LONDON – Hackers linked to a Russian intelligence service are trying to steal information from researchers working to produce coronavirus vaccines in the United States, Britain and Canada, security officials in those countries said Thursday.
The hackers, who belong to a unit known variously as APT29, “the Dukes” or “Cozy Bear,” are targeting vaccine research and development organizations in the three countries, the officials said in a joint statement. The unit is one of the two Russian spy groups that penetrated the Democratic Party’s computers in the lead-up to the 2016 presidential election.
“It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic,” British Foreign Secretary Dominic Raab said.
The announcement comes as reported coronavirus cases globally have topped 13.5 million, deaths have surpassed the half-million mark, and the stakes for being first to develop a vaccine are high.
Officials did not divulge whether any of the Russian efforts have been successful, but, they said, the intention is clear.
“APT29 has a long history of targeting governmental, diplomatic, think tank, health-care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” said Anne Neuberger, cybersecurity director for the U.S. National Security Agency.
Moscow has denied the allegations.
“We have no information on who could have hacked pharmaceutical companies and research centers in Britain,” Kremlin spokesman Dmitry Peskov told the Tass state news agency. “We can only say this: Russia has nothing to do with these attempts.”
U.S. officials say a desire for global prestige and influence also is driving nations’ actions.
“Whatever country’s or company’s research lab is first to produce that [vaccine] is going to have a significant geopolitical success story,” Assistant Attorney General for National Security John Demers said earlier this year.
Canada’s Communications Security Establishment, responsible for gathering foreign signals intelligence and the Canadian equivalent of the NSA, said the attacks “serve to hinder response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic.”
A CSE bulletin said that a Canadian biopharmaceutical company was breached by a foreign actor in mid-April, “almost certainly attempting to steal its intellectual property.”
The agency also said in May that it was investigating possible security breaches at Canadian organizations working on coronavirus-related research, but did not indicate whether the alleged breaches were state-sponsored.
“We’ve seen some compromises in research organizations that we’ve been helping to mitigate,” Scott Jones, head of the CSE’s Cyber Center, told a parliamentary committee. “We’re still continuing to look through what’s the root cause of those.”
The joint announcement comes two months after the FBI and Department of Homeland Security warned that China was also targeting covid-19 research, and that health-care, pharmaceutical and research labs should take steps to protect their systems.
“It’s not unusual” to see “cyber activity” traced to China soon after a pharmaceutical company or research institution makes an announcement about promising vaccine research, FBI Director Christopher A. Wray said last week. “It’s sometimes almost the next day.”
Attorney General William P. Barr said Thursday that Beijing, “desperate for a public relations coup,” is perhaps hoping “to claim credit for any medical breakthroughs.”
The “biggest thing to keep in mind is Russia’s not alone,” said John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye. “We’ve seen Iranian and Chinese actors targeting pharmaceutical companies and research organizations involved in the covid-19 response. This is an existential threat to almost every government on Earth and we can expect that tremendous resources have been diverted from other tasks to focus on this virus.”
The Russian hacker group scanned computer IP addresses owned by the organizations and then deployed malware to try to gain access, officials with Britain’s National Cyber Security Centre said. In some cases, the hackers used custom malware known as “WellMess” and “WellMail” to conduct further operations on a victim’s system, British officials said.
Paul Chichester, director of operations at the NCSC, said in a statement that APT29 launched “despicable attacks against those doing vital work to combat the coronavirus pandemic.”
The World Health Organization reports that of the more than 160 vaccines being developed, 23 have begun clinical trials in humans – including top candidates being developed by academics, national laboratories and pharmaceutical companies in Britain, Canada and the United States.
Russia is developing 26 vaccines, Russian Deputy Prime Minister Tatyana Golikova said Wednesday, but only two are undergoing clinical trials. A month-long trial on 38 people for one of the vaccines concluded this week. Kirill Dmitriev, head of the Russian Direct Investment Fund, the country’s sovereign wealth fund, told reporters that a larger trial with several thousand people is expected to begin in August.
“We will produce 30 million doses of the vaccine in Russia, or 50 million if necessary, which means that Russia may complete vaccinations early next year,” Dmitriev said.
Alongside their legitimate efforts, the Russians are probably cheating, Western analysts say.
“I have absolutely no doubt that if there was the slightest probability of stealing it, the Russians would do it,” said Jonathan Eyal, international director at the Royal United Services Institute, a London-based think tank.
“Mr. Putin has not had a good pandemic,” Eyal said. “He has devolved the handling of it to regional governments to try and escape responsibility. He’s nowhere to be seen. The figures about the numbers who have died are clearly manipulated.”
The Russian hacking group APT29 is well known to cyber experts. U.S. intelligence officials say it is part of the SVR, Russia’s foreign intelligence service. That outfit hacked the White House and State Department email systems in 2014. It also infiltrated the Democratic National Committee servers in summer 2015, many months before the Russian military spy agency GRU did, investigators said.
The GRU funneled hacked emails to the anti-secrecy group WikiLeaks, which released them online, in an attempt to sow discord in the party. The SVR, by contrast, hacked the party’s servers apparently for classic espionage purposes – to glean insights into the plans and policies of the potential next U.S. president.
“They quietly steal information from their targets, and if you are hit by this actor, you may never know it,” Hultquist said. “We’re talking about an intelligence collection operation where Russia quietly leverages the research of others to advance their own.”
Britain’s Raab also told a parliamentary intelligence committee Thursday that “Russian actors” sought to interfere in the United Kingdom’s 2019 general election by acquiring unpublished documents used in trade talks between the U.S. and Britain, and then leaking the material via social media.
“Sensitive government documents relating to the U.K.-U.S. Free Trade Agreement were illicitly acquired before the 2019 General Election and disseminated online via the social media platform Reddit,” Raab said in a written statement to Parliament.
The foreign secretary added, “It is almost certain that Russian actors sought to interfere in the 2019 General Election through the online amplification of illicitly acquired and leaked Government documents.”
Moscow called the charges of election interference “unfounded.”
“The British administration is making the same anti-Russian mistake again and thus not only further undermining bilateral relations with Moscow, but also its own authority,” Leonid Slutsky, head of the Russian State Duma’s foreign affairs committee, told reporters Thursday, according to the Interfax news agency.
“Raab is using the phrase ‘highly likely’ again,” Slutsky said. “That is, a criminal case is again being initiated on the basis of ‘highly likely,’ in the absence of specific evidence, which the head of the Foreign Office admits. What happened to the presumption of innocence? Where is the evidence?”
After the trade documents emerged online, they were used during the December 2019 election by the opposition Labour Party and its leader, Jeremy Corbyn, who accused Prime Minister Boris Johnson and his Conservative Party of preparing to “sell off” precious access to the National Health Service to U.S. companies.
The charges were a hot-button issue at the time but did not change the outcome: Johnson won the election in a landslide.
A much-delayed report into allegations of wider Russian interference in Britain’s democracy is due next week.
Booth reported from London and Coletta from Toronto. The Washington Post’s Isabelle Khurshudyan in Moscow, Karla Adam in London and Adam Taylor in Washington contributed to this report.