LONDON — Security officials announced Thursday that hackers linked to Russia's intelligence services were actively trying to steal information from researchers working to produce coronavirus vaccines in the United States, Britain and Canada.
Paul Chichester, director of operations at Britain’s National Cyber Security Centre (NCSC), said the government-backed hackers launched “despicable attacks against those doing vital work to combat the coronavirus pandemic.”
The British urged organizations working on vaccines and antivirals “to defend their networks,” Chichester said in a statement.
Britain’s cybersecurity agency, alongside the National Security Agency in the United States, said that a group named APT29, also known as “the Dukes” or “Cozy Bear,” has targeted British, American and Canadian vaccine research and development organizations.
[Video: Attorney General William P. Barr on July 16 accused hackers linked to the Chinese government of trying to steal information related to covid-19. (Reuters)]
British officials said there was 95 percent certainty that APT29 was part of the Russian intelligence services. U.S. and Canadian experts concurred.
“APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” Anne Neuberger, cybersecurity director for the U.S. National Security Agency, said in a statement.
It was highly likely that the group was trying to collect information on vaccine development or research on the virus itself, Britain’s Foreign and Commonwealth Office said.
The Russian spying is ongoing, with British, American and Canadian cyber experts working to defend laboratories and research data, according to the Government Communications Headquarters, commonly known as GCHQ, Britain’s intelligence and security branch.
“It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic,” British Foreign Secretary Dominic Raab said.
Canada’s Communications Security Establishment, the agency responsible for the country’s foreign signals intelligence, said in a statement that the attacks “serve to hinder response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic.”
The agency said in May that it was “near certain” that state-sponsored actors had “shifted their focus” during the pandemic and that Canadian intellectual property represented a “valuable target” for them.
It later said that it was investigating possible security breaches at Canadian organizations working on coronavirus-related research, but it did not indicate whether the alleged breaches were state-sponsored.
“We’ve seen some compromises in research organizations that we’ve been helping to mitigate,” Scott Jones, head of the Communications Security Establishment’s Cyber Center, told a parliamentary committee. “We’re still continuing to look through what’s the root cause of those.”
The British, Canadian and American intelligence officials did not divulge what — if anything — might have been stolen from the incursions. But the intention, officials said, is there.
In recent efforts targeting vaccine developers, the Russian hacker group scanned computer IP addresses owned by the organizations and then deployed malware to try to gain access, British officials said. In some cases, the hackers used custom malware known as “WellMess” and “WellMail” to conduct further operations on a victim’s system, they said.
The World Health Organization reports that of the more than 160 vaccines being developed, 23 have begun clinical trials in humans, including top candidates being developed by academics, national laboratories and pharmaceutical companies in Britain, Canada and the United States.
Russia is developing 26 vaccines, Russian Deputy Prime Minister Tatyana Golikova said Wednesday, but only two are undergoing clinical trials. A month-long trial on 38 people for one of the vaccines concluded this week, and Kirill Dmitriev, head of the Russian Direct Investment Fund, the country’s sovereign wealth fund, told reporters that a larger trial with several thousand people is expected to begin in August.
“We will produce 30 million doses of the vaccine in Russia, or 50 million if necessary, which means that Russia may complete vaccinations early next year,” Dmitriev said.
Despite their own efforts, the Russians are cheating, Western cyber sleuths say.
“I have absolutely no doubt that if there was the slightest probability of stealing it, the Russians would do it,” said Jonathan Eyal, international director at the Royal United Services Institute, a London-based think tank.
“Mr. Putin has not had a good pandemic,” Eyal said. “He has devolved the handling of it to regional governments to try and escape responsibility. He’s nowhere to be seen. The figures about the numbers who have died are clearly manipulated.”
The Russian hackers in APT29 are well known to cyber experts. The group was one of the two Russian intelligence actors that hacked Democratic National Committee servers during the 2016 U.S. presidential campaign.
U.S. intelligence officials say that APT29 is part of the SVR, Russia’s equivalent of the CIA. That outfit infiltrated the DNC servers in summer 2015, many months before the Russian military spy agency GRU did, investigators said.
“They quietly steal information from their targets, and if you are hit by this actor you may never know it,” said John Hultquist, director of intelligence analysis for the cybersecurity firm FireEye. “It’s not going to be some hack and leak or destructive operation. We’re talking about a quiet intelligence collection operation where Russia quietly leverages the research of others to advance their own.”
The allegations of Russian spying on virus researchers come two months after the FBI and Department of Homeland Security warned that China was also targeting covid-19 research, and that health-care, pharmaceutical and research labs should take steps to protect their systems.
“The biggest thing to keep in mind is Russia’s not alone,” Hultquist said. “This is an existential threat to almost every government on Earth, and for Russia, China and Iran, we can expect that tremendous resources have been diverted from other tasks to focus on stealing research.”
U.S. officials say a desire for geopolitical influence is also driving nations’ actions.
“Having been caught covering up the coronavirus outbreak, Beijing is desperate for a public relations coup, and may hope that it will be able to claim credit for any medical breakthroughs,” Attorney General William P. Barr said Thursday in a speech in Michigan.
And John Demers, assistant attorney general for national security, said earlier this year: “Whatever country’s or company’s research lab is first to produce that is going to have a significant geopolitical success story.”
Last week, FBI Director Christopher A. Wray said that “it’s not unusual” to see “cyber activity” traced to China soon after a pharmaceutical company or research institution makes an announcement about promising vaccine research. “It’s sometimes almost the next day,” he said.
Britain’s foreign secretary also told a parliamentary intelligence committee Thursday that “Russian actors” sought to interfere in the United Kingdom’s 2019 general election by acquiring unpublished documents used in trade talks between the United States and Britain, and then leaking the material via social media.
“Sensitive government documents relating to the UK-US Free Trade Agreement were illicitly acquired before the 2019 General Election and disseminated online via the social media platform Reddit,” Raab said in a written statement to Parliament.
The foreign secretary added, “It is almost certain that Russian actors sought to interfere in the 2019 General Election through the online amplification of illicitly acquired and leaked Government documents.”
Moscow called the charges of election meddling “unfounded.”
“The British administration is making the same anti-Russian mistake again and thus not only further undermining bilateral relations with Moscow, but also its own authority,” Leonid Slutsky, head of the Russian State Duma’s foreign affairs committee, told reporters Thursday, according to the Interfax news agency.
“Raab is using the phrase ‘highly likely’ again,” Slutsky said. “That is, a criminal case is again being initiated on the basis of ‘highly likely,’ in the absence of specific evidence, which the head of the Foreign Office admits. What happened to the presumption of innocence? Where is the evidence?” 
After the trade documents emerged online, they were used during the December 2019 election by the opposition Labour Party and its leader, Jeremy Corbyn, who accused Prime Minister Boris Johnson and his Conservative Party of preparing to “sell off” precious access to the National Health Service to U.S. companies.
The charges were hot-button at the time but did not change the outcome: Johnson won the election in a landslide.
A much-delayed report into allegations of wider Russian interference in Britain’s democracy is due next week.
Nakashima and Taylor reported from Washington. Isabelle Khurshudyan in Moscow, Amanda Coletta in Toronto and Karla Adam in London contributed to this report.