A Russian hacking group that played a role in breaking into Democratic networks during the 2016 election is now trying to steal coronavirus research, according to officials in the U.S., U.K., and Canada.
In a joint cybersecurity advisory released by the three countries, intelligence agencies warned that a Russian hacking group referred to as “APT29” had “targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.”
The group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. They then deployed public exploits against the vulnerable services identified.
It’s unclear whether the hackers were successful in accessing or stealing any research data, but one British official told The Daily Beast that the joint statement was an attempt to “stop” it from happening.
“We’re not going to comment on operational detail,” the official said. “However, we know that U.K. organizations involved in the COVID-19 response have been targeted. We believe they are targeting organizations to steal information and intellectual property. The [National Cyber Security Centre] has said this group is scanning IT networks looking for ways to get in and access sensitive material. The action from NCSC is intended to help stop that happening.”
APT29, sometimes referred to as “Cozy Bear,” is widely believed to be a government-run hacking group associated with Russia’s Foreign Intelligence Service or SVR and has “a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain,” according to Anne Neuberger, director of the NSA’s Cybersecurity Center.
In 2016, APT29 hackers broke into the Democratic National Committee’s networks alongside hackers from Russia’s Main Intelligence Directorate, known as GRU. Unlike their military intelligence counterparts, APT29 appears to be focused more on traditional espionage rather than carrying out hack-and-leak influence operations.
“They’re there to quietly collect intelligence. If you get targeted by them, you might simply never know that they’re in your network. They're not going to drop something later or blow something up there,” John Hultquist, Director of Intelligence Analysis at the cybersecurity firm FireEye and an expert on Russian hacking groups, told The Daily Beast.
Hultquist says Russian government-linked hackers have been seen targeting pharmaceutical and biotech companies before but the focus in the past was different. “We've seen it more on the disruptive angle or in situations where it just wasn't clear what they were going after.”
In particular, Hultquist points to the NotPetya attack, the single most expensive cyber attack in history in which Russia unleashed destructive malware designed to look like ransomware. The attack primarily targeted networks in Ukraine but companies and countries around the world were affected, including the pharmaceutical giant Merck, which filed a $1.3 billion insurance claim related to losses from the incident.
Biotechnology research has long been a target for countries engaged in economic espionage. In a 2018 report on “Foreign Economic Espionage in Cyberspace,” the U.S. National Counterintelligence and Security Center listed the biotechnology industry as one of the targets in which foreign intelligence services have the “highest interest.”
But the COVID-19 pandemic appears to have changed the targeting priorities of several state-backed hacking groups to a focus on collecting pandemic-related intelligence, according to Hultquist.
“These are extraordinary times. We’re seeing a lot of different actors who don’t generally get into the intellectual property space or this type of space showing up,” said Hultquist.
In May, the FBI issued a statement indicating that the bureau was “investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by [China]-affiliated cyber actors and non-traditional collectors” who sought to steal “valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research.”
Iranian hackers have also reportedly been active in attempting to steal COVID-19 research data. Reuters reported that Iranian-linked hackers posed as journalists in emails as part of an attempt to hack Gilead, which makes the COVID-19-fighting antiviral drug remdesivir. Google’s Threat Analysis Group, which analyzes cybersecurity threats for the company, subsequently announced that it had “found new, COVID-19-specific targeting of international health organizations,” consistent with the Iranian-linked hacking group known as “Charming Kitten,” which “corroborates reporting in Reuters.”
In terms of COVID-19-related espionage, cybersecurity firms like FireEye noticed state-run hacking campaigns begin almost from the start of the pandemic. In January 2020, according to a FireEye report, hackers linked to the Vietnamese government broke into local government networks in Wuhan, China and China’s Ministry of Emergency Management in an apparent attempt to learn more about the pandemic amid efforts by Chinese officials to suppress news of the outbreak.
The combination of a deadly global pandemic and an atmosphere of mistrust means cybersecurity experts don’t expect campaigns like the one called out by the U.S., Britain, and Canada on Thursday to end anytime soon.
“There’s going to be espionage against the research institutions, academia, pharmaceutical companies, local municipalities who have case spikes—there's a tremendous amount of mistrust going on in the world and, given that environment, they're going to deploy this capability,” said Hultquist.