BioPharma, Policy

Russian hackers suspected in Covid-19 vaccine intellectual property theft, report says

A joint report by cybersecurity agencies in the U.K. and Canada, endorsed by their U.S. counterparts, states that the hacker group Cozy Bear had been targeting organizations involved with Covid-19 vaccine development efforts.

Computer hackers “almost certainly” part of Russian intelligence services have a new target: Covid-19 vaccine development efforts.

In a report Thursday, the U.K.’s National Cyber Security Centre and Canada’s Communications Security Establishment said that the hacker group APT29, also known as “Cozy Bear” and “The Dukes,” had been targeting various organizations involved with Covid-19 vaccine development in the U.S., Canada and the U.K. throughout 2020, likely with the intent of stealing information and intellectual property. APT is a commonly used acronym for advanced persistent threat, a cybersecurity term for hacker groups that are usually sponsored by national governments.

The NCSC and CSE led the report, and they said the U.S. National Security Agency agreed with it, while another U.S. agency, the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, endorsed the technical detail and mitigation advice.

The report does not mention any specific organizations that have been targeted. However, vaccine development efforts are underway in multiple countries and by multiple for-profit companies and research institutions. The World Health Organization currently lists 23 vaccines in clinical development and another 140 in preclinical evaluation. The list includes Russian organizations, such as the Gamaleya Research Institute in Moscow and other academic institutions there and in St. Petersburg.

According to the report, Cozy Bear likely seeks to obtain authentication credentials using publicly available exploits. In targeting Covid-19 vaccine research and development, the report states, the group ran “basic vulnerability scanning” against external IP addresses owned by the organizations and then used public exploits against the vulnerabilities it found. In certain cases, it also used custom malware programs known as WellMess and WellMail. WellMess was first reported in July 2018.

This isn’t the first time that government cybersecurity agencies have warned of the risks to organizations involved in the fight against Covid-19. In May, the NCSC, NSA and CISA issued a joint statement warning of so-called “password spraying” attacks – whereby hackers attempt to gain access to accounts with commonly used passwords – against medical research organizations and healthcare bodies, including biopharma companies. The agencies had said in April that attacks related to the coronavirus would likely become more frequent in the coming months. Citing unnamed American and British officials, Reuters had reported that Russian and Chinese hackers were suspected, though governments from both countries, as well as Iran, denied that was the case.
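To make the password-spraying pattern the agencies warned about concrete, here is an added detection example (not code from the advisory or from any of the agencies named) that scans authentication logs for a single source failing against many distinct accounts with only one or two attempts per account, which distinguishes spraying from ordinary brute force against one account. The log format, field names, thresholds and sample lines are all assumptions constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed format (not real data).
SAMPLE_LOG = """\
2020-07-16T09:00:00 auth: FAIL user=alice src=203.0.113.7
2020-07-16T09:00:05 auth: FAIL user=bob src=203.0.113.7
2020-07-16T09:00:10 auth: FAIL user=carol src=203.0.113.7
2020-07-16T09:00:15 auth: FAIL user=dave src=203.0.113.7
2020-07-16T09:00:20 auth: FAIL user=erin src=203.0.113.7
2020-07-16T09:01:00 auth: FAIL user=alice src=198.51.100.9
2020-07-16T09:01:01 auth: FAIL user=alice src=198.51.100.9
2020-07-16T09:01:02 auth: FAIL user=alice src=198.51.100.9
2020-07-16T09:02:00 auth: FAIL user=bob src=192.0.2.4
2020-07-16T09:02:30 auth: OK user=bob src=192.0.2.4
""".splitlines()

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse_events(lines):
    # Returns (timestamp, result, user, source) tuples; unparseable lines are skipped.
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["src"]))
    return events

def detect_spraying(lines, window=timedelta(minutes=30), min_accounts=5, max_per_account=2):
    # A source is flagged when, inside one sliding window, its failures cover at least
    # min_accounts distinct users while no single user is tried more than max_per_account
    # times (many accounts, few guesses each: the spraying signature, not brute force).
    by_src = defaultdict(list)
    for ts, result, user, src in parse_events(lines):
        if result == "FAIL":
            by_src[src].append((ts, user))
    flagged = {}
    for src, fails in by_src.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, user in fails[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                flagged[src] = sorted(per_user)  # source -> accounts it sprayed
                break
    return flagged
```

Tune `min_accounts` and `window` to the size of the directory being protected; the brute-force source in the sample (many failures on one account) is deliberately left for a separate lockout rule.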

Photo: weerapatkiatdumrong, Getty Images