Russian Hackers Blamed for Attacks on Coronavirus Vaccine-Related Targets
A prominent state-backed Russian hacking group was blamed Thursday by U.S., U.K. and Canadian government officials for ongoing cyber espionage against organizations involved in the development of coronavirus vaccines and other health-care-related work, reflecting an escalation of security risks at a crucial time in the global response to the pandemic.
Western intelligence officials said that they jointly assessed Russia as the source of the persistent hacking activity in several countries. The targets, officials said, include governments, think tanks, universities, private companies and other organizations working on vaccine research and testing globally.
The attacks are designed to steal intellectual property related to the response to Covid-19, the U.S. National Security Agency, along with its British and Canadian counterparts, said.
Efforts to develop a vaccine have become an international arms race, with winners seen as benefiting from access to treatments that would help improve national health and economic stability. Those factors make the scientific secrets behind vaccine development valuable.
The accusation comes as coronavirus cases have surged in the U.S., with confirmed cases climbing to more than 3.5 million a little over a week after crossing the 3 million mark, and as newly reported infections around the world reached a record. The U.S., which saw a single-day record 67,417 new confirmed cases Tuesday, added about 66,300 on Wednesday, according to Johns Hopkins University.
The Western officials identified the hacking group as Russia-supported APT29, which is also known as Cozy Bear. APT29 is widely regarded by cybersecurity experts as a sophisticated and prolific cyber unit associated with Russian intelligence and has previously been linked to attacks on the White House, the U.S. State Department, the Democratic National Committee and European governments.
“Throughout 2020, APT 29 has targeted various organizations involved in Covid-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines,” British, American and Canadian security agencies said in a technical report.
The warning, designed to help current and potential targets boost defenses, follows already stepped-up protection of institutions involved in virus research, including vaccine development. The Western allies' report said the Russian group has had some success gaining footholds in targeted computer networks by exploiting software vulnerabilities in internet-facing systems and by using spearphishing attacks to compromise login credentials. But U.K. officials said the attacks haven't thwarted any vaccine-related work they know of.
The U.K. this year stepped up efforts to protect the University of Oxford and about a dozen universities battling the virus from cyberattacks. Oxford is working with U.K. drugmaker AstraZeneca PLC on a leading vaccine candidate that they say could be ready by this autumn. An Oxford spokesman said the university was working closely with Britain’s National Cyber Security Centre to ensure its research had the best cyber protection. An AstraZeneca spokesman had no immediate comment about the hacking warnings.
Anne Neuberger, director of cybersecurity at the National Security Agency, said foreign actors were trying to take advantage of the pandemic. “We encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” she said.
Russian presidential spokesman Dmitry Peskov told the official state news agency RIA Novosti that Russia “will not accept such allegations.”
There was no response from Russia’s Federal Security Service, nor from the Ministry of Digital Development, Communications and Mass Media, which deals with cybersecurity.
Russia has mobilized its armed forces and top scientists to develop its own coronavirus vaccine after President Vladimir Putin demanded the country have one by this fall. The rush comes after Russia initially wavered over whether to impose lockdowns to curb the spread of the virus.
The U.K. cyber center said it relied on several sources to arrive at its conclusion that Russia was behind the activity. It said the attackers used two families of custom-built malware, dubbed "WellMess" and "WellMail," to target organizations across the globe working on vaccine research. The NSA supported the attribution of the hacking activity to Russia.
Canada's Communications Security Establishment, the signals-intelligence agency responsible for the country's cybersecurity, said the attacks hindered the efforts of health-care experts and researchers trying to fight the pandemic. It urged Canadian hospitals and clinics to bolster protections against possible attacks.
The U.S.-based cyber firm CrowdStrike accused the same Russian group of hacking into the DNC in the lead-up to the 2016 election, saying it quietly monitored email and chat conversations for months without detection.
A separate hacking group linked to Russian military intelligence was also accused of breaking into the DNC and implicated in stealing and leaking emails as part of a broader cyber effort that U.S. intelligence agencies later concluded was intended to harm Democratic candidate Hillary Clinton’s campaign and boost Mr. Trump. That finding was corroborated by former special counsel Robert Mueller and a bipartisan report by the Senate Intelligence Committee. Russia has denied the attacks.
In the U.K., authorities noticed a significant increase in malicious activity in June, much of which they believed to be Russian, according to people briefed on the activity.
In one case of apparently mistaken identity, attackers repeatedly tried to hack a health-care entity containing “Oxford” in its name but not part of the university, according to the people.
Russia isn’t the only country seeking to steal intellectual property from foreign computer networks, say government and private-security experts involved in responses.
In May, U.S. officials issued a public alert accusing Chinese hackers of targeting American universities and health-care companies in a bid to steal intellectual property, saying that intrusions could jeopardize medical research.
Trump administration officials have also said privately that Iran or its proxies have been targeting similar types of facilities using a relatively crude technique known as password spraying, which attempts to compromise an organization by trying a small number of common passwords against many user accounts, a pattern that avoids the account lockouts triggered by repeated guesses against a single account.
Among Iran’s recent targets, people familiar with the matter have said, was the pharmaceutical company Gilead Sciences Inc., which has produced the antiviral drug remdesivir that was given emergency-use authorization by the Food and Drug Administration as a potential Covid-19 treatment.
Security experts also say that they have seen several adversaries seek to steal research related to the coronavirus and that such attempts weren’t surprising given the severity of the pandemic.
“Covid-19 is an existential threat to every government in the world right now, so it’s no surprise to see them leveraging their cyber espionage capabilities to gather information on a cure,” said John Hultquist, director of intelligence analysis at U.S.-based cyber firm FireEye and a longtime watcher of APT29. “We have seen the Russians as well as Chinese and Iranian actors target the pharmaceutical and research space in an effort to gather information on developing vaccines.”
Photo: Russia's President Vladimir Putin has demanded the country have a coronavirus vaccine by the fall. (Alexei Druzhinin/Kremlin/Reuters)