Which countries and hackers are targeting Covid vaccine developers?
Russia’s best-known hacker groups — Fancy Bear and Cozy Bear — are considered to be linked to the country’s intelligence organisations, according to western security agencies.
Fancy Bear, the better known of the two, is linked to GRU military intelligence and is accused of being behind the hack of US Democratic party computers in the run-up to the 2016 presidential election, the product of which was widely leaked.
Microsoft, which calls the group Strontium, last week accused Fancy Bear of targeting Covid-19 vaccine makers by using “password spray and brute force login attempts” — attacks that use “thousands or millions” of rapid attempts to obtain network access by guessing the password.
Cozy Bear, linked variously to Russia’s domestic FSB and foreign SVR agencies, was accused by Britain’s NCSC agency of targeting drug research labs in the UK, the US and Canada in July. Its goal, NCSC said, was likely to be “stealing information and intellectual property relating to the development and testing of Covid-19 vaccines”.
Hackers in the group sought to gain entry to a wide variety of systems relating to medical research, often by trying to exploit known vulnerabilities left unfixed to try to gain long-term access.
China has been accused of being engaged in hacking activities by the west for many years, with units tied to the country’s People’s Liberation Army formerly in the lead.
In 2015, China’s president, Xi Jinping, and the then US president Barack Obama struck an agreement promising not to “knowingly support cyber-enabled theft of intellectual property” for commercial advantage — which prompted a partial retreat and then a restructuring.
As US-China relations deteriorated, particularly after Donald Trump became president, Chinese activity restarted, this time linked to the country’s ministry of state security (MSS), the country’s principal civilian spy agency.
Chinese groups tend to be more focused on economic rather than political gain, according to researchers at Mandiant FireEye, which last year identified one group known as APT 41, whose “espionage targeting has generally aligned with China’s five-year economic development plans”.
Despite the pandemic, APT 41, sometimes known as Wicked Panda, began the year with substantial campaigns trying to exploit security vulnerabilities in internet-facing corporate IT networks, including UK government systems.
In September, the US FBI filed charges against what it said were five key figures in APT 41, in which it said one of whom had told a colleague he was “very close” to the MSS. China, however, denies it is engaged in hacking related espionage.
Iran, one of the countries worst affected by coronavirus, was accused of targeting the World Health Organization in early April by using phishing techniques, in which emails were sent trying to encourage staff members to click on a link containing malware in an attempt to steal passwords and gain access to systems.
A similar type of Iranian attack on Gilead Research, the US maker of the antiviral drug remdesivir, thought to be a potential Covid-19 treatment, was detected by researchers at the Israeli cybersecurity firm ClearSky. In one case, a senior executive responsible for legal and corporate affairs was on the receiving end of a phishing email.
Cybersecurity researchers say several hacker groups operate from Iran, engaged in both political and economically focused attacks. One researcher said the targeting of Gilead bore similarities to methods used by the Charming Kitten group, previously accused of targeting journalists, academics and human rights activists in Iran, sometimes by posing as journalists themselves.
North Korean hacker groups are linked by western governments to the country’s Reconnaissance General Bureau. Microsoft accused the best-known group, known generally as Lazarus but by the US software company as Zinc, as engaged in spear phishing, or targeted email attacks, against people working at Covid-19 related research organisations.
It said techniques used by Lazarus or Zinc included “spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters”. Another group, called Cerium by Microsoft, used the same email spear phishing methods, but this time posed as WHO representatives.
Lazarus first emerged in about 2014 in the consciousness of Western cybersecurity groups and before Covid-19 was accused of being involved in a broad range of activities.
Last year, the US Treasury, announcing sanctions against the group, said it had been involved in the destructive WannaCry ransomware attack in 2017, which particularly affected the NHS in the UK, compromising systems in a third of hospitals and 8% of GP practices. British agencies have made a similar attribution.
Other countries have also been named as pursuing Covid-19 secrets via hacking. In Aprl, FireEye said it had detected an operation conducted by a Vietnamese group, carrying out intrusion campaigns against China in the early phases of the pandemic crisis between January and April.
Spear phishing messages were sent to public authorities in Wuhan, the site of the first significant outbreak of the disease, with concealed malware under the guise of a New York Times live blog with latest news from the crisis.