According to a U.K. government agency, a Russian hacking group that was previously accused of breaking into the Democratic National Committee’s computer network before the 2016 U.S. election is now trying to steal COVID-19 vaccine research.
The United Kingdom’s National Cyber Security Centre, in a July 16 advisory, accused the Russian hacking group APT29, also known as “the Dukes” and “Cozy Bear,” of targeting COVID-19 research organizations. Members of APT29 “almost certainly operate as part of Russian intelligence services,” the U.K. agency said.
The July advisory follows a similar warning from the FBI and the Department of Homeland Security in May that accused Chinese hackers of targeting vaccine research.
NCSC Director of Operations Paul Chichester urged vaccine organizations to step up their cybersecurity efforts, saying that protecting health research organizations is a top priority.
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” he said in the advisory.
Targets of APT29 include vaccine research organizations in the United States, the U.K., and Canada, the center said. The hacking group uses various tools and techniques, including targeted spear-phishing attacks and custom malware, the NCSC added.
NCSC’s APT29 assessment is supported by the Canadian Communications Security Establishment, the DHS, the U.S. Cybersecurity and Infrastructure Security Agency, and the U.S. National Security Agency, it said.
Several security experts urged research organizations to pay more attention to cybersecurity. In addition to extensively using encryption and antivirus software, research groups should limit access to vaccine data to only the people who need it, said Roger Lewis, CEO of CMIT Solutions, an information technology vendor focused on data security.
There may be diplomatic or other responses to the attacks from governments, but research organizations should concentrate on securing their data, he added. “Research and security professionals can only control what they can, and going to the highest security measures to protect data is where their focus should be,” Lewis said.
Research organizations need to adapt to deal with cyberthreats continually, added Adam Levin, the founder of CyberScout, a cybersecurity vendor. “No industry is safe from the threats of hacking and cyberattacks, and even the most robust cybersecurity protocols can be improved,” he said. “The protection of medical research is no exception.”
Small pharmaceutical companies are frequent targets of hackers, added Mark Sangster, vice president and industry security strategist at eSentire, another cybersecurity vendor.
The theft of pharmaceutical intellectual property is a “lucrative business to fuel counterfeit drugs,” he said. “Many of these organizations are much smaller than the mega pharma brands we think about. Smaller firms test new molecules of drugs, and the large brands then bring them to market.”
Smaller research organizations are “extremely” vulnerable, he added. “They hide in a false sense of anonymity but often become the victim of cyberattacks targeting their intellectual property,” Sangster said. “Their focus puts the funds towards research and laboratory gear, and cybersecurity suffers.”
Nations such as Russia, China, and North Korea “will use every weapon in their arsenal short of full-out military engagement,” he added. “Attacks on COVID-19 labs are the pinnacle of these tactics. Stolen vaccine IP, delayed distribution to those who need the drug, economic destabilization, and even political embarrassment are all successful results.”
Meanwhile, some groups and medical professionals have urged research organizations to share their data to find a vaccine more quickly.
COVID-19 vaccine research should be shared widely, said D. Greg Scott, a cybersecurity professional and author. “Operating in the open, wins in cybersecurity will also win with COVID research,” he said.
Research organizations should also be open about the security measures they use, he said. “Publish it, present it at conferences, and subject it to a gauntlet of scrutiny. … Then, go back and refine it based on feedback. Publicly prepare before incidents happen, and publicly respond after incidents happen.”
Levin agreed that there’s a case for sharing COVID-19 research. “There is a difference, of course, between sharing data and stealing it,” he said. “The techniques deployed by hacking collectives have the potential to disrupt research and hamper communications, leaving targets vulnerable to further distractions at a time when their focus and unimpeded work could save millions of lives.”