US, UK accuse Russian intelligence of trying to steal covid vaccine research

It is unclear whether research facilities have been damaged or if the vaccine programs have been set back as a result of the hacks but officials warned that the cyber attacks are ongoing.

In a dramatic statement on Thursday, Britain’s National Cyber Security Centre (NCSC) said vaccine and therapeutic sectors in multiple countries have been targeted by a group known as APT29, which it said is “almost certainly" part of Russian state intelligence. Security agencies in the U.S. and Canada later issued their own statements backing up the findings.

“It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic," British Foreign Secretary Dominic Raab said. “While others pursue their selfish interests with reckless behavior, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health."

The intelligence bombshell came at a delicate time in geopolitics with a combative U.S. election looming in November and the pandemic plunging the world economy into recession. Coronavirus has launched a global race for a vaccine, in which researchers in the U.K. have made progress recently.

Back in Moscow, President Vladimir Putin’s popularity is a record low and the Russian leader has taken steps to ensure he can remain in power until 2036. Russia has repeatedly dismissed claims it meddles in elections despite repeated allegations of interference.

Cozy Bear

The NCSC said APT29, which also goes by the name of Cozy Bear or The Dukes, has targeted U.K., U.S. and Canadian vaccine research and development organizations. The campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property, according to the NCSC.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic," NCSC Director of Operations Paul Chichester said in an emailed statement. “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector."

Researchers have long linked APT29 to Russian intelligence agencies. For more than a decade, the group has carried out hacking campaigns that have targeted dozens of governments, research institutes, and corporations around the world, according to an analysis published in March by cybersecurity firm Carbon Black.

The group was first identified in November 2008 using malware to target Chechens, according to a March 2015 report published by the Finnish security firm F-Secure. Later, APT29 broadened its targets. It attempted to hack government departments in Georgia, Turkey, Uganda, and appeared to be trying to gather information about the activities of NATO, according to the F-Secure report.

In 2016, US cybersecurity firm Crowdstrike linked APT29 to hack of the Democratic National Committee. The Russian hackers penetrated the DNC’s servers in the summer of 2015, and maintained access to the organization’s data for about a year, according to Crowdstrike researchers. Crowdstrike CEO Shawn Henry told the House Intelligence Committee in December 2017 that he had a “high degree of confidence it was the Russian Government" behind that attack.

Unusual

Artturi Lehtiö, director of strategy and corporate development for F-Secure, has closely followed APT29’s activities. He said that if the group has been targeting Covid research organizations, it was “slightly unusual," as the group usually targets foreign and security policy-related organizations.

“They traditionally go after intelligence that would inform policy and their interactions with other nations," he said. But the group sometimes deviates from those targets, he said, and involves multiple state actors in Russia with differing priorities.

But Britain’s findings were supported by partners at the Canadian Communication Security Establishment (CSE), the U.S. Department for Homeland Security (DHS), Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

The NSA said organizations in the U.S. involved in vaccine development were also targeted by the hackers. The objective of the hacking was “likely to steal information and intellectual property relating to the development and testing of Covid-19 vaccines," according to the NSA statement.

The announcement has political implications because President Donald Trump has been criticized for seeking to downplay controversy with the Russian government. It also comes as Trump is under criticism for failing to respond to a warning from U.S. intelligence that the Russian government may have offered to pay the Taliban to kill U.S. soldiers in Afghanistan.

The Canadian government also released a statement, confirming Ottawa is working with Westminster and Washington to stop the “malicious cyber activities." It said the hacks “serve to hinder response efforts at a time when healthcare experts and medical researchers need every available resource to help fight the pandemic."