U.S. and U.K. government officials said a prominent state-backed Russian hacking group is responsible for ongoing cyber espionage against organizations involved in the development of coronavirus vaccines and other healthcare-related work, showing escalating security risks at a crucial time in the global response to the pandemic.
The National Cyber Security Centre, part of the U.K.’s GCHQ electronic-intelligence agency, and backed by U.S. and Canadian security officials, said Thursday they jointly assessed the source of the persistent hacking activity in several countries. The targets, officials said, include governments, think tanks, universities, private companies and other organizations working on vaccine research and testing globally.
The attacks are designed to steal intellectual property related to the response to Covid-19, the officials said. Efforts to develop a vaccine have become an international arms race, with winners seen as benefiting from access to treatments that would help improve national health and economic stability. Those factors make the scientific secrets behind vaccine development valuable.
They identified the hacking group as Russia-supported APT29, which is also known as Cozy Bear. APT29 is widely viewed by cybersecurity experts to be a sophisticated and prolific cyber unit associated with Russian intelligence and has previously been linked to attacks on the White House, the U.S. State Department, the Democratic National Committee, and European governments.
“Throughout 2020, APT 29 has targeted various organizations involved in Covid-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines,” British, American and Canadian security agencies said jointly in a technical report released Thursday.
The warning — designed to help current and potential targets boost defenses — follows already stepped-up protection of institutions involved in virus research, including vaccine development. The Western allies’ report said the Russian group has shown some success gaining footholds in targeted computer networks by exploiting software vulnerabilities and using spearphishing attacks to compromise login credentials. But U.K. officials said the attacks haven’t thwarted vaccine-related work that they know of.
The U.K. this year stepped up efforts to protect from cyberattacks the University of Oxford and about a dozen Universities battling the virus. Oxford is working with U.K. drugmaker AstraZeneca PLC on a leading vaccine candidate that they say could be ready by this autumn. An Oxford spokesman said the university was working closely with Britain’s National Cyber Security Centre to ensure its research had the best cyber protection. An AstraZeneca spokesman had no immediate comment about the hacking warnings.
Anne Neuberger, director of cybersecurity at the National Security Agency, said foreign actors were trying to take advantage of the pandemic. “We encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” she said.
The Kremlin refuted the allegations. Presidential spokesman, Dmitry Peskov, told the official state news agency RIA Novosti that Russia “will not accept such allegations, as well as regular allegations of interference with the 2019 election.”
There was no response from Russia’s Federal Security Service, nor from the Ministry of Digital Development, Communications and Mass Media, which deals with cybersecurity.
Russia has mobilized its armed forces and top scientists to develop its own coronavirus vaccine after President Vladimir Putin demanded the country have one by this fall. The rush comes after Russia initially waved over whether to impose lockdowns to curb the spread of the virus.
The U.K. cyber center said it relied on multiple sources to arrive at its conclusion that Russia was behind the activity. It said the attackers used custom-built malware dubbed “WellMess” or “WellMail” to target organizations across the globe working on vaccine research. The NSA supported the attribution of the hacking activity to Russia.
Canada’s Communications Security Establishment, which is in charge of cybercrime, said the attacks hindered the efforts of health-care experts and researchers trying to fight the pandemic. It urged Canadian hospitals and clinics to bolster protections against possible attacks.
The U.S.-based cyber firm CrowdStrike accused the same Russian group of hacking into the Democratic National Committee in the lead-up to the 2016 election, saying the Russian group quietly monitored email and chat conversations for months without detection.
A separate hacking group linked to Russian military intelligence was also accused of breaking into the DNC and implicated in stealing and leaking emails as part of a broader cyber effort that U.S. intelligence agencies later concluded was intended to harm Democratic candidate Hillary Clinton’s campaign. Russia has denied the attacks.
Russia isn’t the only country seeking to steal intellectual property from foreign computer networks, say government and private-security experts involved in responses. In the U.K., authorities noticed a significant uptick in malicious activity in June, much of it they believed to be Russian, according to people briefed on the activity.
In one case, attackers repeatedly tried to hack an entity containing “Oxford” in its name but not part of the university, according to the people. The entity was instead part of the U.K.’s state-run health service. A spokeswoman for the National Health Service declined to comment.
In May, U.S. officials issued a public alert accusing Chinese hackers of targeting American universities and health-care companies in a bid to steal intellectual property, saying that intrusions could jeopardize medical research.
Trump administration officials have also said privately that Iran or its proxies have been targeting similar types of facilities using a relatively crude technique known as password spraying, which attempts to compromise an organization by rapidly guessing common account-login passwords.
Among Iran’s recent targets, people familiar with the matter have said, was the pharmaceutical company Gilead Sciences Inc., which has produced the antiviral drug remdesivir that was given emergency-use authorization by the Food and Drug Administration as a potential Covid-19 treatment.
Security experts also say they have seen several adversaries seek to steal research related to the coronavirus and that such attempts weren’t surprising given the severity of the pandemic.
“Covid-19 is an existential threat to every government in the world right now, so it’s no surprise to see them leveraging their cyber espionage capabilities to gather information on a cure,” said John Hultquist, director of intelligence analysis at U.S.-based cyber firm FireEye and a longtime watcher of APT 29. “We have seen the Russians as well as Chinese and Iranian actors target the pharmaceutical and research space in an effort to gather information on developing vaccines.”
