Russian Cyber Espionage Group is Trying to Steal U.S. COVID-19 Vaccine Research

A cyber-espionage group aligned with Russia has been accused of trying to steal research from organizations hunting for a COVID-19 vaccine.

A coalition of intelligence agencies spanning the U.K., U.S. and Canada has revealed in an assessment report today that a notorious Kremlin-linked unit called APT29, or "Cozy Bear," has been targeting novel coronavirus researchers throughout 2020.

Authorities said that a "malicious campaign" spearheaded by the unit is ongoing against government, diplomatic, think-tank, healthcare and energy targets.

"Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines," the assessment read.

It noted that evidence suggests APT29 is "almost certainly" operating as part of Russian intelligence services, echoing previous industry conclusions on the group.

The analysis was released by the U.K.'s National Cyber Security Center, an arm of signals intelligence outfit GCHQ, and endorsed by various counterpart agencies in the U.S. and Canada, including the National Security Agency (NSA).

"It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic," U.K. foreign secretary Dominic Raab said in a statement that was released today alongside the intelligence report. "While others pursue selfish interests with reckless behavior, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health."

According to the assessment, APT29 has been using customized malware known as "WellMess" and "WellMail" in its attacks on COVID-19 vaccine researchers.

It conducted "vulnerability scanning against specific external IP addresses owned by the organizations then used public exploits against vulnerable services identified."

The cyber-espionage group has a history with the U.S., being one of two Russian-linked units associated with the infiltration of Democratic Party systems back in 2015, ahead of a wider campaign that emerged during the 2016 presidential election.

In that instance, a second Russian-linked unit was identified as APT28, or Fancy Bear. Both had targeted politicians with spearphishing, as part of an election meddling campaign that officials later said was ordered by Russian president Vladimir Putin.

In a statement today, Paul Chichester, operations director of the NCSC, characterized the APT29 COVID-19-focused campaign as a series of "despicable attacks."

The new report does not name the targets and it remains unclear at the time of writing if any of the research in the crosshairs of the hackers was compromised. It noted APT29 had been "successful using recently published exploits to gain initial footholds."

Earlier this month, FBI director Christopher Wray indicated in a speech at the Hudson Institute that cyber-espionage on COVID-19 research is not limited to Russia.

"At this moment, China is working to compromise American health care organizations, pharmaceutical companies and academic institutions conducting essential COVID-19 research," Wray said, as NBC News reported on July 7.

In the cybersecurity community, APT29 has a well-documented history—and has been described as operating in the interest of the Russian state by multiple firms.

"COVID-19 is an existential threat to every government in the world, so it's no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure," said John Hultquist, senior intelligence director at the cyber firm Mandiant.

"The organizations developing vaccines and treatments for the virus are being targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research.

"We've also seen significant COVID-related targeting of governments that began as early as January. Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly... carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence from its target."

Bill Conner, CEO of network security company SonicWall and a GCHQ adviser, told Newsweek in an email: "Russia happens to be the first country placed in the spotlight, but it was only a matter of time before a nation state resorted to cybercrime to influence or control global healthcare during a time of great need.

"As this pandemic expands and evolves, we stand to see similar attacks in the future. It's incredibly valuable information for millions around the world—IP that would catapult a company's economy if seized," Conner continued. "[Cyber] criminals tend to follow the money trail, thus putting a massive bounty on anything vaccine-related."

This article was updated with a comment from SonicWall CEO Bill Conner.

Russian President Vladimir Putin attends the Extended Boards of Interior Ministry on February 26, 2020 in Moscow, Russia. Mikhail Svetlov/Getty