
Russian hackers return to spotlight with vaccine research attack

Russia is facing renewed scrutiny for its cyber espionage efforts after the U.S., Great Britain and Canada alleged Thursday that a Kremlin-linked hacking group is attempting to steal research related to coronavirus vaccine developments and testing.

The hacking group known as APT29, or “Cozy Bear,” is largely believed to operate as part of Russia’s security services, and the three countries allege that it is carrying out a persistent and ongoing cyber campaign to steal intellectual property about a possible coronavirus vaccine.

According to cybersecurity group CrowdStrike, the group was also one of two Russian cells that hacked into Democratic National Committee networks between 2015 and 2016 in the lead-up to the presidential election.

The United Kingdom’s National Cyber Security Centre (NCSC) first revealed the findings in a report posted online Thursday, which warned that APT29 has targeted research and development organizations in the U.K., U.S. and Canada using a variety of tools, including spear-phishing techniques and custom malware.

Top intelligence lawmakers, including Sen. Mark Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, are calling for more powerful responses to Russia’s cyber aggression.

“It should be clear by now that Russia’s hacking efforts didn’t stop after the 2016 election,” Warner said in a statement to The Hill. “Moving forward, the United States and the western world need to be prepared for increasingly aggressive cyber-attacks from Russian actors.”

House Intelligence Committee Chairman Adam Schiff (D-Calif.) called the hacking efforts a sign of desperation by Russian President Vladimir Putin.

“With an economy one-tenth the size of ours and a scientific research and development capacity that has withered in the decades since the fall of the Soviet Union, it is not surprising that Vladimir Putin reportedly would resort to theft as a way of trying to secure every possible advantage as Russia and other countries vie with the United States and others in the search for a vaccine,” Schiff said in a statement. 

Still, some security experts say Russia is hardly alone in such efforts.

“COVID-19 is an existential threat to every government in the world, so it’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure,” said John Hultquist, director of intelligence analysis for FireEye.

“The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research,” Hultquist continued.

Theresa Payton, who served as White House chief information officer during the George W. Bush administration, told The Hill that she was not surprised by the news of Russian targeting, noting that any nation state with sufficient cybersecurity capability would likely do the same. 

“I wish I could say I was surprised, but I’m not,” said Payton, CEO of cybersecurity consultancy group Fortalice Solutions. “I don’t believe that Russia will be the only one to conduct those campaigns.”

APT29 is considered a savvy, active and persistent hacking group known for its espionage efforts, and top intelligence officials are warning organizations to take the threat seriously.

“APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” National Security Agency Cybersecurity Director Anne Neuberger said in a statement.

NCSC warned that governments, the diplomatic corps, the health care industry, the energy sector, think tanks and other research organizations are among the targets.

And while security experts generally advise against assuming the motivations behind hackers’ spear-phishing expeditions, to these experts and lawmakers the motivation here rang clear: a vaccine for the coronavirus is among the most highly sought developments worldwide as countries continue to grapple with millions of cases of COVID-19 and stalled economies.

“APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” concludes the NCSC report, saying it is “highly likely” the group intends to steal COVID-19 vaccine information.

The joint alert on Thursday was not the first effort by top security agencies to sound the alarm on foreign espionage threats against COVID-19 vaccine development efforts.

The FBI and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) warned in May that Chinese government-backed hackers were targeting groups involved in COVID-19 treatment research. 

“These actors have been observed attempting to identify and illicitly obtain valuable intellectual property and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research,” the agencies warned in the alert. “The potential theft of this information jeopardizes the delivery of secure, effective, and efficient treatment options.”

The warning came on the heels of a separate alert from CISA and the NCSC that advanced persistent threat (APT) groups were using the COVID-19 pandemic to target organizations seen as vulnerable, including hospitals, medical research groups, academia and local governments. 

Following these alerts, CISA Director Christopher Krebs warned that he expected to see “every intelligence service” attempt to target and steal coronavirus-related research.

“The Chinese have obviously been one of the more brazen in terms of their approach, but others are in the game, too,” Krebs said on the CBS News “Intelligence Matters” podcast. “This is a very active space.”

Concerns around Russian hacking efforts are particularly pressing with only months to go until the next presidential election. 

And Russian efforts to sow discord during the 2016 election are still fresh in many minds inside the Beltway.

During the heated 2016 presidential race, Russian actors launched a sweeping interference campaign that aimed to inflame divisions and sway the election toward now-President Trump.

They used a multipronged approach, including targeting election infrastructure in all 50 states, pushing out misinformation on social media, and hacking the Democratic National Committee as well as other campaign-related email accounts. 

Experts also observed APT29 carrying out a widespread phishing campaign following the 2018 midterm elections, after the House flipped to a Democratic majority, in which the U.S. federal government, media outlets and think tanks were targeted.

Secretary of State Mike Pompeo this week noted that he was “confident” foreign adversaries, including Russia, would attempt to interfere in elections this year, while also emphasizing that the Trump administration was aware of the threat. 

“The American people should rest assured that whether it’s Chinese interference, Iranian interference, Russian interference, or North Korean interference, any country, or even non-state actors who now have capabilities to try to meddle in our elections, know that this administration takes seriously its responsibility to make sure every American’s vote is counted, counted properly, and that foreign influence is minimized,” Pompeo said during a virtual event hosted by The Hill.