A Russian hacking group is targeting novel coronavirus vaccine research in Canada, the U.S. and the U.K., according to a joint statement from the three countries’ cybersecurity agencies.
The Communications Security Establishment (CSE) said in a statement Thursday that the group APT29 — also known as Cozy Bear and The Dukes — is behind the malicious activity and “almost certainly operates as part of Russian intelligence services.”
“These malicious cyber activities were very likely undertaken to steal information and intellectual property relating to the development and testing of COVID-19 vaccines and serve to hinder response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic,” the statement said.
READ MORE: Canadian COVID-19 research faces ‘elevated’ foreign threat of hacking, spy agencies warn
The CSE said the threat assessment is “supported” by the U.K.’s Government Communications Headquarters (GCHQ) and the U.S. National Security Agency (NSA) and Department of Homeland Security’s Cybersecurity and Infrastructure Agency.
U.K. Foreign Secretary Dominic Raab said his government stands with Canada and the U.S. “against the reckless actions of Russia’s intelligence services, who we have exposed today for committing cyber attacks against those working on a COVID-19 vaccine.”
“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” Raab said in a statement.
“While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”
Defence Minister Harjit Sajjan and Foreign Affairs Minister François-Philippe Champagne said in a joint statement that during a global pandemic it’s “more important to defend our own health care organizations, national interests, and that of our allies” from “malicious state actors” but did not mention Russsia by name.
“We must call out irresponsible state behavior that violates the rules-based international order and strive to live and work in a cyber environment that is open, stable, peaceful and secure,” the statement said.
The CSE declined to say whether any hacking attempts targeting Canadian facilities were successful, noting the agency is “not able to comment on or confirm details about specific cybersecurity incidents.”
“In our recent Cyber Threat Bulletin: Impact of COVID-19 on Cyber Threat Activity, we provided a notable example that in mid-April 2020, a Canadian biopharmaceutical company was compromised by a foreign cyber threat actor, almost certainly attempting to steal its intellectual property,” a CSE spokesperson said in an email.
The U.K. National Cyber Security Centre (NCSC) published an advisory Thursday that details activity by the Russian hacking group. Cozy Bear is one of two hacking groups believed to have accessed the Democratic National Committee’s internal systems and stole emails in the lead-up to the 2016 U.S. election.
APT29 uses a variety of tools and techniques, including “spear phishing” and custom malware known as WellMess and WellMail, according to the NCSC. Spear phishing involves delivering malicious software through emails that appear to come from a trusted source.
“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” said the NCSC, which is the U.K.’s lead technical authority on cybersecurity.
READ MORE: 1st Canadian human trial for coronavirus vaccine is underway. Here’s what that means
APT29 conducts widespread scanning and looks for publicly vulnerable systems at organizations like hospitals, research laboratories, health-care providers and pharmaceutical companies.
“This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value,” the NCSC said. “The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future.”
A spokesperson with the Embassy of Russia in Ottawa called the allegations by Western cyber defence agencies “fake news.”
Meanwhile, NSA Cybersecurity Director Anne Neuberger said Thursday that APT29 has a “long history of targeting governmental, diplomatic, think tank, healthcare and energy organizations for intelligence gain.”
“We encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” she said. “The NSA, along with our partners, remains steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic.”
In May, the CSE and the Canadian Security Intelligence Service warned that Canada’s research on the response to the COVID-19 pandemic is at an “elevated level of risk” for state-sponsored hacking and espionage. The agency warned organizations to take further actions to protect their information.
Ottawa has pledged more than $1 billion towards fighting COVID-19 through a national medical and research strategy that has labs across the country studying how the virus spreads and possible treatments, including a vaccine.
A Quebec-based biopharmaceutical company, Medicago, announced this week that it’s begun an early-stage clinical trial of its plant-based coronavirus vaccine, making it the first vaccine from Canada to be tested in humans.
The company said it was “aware of the cyber-attacks” targeting organizations involved in COVID-19 vaccine development and was taking the threat “seriously.”
“Medicago has a strong cybersecurity infrastructure in place, and we continue to be in contact with authorities to further secure our network and infrastructure,” a spokesperson said.
Comments