Russian hackers trying to steal coronavirus vaccine research, intelligence agencies say

Julian E. Barnes, The New York Times

Posted at Jul 17 2020 04:18 AM

WASHINGTON — Russian hackers, opening a dangerous new front in intelligence battles, are attempting to steal coronavirus vaccine research, the US, British and Canadian governments said Thursday.

The National Security Agency said that a hacking group implicated in the break-ins into Democratic Party servers in 2016 has been trying to steal intelligence on vaccines from health care organizations. The group, known as both APT29 and Cozy Bear and associated with Russian intelligence, has sought to exploit the chaos created by the coronavirus pandemic, officials said.

The Russian hackers have targeted British, Canadian and US organizations using malware and sending fraudulent emails to try to trick people into turning over passwords and other security credentials, all in an effort to access the research as well as information about medical supply chains.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said Paul Chichester, director of operations for Britain’s National Cyber Security Center.

The Russians are not alone in trying to steal vaccine information from the United States and other countries. The US government has previously warned about efforts by China and Iran to steal vaccine research.

There was likely little immediate damage to global public health, said Mike Chapple, an associate professor who teaches cybersecurity at the University of Notre Dame and a former National Security Agency computer scientist.

“The potential harm here is limited to commercial harm, to companies that are devoting a lot of their own resources into developing a vaccine in hopes it will be financially rewarding down the road,” he said.

Cozy Bear is one of the highest-profile, and most successful, hacking groups associated with the Russian government. It was blamed alongside the group Fancy Bear in the 2016 hacking of the Democratic National Committee.

“APT29 has a long history of targeting governmental, diplomatic, think-tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.

While the ties between Cozy Bear and Russian spy services are not always clear, the National Security Agency called Cozy Bear a Russian intelligence group Thursday and the British government said that the hackers are almost certainly part of the Russian intelligence services.

The US government did not say how much vaccine information the Russian group has stolen, or what damage to research efforts the hacking may have caused. Some officials suggested the attacks have not been hugely successful but are widespread enough to warrant a coordinated international warning.

The three governments’ cyberdefense arms published advisories aimed at helping health care organizations bolster their computer network defense.

The National Security Agency and the British cybersecurity center declined to identify victims of the hacks, although academic organizations and labs doing vaccine research appear to have been their focus. Imperial College London, which has taken a leading role in COVID-19 research, issued a statement saying it takes appropriate security measures and has “benefited from government advice” to provide extra protection for its vaccine work.

The malware used by Cozy Bear to steal the vaccine research included code known as “WellMess” and “WellMail.”

The Russian group has not previously used that malware, according to British officials. But US officials said they were confident in attributing the attacks to the Russian hacking group.

US officials declined to comment on the precise intent of the Cozy Bear hack.

Dmitry Peskov, the spokesperson for President Vladimir Putin of Russia, said Thursday that Russia has no knowledge of or involvement in attempts by hackers to steal coronavirus vaccine research in the United Kingdom.

“We do not have any information about who might break into pharmaceutical companies and research centers in Great Britain,” Peskov told RIA-Novosti, a state news agency. “We can say only that Russia has nothing to do with these attempts.”

Outside experts said it appeared that the Russians were simply copying information, not trying to damage the research organizations.

“It wouldn’t surprise me if intelligence services of all nations are doing this same kind of thing and using the information to advance their research against coronavirus,” Chapple said.

The three governments said Cozy Bear used recently published exploits to gain a foothold. If organizations do not promptly patch a vulnerability after a software company discloses it alongside a fix, their corporate networks remain exposed during that window.

Once Cozy Bear uses the malware to get access, it creates legitimate credentials to maintain access to a system even after it is patched.
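As an added illustration of that last point (this is not code from the article or from any of the government advisories it mentions): a small check that lists accounts created in the window between a public exploit and the patch, because applying the patch closes the entry point but does not revoke credentials created while it was open. The log format, account names, dates and the "known good" baseline are all constructed for the example.

```python
from datetime import datetime

# Constructed sample audit-log lines (not from the article): timestamp, action, account.
SAMPLE_EVENTS = [
    "2020-07-01T09:12:00Z user_created alice",
    "2020-07-06T02:41:00Z user_created svc-backup",
    "2020-07-08T11:30:00Z password_changed alice",
    "2020-07-09T03:10:00Z user_created monitor2",
    "2020-07-12T10:00:00Z user_created bob",
]

# Constructed baseline: accounts administrators confirm they created on purpose.
KNOWN_GOOD = frozenset({"monitor2"})


def parse_timestamp(value):
    # ISO-8601 with a trailing "Z"; fromisoformat only accepts "Z" from Python 3.11 on.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def parse_event(line):
    ts, action, account = line.split()
    return parse_timestamp(ts), action, account


def suspicious_accounts(events, exploit_published, patched_at, known_good=frozenset()):
    """Accounts created between the exploit's publication and the patch, minus the baseline.

    The patch removes the initial access path but leaves any credentials created
    during the exposure window valid, so each of these accounts needs review.
    """
    start = parse_timestamp(exploit_published)
    end = parse_timestamp(patched_at)
    flagged = []
    for line in events:
        ts, action, account = parse_event(line)
        if action != "user_created":
            continue  # only account creation matters for this check
        if start <= ts <= end and account not in known_good:
            flagged.append(account)
    return sorted(flagged)


if __name__ == "__main__":
    window = ("2020-07-05T00:00:00Z", "2020-07-10T00:00:00Z")
    print(suspicious_accounts(SAMPLE_EVENTS, *window, KNOWN_GOOD))
```

The same check runs against any audit source that records account creation with a timestamp; the review step (confirming each flagged account with whoever owns the system) is manual.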