- VPNs can either be paid services or the facility is included in many commercial and retail internet routers or network attached storage devices (NASs).
Each provider/manufacturer clearly documents how to enable these and other settings on their websites.
Time frame for measures above
The above offers baseline security measures applicable to any internet user on an ongoing basis. Analogous to building security, minimal cyber security practices are a prerequisite for any internet connected device. It is very common that devices are insecurely used, providing ease of opportunity for nefarious actors.
Particular risk-drivers in the field of ME, Long Covid and the pandemic will remain ongoing for at least the medium term. This is due to:
- the long standing disjoint between the scientific community and medical norms, which feeds into the relationship between a) the activities of anti-science proponents and 2) documented campaigns of smearing of researchers and allied communities by established professionals, who are averse to regulatorily affirmed scientific standards.
- medicine’s adoption of the relevant scientific consensus being a gradual and definite process, of which ME research and clinical practice is currently the primary beneficiary
- efforts to place Long Covid sufferers who meet pre-existing ME diagnostic criteria at a clinical and administrative disadvantage (versus improving medical adoption of ME scientific consensus), thus unnecessarily prolonging a) the above disjoint and b) anti-science promotion and smearing of scientists by established professionals.
- the overlap between a) contra-scientific ME medical norms and b) extremist elements of the anti-pandemic-measures political movement, which often uses medically mainstreamed contra-scientific narratives and troll accounts to target Long Covid researchers.
The primary risk to the professions that Doctors with M.E. serves is abuse of information, inaccurately contextualising it and/or its use in blackmail. This risk also comes in the context of unexplained examples of temporary interest in scientific consensus, which is later replaced by highly publicised reversion to very low and regulatorily condemned standards, without scientific accountability.
This risk profile is also accounted for by our application policy within the Doctors with M.E. Code.
The availability of off-the-shelf hacking and DDoS tools facilitates automated mass vulnerability detection and offers easily accessible tools for so-called ‘script kiddies’, due to minimal barriers to entry. Profile impersonation offers bad-actors zero barriers to entry.
As detailed above, this availability does generate a constant and normal flow of probes and breach attempts, numbering several hundred million globally per day. Of these a number are composed of ‘disruption for hire’ services that can be combined with multistep social engineering attacks that seek information of use. This number is large in absolute terms, even as a small proportion.
A DDoS attack can have several objectives. Interruption of service is the most obvious target. A level of data loss from service impact can be achieved, particularly where subsystems are not segmented. Such attacks can also be used to assess a target to determine levels of preparedness.
Notwithstanding preparedness and counter measures, the risk of disruption is always real. Future DwME infrastructure developments will increase functionality beyond our organisational presence – although never with sensitive personally identifiable information or payment details.
Social engineering attacks
As mentioned above, multistep social engineering attacks can deceive the most alert of technology users, with practises commonly referred to as phishing, spearphishing or whaling. The objective of such activity can include leveragable information (compromat), resalable information or immediate financial gain.