NYT The Morning


Russia Is Trying to Steal Virus Vaccine Data, Western Nations Say

The hackers have been targeting British, Canadian and American organizations racing to create coronavirus vaccines.

A scientist preparing samples last month during research and development trials for a vaccine against the coronavirus at a laboratory in St. Petersburg, Russia. Credit: Anton Vaganov/Reuters

By Julian E. Barnes

July 16, 2020

WASHINGTON — Russian hackers are attempting to steal coronavirus vaccine research, the American, British and Canadian governments said Thursday, accusing the Kremlin of opening a new front in its spy battles with the West amid the worldwide competition to contain the pandemic.

The National Security Agency said that a hacking group implicated in the 2016 break-ins into Democratic Party servers has been trying to steal intelligence on vaccines from universities, companies and other health care organizations. The group, associated with Russian intelligence and known as both APT29 and Cozy Bear, has sought to exploit the chaos created by the coronavirus pandemic, officials said.

American intelligence officials said the Russians were aiming to steal research to develop their own vaccine more quickly, not to sabotage other countries’ efforts. There was likely little immediate damage to global public health, cybersecurity experts said.

The Russian espionage nevertheless signals a new kind of competition between Moscow and Washington akin to Cold War spies stealing technological secrets during the space race generations ago.

The Russian hackers have targeted British, Canadian and American organizations using malware and sending fraudulent emails to try to trick their employees into turning over passwords and other security credentials, all in an effort to gain access to the vaccine research as well as information about medical supply chains.

The accusations against Russia were also the latest example of an increasing willingness in recent months by the United States and its closest intelligence allies to publicly accuse foreign adversaries of breaches and cyberattacks. The American government has previously warned about efforts by China and Iran to steal vaccine research.

Attributing such attacks, however, is imprecise, an ambiguity that Moscow takes advantage of in denying responsibility, as it did Thursday.

Still, government officials, as well as outside experts, expressed strong confidence that Cozy Bear, controlled by Russia’s elite S.V.R. intelligence agency, was responsible for the attempted intrusions into the virus vaccine research.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said Paul Chichester, the director of operations for Britain’s National Cyber Security Center.

The head of the center, Ciaran Martin, told NBC News that the cyberattacks were first detected in February and that no evidence had emerged that data was stolen.

Government officials would not identify victims of the hackings. But the primary target of the attacks appeared to be Oxford University in Britain and the British-Swedish pharmaceutical company AstraZeneca, which have been jointly working on a vaccine, said Robert Hannigan, the former head of G.C.H.Q., the British intelligence agency.

Oxford scientists said on Thursday that they had noticed a surprising resemblance between their vaccine approach and the work that Russian scientists had reported.

Though Russia could be seeking to steal the vaccine data to bolster its own research, it could also be trying to avoid relying on Western countries for any eventual coronavirus vaccine.

While AstraZeneca has announced it will make the Oxford vaccine available at cost, governments and philanthropies have paid huge sums to the company to secure their place in line, even without any guarantee it will work. The United States has said it will pay up to $1.2 billion to AstraZeneca to fund a clinical trial and secure 300 million doses. Russia could find itself near the back of the line if the vaccine proves successful.

“Russia clearly doesn’t want to disrupt vaccine production, but they don’t want to be dependent on the U.S. or the U.K. for production and discovery of the vaccine,” said Mr. Hannigan, now an executive at the BlueVoyant cybersecurity firm. “It’s not impossible to think Kremlin pride is such that they don’t want that to happen.”

An intense international race is underway to develop a vaccine for the coronavirus that has already killed 580,000 people and upended daily life around the world. More than 155 vaccines are under development, including 23 being tested on humans.

Some vaccines work by altering another common virus to mimic the coronavirus to prompt an immune response without making people sick. The research by Oxford and AstraZeneca is based on one such pathogen, a chimpanzee adenovirus. Russia’s Ministry of Health is trying to use two other adenoviruses but is not as far along in its testing as the Oxford researchers are.

Some officials suggested the Russian attacks have not been hugely successful but were widespread enough to warrant a coordinated international warning.

Across the globe, intelligence services have stepped up their focus on information surrounding the virus. The F.B.I. director, Christopher A. Wray, accused China last week of “working to compromise American health care organizations” conducting Covid-19 research.

“Russia is not alone,” said John Hultquist, the senior director of intelligence analysis at FireEye, a Silicon Valley cybersecurity firm. “A lot of people are in this game even if they haven’t been called out yet. The whole pandemic is absolutely riddled with spies.”

Chinese government hackers have long focused on stealing intellectual property and technology. Russia has aimed much of its recent cyberespionage, like election interference, at weakening geopolitical rivals and strengthening its hand.

“China is more well known for theft through hacking than Russia, which is of course better known for using hacks for disruption and chaos,” said Laura Rosenberger, a former Obama administration official who now leads the Alliance for Securing Democracy. “But there’s no question that whoever gets to a vaccine first thinks they will have geopolitical advantage, and that’s something I’d expect Russia to want.”

Still, a Russian intrusion could inadvertently damage some vaccine data, and additional security protocols to protect against future cyberattacks could impose a burden on researchers. Private firms are more at risk than the public, said Mike Chapple, a former National Security Agency computer scientist who teaches cybersecurity at the University of Notre Dame.

“The potential harm here is limited to commercial harm, to companies that are devoting a lot of their own resources into developing a vaccine in hopes it will be financially rewarding down the road,” he said.

The Kremlin mocked the announcements Thursday, and Russian officials said they did not know who could have hacked the companies or research centers in Britain. One Russian official said the accusation was an attempt to discredit Moscow’s own work on a vaccine.

Dmitri S. Peskov, the spokesman for President Vladimir V. Putin of Russia, told reporters that the accusations were unacceptable. “Russia has nothing to do with these attempts,” he said.

Cozy Bear is one of the highest-profile, and most successful, hacking groups associated with the Russian government. It was implicated alongside the group Fancy Bear in the 2016 hacking of the Democratic National Committee. Though Cozy Bear is believed to have breached the committee’s computers, it played no known role in releasing stolen Democratic emails.

Cozy Bear “has a long history of targeting governmental, diplomatic, think tank, health care and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously,” said Anne Neuberger, the National Security Agency’s cybersecurity director.

The malware used by Cozy Bear to steal the vaccine research included code known as “WellMess” and “WellMail.” The Russian group has not previously used that malware, according to British officials.

But American experts say the tactics used in trying to obtain access to the vaccine data bear all the hallmarks of Russian intelligence officials. And American officials said they were confident in attributing the attacks to the Russian hacking group.

The American, British and Canadian governments said Cozy Bear used recently publicized weak spots in computer networks to get a foothold. If organizations do not immediately patch a vulnerability that a software company has identified, their networks can be exposed to hacks.

Once Cozy Bear hackers exploit those gaps to gain entry to a computer system, they create legitimate credentials to maintain access even after the hole is patched.

While the various Russian hacking groups often share similar targets, they are run by different intelligence agencies for different purposes.

Hackers with Cozy Bear are after information but do not generally release it publicly, according to government and outside experts. Fancy Bear, which works for Russian military intelligence and is also known as APT28, will often publicize the information it steals.

Cozy Bear’s ties are to the S.V.R., the Russian equivalent of the C.I.A., according to current and former officials. Unlike other Russian hackers, Cozy Bear’s operations are sophisticated, stealthy and hard to detect.

“Their job is quiet, old-fashioned intelligence collection,” said Mr. Hultquist, the cybersecurity analyst.

Reporting was contributed by Nicole Perlroth from San Francisco, David D. Kirkpatrick and Stephen Castle from London, Andrew Higgins from Moscow, and Charlie Savage from Washington.
