WASHINGTON — Russian hackers are attempting to steal coronavirus vaccine research, the U.S., British and Canadian governments said Thursday, accusing the Kremlin of opening a new front in its spy battles with the West amid the worldwide competition to contain the pandemic.
The National Security Agency said that a hacking group implicated in the 2016 break-ins into Democratic Party servers has been trying to steal intelligence on vaccines from universities, companies and other health care organizations. The group, associated with Russian intelligence and known as both APT29 and Cozy Bear, has sought to exploit the chaos created by the coronavirus pandemic, officials said.
U.S. intelligence officials said the Russians were aiming to steal research to develop their own vaccine more quickly, not to sabotage other countries’ efforts. There was likely little immediate damage to global public health, cybersecurity experts said.
The Russian espionage nevertheless signals a new kind of competition between Moscow and Washington akin to Cold War spies stealing technological secrets during the space race generations ago.
The Russian hackers have targeted British, Canadian and U.S. organizations using malware and sending fraudulent emails to try to trick their employees into turning over passwords and other security credentials, all in an effort to gain access to the vaccine research as well as information about medical supply chains.
The accusations against Russia were also the latest example of an increasing willingness in recent months by the United States and its closest intelligence allies to publicly accuse foreign adversaries of breaches and cyberattacks. The U.S. government has previously warned about efforts by China and Iran to steal vaccine research.
Attributing such attacks, however, is imprecise, an ambiguity that Moscow takes advantage of in denying responsibility, as it did Thursday.
Still, government officials as well as outside experts expressed strong confidence that Cozy Bear, controlled by Russia’s elite SVR intelligence agency, was responsible for the attempted intrusions into the virus vaccine research.
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said Paul Chichester, the director of operations for Britain’s National Cyber Security Center.
The head of the center, Ciaran Martin, told NBC News that the cyberattacks were first detected in February and that no evidence had emerged that data was stolen.
Government officials would not identify victims of the hackings. But the primary target of the attacks appeared to be Oxford University in Britain and the British-Swedish pharmaceutical company AstraZeneca, which have been jointly working on a vaccine, said Robert Hannigan, the former head of GCHQ, the British intelligence agency.
Oxford scientists said Thursday that they had noticed a surprising resemblance between their vaccine approach and the work that Russian scientists had reported.
Though Russia could be seeking to steal the vaccine data to boost its own research, it could also be trying to avoid relying on Western countries for any eventual coronavirus vaccine.
While AstraZeneca has announced it will make the Oxford vaccine available at cost, governments and philanthropies have paid huge sums to the company to secure their place in line, even without any guarantee it will work. The United States has said it will pay up to $1.2 billion to AstraZeneca to fund a clinical trial and secure 300 million doses. Russia could find itself near the back of the line if the vaccine proves successful.
“Russia clearly doesn’t want to disrupt vaccine production, but they don’t want to be dependent on the U.S. or the U.K. for production and discovery of the vaccine,” said Hannigan, now an executive at the BlueVoyant cybersecurity firm. “It’s not impossible to think Kremlin pride is such that they don’t want that to happen.”
An intense international race is underway to develop a vaccine for the coronavirus that has already killed 580,000 people and upended daily life around the world. More than 155 vaccines are under development, including 23 being tested on humans.
Some vaccines work by altering another common virus to mimic the coronavirus to trigger an immune response without making people sick. The research by Oxford and AstraZeneca is based on one such pathogen, a chimpanzee adenovirus. Russia’s Ministry of Health is trying to use two other adenoviruses but is not as far along in its testing as the Oxford researchers are.
Some officials suggested the Russian attacks have not been hugely successful but were widespread enough to warrant a coordinated international warning.
Across the globe, intelligence services have stepped up their focus on information surrounding the virus. The FBI director, Christopher A. Wray, accused China last week of “working to compromise American health care organizations” conducting COVID-19 research.
“Russia is not alone,” said John Hultquist, the senior director of intelligence analysis at FireEye, a Silicon Valley cybersecurity firm. “A lot of people are in this game even if they haven’t been called out yet. The whole pandemic is absolutely riddled with spies.”
Chinese government hackers have long focused on stealing intellectual property and technology. Russia has aimed much of its recent cyberespionage, like election interference, at weakening geopolitical rivals and strengthening its hand.
“China is more well known for theft through hacking than Russia, which is of course better now for using hacks for disruption and chaos,” said Laura Rosenberger, a former Obama administration official who now leads the Alliance for Securing Democracy. “But there’s no question that whoever gets to a vaccine first thinks they will have geopolitical advantage, and that’s something I’d expect Russia to want.”
Still, a Russian intrusion could inadvertently damage some vaccine data, and the additional security protocols needed to protect against future cyberattacks could impose a burden on researchers. Private firms are more at risk than the public, said Mike Chapple, a former NSA computer scientist who teaches cybersecurity at the University of Notre Dame.
“The potential harm here is limited to commercial harm, to companies that are devoting a lot of their own resources into developing a vaccine in hopes it will be financially rewarding down the road,” he said.
The Kremlin mocked the announcements Thursday, and Russian officials said they did not know who could have hacked the companies or research centers in Britain. One Russian official said the accusation was an attempt to discredit Moscow’s own work on a vaccine.
Dmitry Peskov, the spokesman for President Vladimir Putin of Russia, told reporters that the accusations were unacceptable. “Russia has nothing to do with these attempts,” he said.
Cozy Bear is one of the highest-profile, and most successful, hacking groups associated with the Russian government. It was implicated alongside the group Fancy Bear in the 2016 hacking of the Democratic National Committee. Though Cozy Bear is believed to have breached the committee’s computers, it played no known role in releasing stolen Democratic emails.
Cozy Bear “has a long history of targeting governmental, diplomatic, think-tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.
The malware used by Cozy Bear to steal the vaccine research included code known as “WellMess” and “WellMail.” The Russian group has not previously used that malware, according to British officials.
But American experts say the tactics used in trying to gain access to the vaccine data bear all the hallmarks of Russian intelligence officials. And U.S. officials said they were confident in attributing the attacks to the Russian hacking group.
The U.S., British and Canadian governments said Cozy Bear used recently publicized weak spots in computer networks to gain a foothold. If organizations do not immediately patch a vulnerability that a software company has identified, their networks can be exposed to hacks.
Once Cozy Bear hackers exploit those gaps to gain entry to a computer system, they create legitimate credentials to maintain access even after the hole is patched.
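The pattern described above, exploiting a publicly disclosed flaw before the patch lands and then adding credentials that outlive the patch, suggests a simple defensive check: once a host is patched, review every account created while it was exposed. The script below is an added illustration, not code from the article or from any of the governments or firms it quotes; the advisory date, host names, patch dates, approved-account list and log lines are all constructed, and the log format is a hypothetical one-record-per-line form rather than any real product's output.

```python
"""Added example: flag accounts created while a host was exposed to a published
vulnerability, so that persistence added before the patch does not survive it.
All dates, hosts, accounts and log lines are constructed for illustration."""
from datetime import datetime
from typing import Dict, List, Optional

# Constructed: date a vendor advisory for a (hypothetical) flaw became public.
ADVISORY_PUBLISHED = datetime(2020, 2, 1)

# Constructed: when each host received the fix (None = still unpatched).
PATCH_APPLIED: Dict[str, Optional[datetime]] = {
    "lab-web-01": datetime(2020, 2, 20),
    "lab-web-02": None,
    "lab-db-01": datetime(2020, 2, 3),
}

# Constructed: accounts whose creation was approved through change control.
APPROVED_ACCOUNTS = {"svc-sequencing"}

# Constructed account-creation records: "timestamp host account creator".
ACCOUNT_LOG = """\
2020-01-15T09:12:00 lab-db-01 svc-sequencing it-admin
2020-02-10T03:41:00 lab-web-01 svc-backup web-admin
2020-02-11T03:45:00 lab-web-01 svc-sequencing it-admin
2020-02-25T14:00:00 lab-web-01 jdoe it-admin
2020-03-02T02:10:00 lab-web-02 svc-update web-admin
"""


def parse_log(text: str) -> List[dict]:
    """Parse one 'timestamp host account creator' record per non-empty line."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, account, creator = line.split()
        events.append({"created": datetime.fromisoformat(ts), "host": host,
                       "account": account, "creator": creator})
    return events


def was_exposed(host: str, when: datetime,
                patch_applied: Dict[str, Optional[datetime]],
                advisory_published: datetime) -> bool:
    """True if the flaw was already public at 'when' and the host was not yet patched."""
    if when < advisory_published:
        return False
    patched_at = patch_applied.get(host)
    return patched_at is None or when < patched_at


def flag_accounts(text: str, patch_applied: Dict[str, Optional[datetime]],
                  advisory_published: datetime, approved: set) -> List[dict]:
    """Return accounts created during a host's exposure window that were not approved.

    host_patched tells the reviewer whether the hole is now closed; a flagged
    account on a patched host is exactly the credential that outlived the fix."""
    findings = []
    for ev in parse_log(text):
        if ev["account"] in approved:
            continue
        if not was_exposed(ev["host"], ev["created"], patch_applied, advisory_published):
            continue
        findings.append({
            "host": ev["host"],
            "account": ev["account"],
            "created": ev["created"].isoformat(),
            "host_patched": patch_applied.get(ev["host"]) is not None,
        })
    return findings


if __name__ == "__main__":
    for f in flag_accounts(ACCOUNT_LOG, PATCH_APPLIED, ADVISORY_PUBLISHED, APPROVED_ACCOUNTS):
        status = "host patched since" if f["host_patched"] else "HOST STILL UNPATCHED"
        print(f"{f['host']}: account {f['account']} created {f['created']} "
              f"during exposure window ({status})")
```

In the constructed data, `svc-backup` on `lab-web-01` was created after the advisory but before that host's patch, so it is flagged even though the host is now patched, which is the case the passage warns about; `svc-update` on the still-unpatched `lab-web-02` is flagged as well. Accounts created before the advisory, after the patch, or on the approved list are left alone. A production version would key the approved list by host as well as name and draw the exposure window from the organization's own patch records.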
While the various Russian hacking groups often share similar targets, they are run by different intelligence agencies for different purposes.
Hackers with Cozy Bear are after information but do not generally release it publicly, according to government and outside experts. Fancy Bear, which works for Russian military intelligence and is also known as APT28, will often publicize the information it steals.
Cozy Bear’s ties are to the SVR, the Russian equivalent of the CIA, according to current and former officials. Unlike other Russian hackers, Cozy Bear’s operations are sophisticated, stealthy and hard to detect.
“Their job is quiet, old-fashioned intelligence collection,” said Hultquist, the cybersecurity analyst.