Experts On Russian Hackers Target Covid-19 Vaccine Research

Following the news that Russian state-sponsored hackers (a group known as “APT29” or “Cozy Bear”) targeted Covid-19 vaccine research, cybersecurity experts commented below.

Expert Comments

July 17, 2020
Stuart Reed
UK Director
Orange Cyberdefense
Throughout the pandemic we have continued to see strong demand for our services from businesses, who themselves have been responding to the growing threat from adversaries hoping to capitalise on the crisis. As a result we continue to grow in the UK and have conducted many remote interviews in recent months, with most new employees starting their roles at home rather than in the office. Indeed, lockdown has certainly made many line managers rethink their recruitment approach and whether they could realistically widen their net when recruiting by including remote workers that can be based anywhere in the UK. In addition to new recruits, we are also committed to developing our current employees and considering promotion from within. For example, in our security operations centres we are keen to progress our people through the ranks as efficiently as possible by developing their skills. This is in combination with driving entry level recruitment so that we have a constant flow of employees that are moving up – combatting the tight labour market as best we can.
July 17, 2020
John Hultquist
Director of Intelligence Analysis
FireEye
COVID-19 is an existential threat to every government in the world, so it’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure. The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January. Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.
July 17, 2020
Bill Conner
CEO
SonicWall
Cybercriminals perpetrate their attacks for one or more of four core motives: financial gain, political interference, creating general havoc and stealing intellectual property. Never has this last aim been more apparent than now, at a time when Russia is vying for dominance. The coronavirus vaccine, urgently coveted by all countries, can grant a significant advantage. The Russian intelligence group suspected of deploying this attack, APT29 or ‘Cozy Bear’, has deployed malware strains to access research organisations’ systems, and social engineering attacks like phishing and spear-phishing to trick employees into handing over access credentials. At a time when remote working has rendered everyone more susceptible to social engineering, given the lack of the common ‘safety net’, businesses, higher education and governments — especially those in possession of vital research and information — must remain hyper-vigilant. Keeping in mind that IT teams are strained and security budgets are tight, businesses and organisations need a solution that offers easy, resource-saving centralised management.
July 17, 2020
Charity Wright
Cyber Threat Intelligence Advisor
IntSights
The news on Russia hacking into certain projects to steal Coronavirus vaccines does not come as a surprise to me. We are in a world war with the coronavirus and cyber warfare is expected because everyone is in a race to find a vaccine. In the process, multiple vaccines are being/will be developed and certain nations have a tendency to spy and steal information in order to get ahead, and in this case, get the vaccine first. The reasons for this are twofold: not only will the vaccine save lives, but there is profit to be made from developing and deploying the first vaccine in order to sell it on to other countries. APT29 has been known to attack pharmaceutical and healthcare institutions, so the attribution does not come as a surprise; however, I have not seen the evidence for the attribution so I personally cannot confirm it.
July 17, 2020
Paul Bischoff
Privacy Advocate
Comparitech
It's unfortunate that creating a vaccine has become a geopolitical competition rather than an opportunity for global cooperation. Surely a vaccine would have the greatest impact if shared with the whole world including Russia, whether they are friendly or not. So I'm not sure what incentive there is for Russia to steal research, unless it's worried about the UK capitalizing on a vaccine and price gouging Russia for access to it.
July 17, 2020
Ed Macnair
CEO
Censornet
In the midst of the darkest parts of this crisis, cyber crime hasn’t abated. Today’s announcement from the NCSC that Russian hacking groups have been targeting COVID-19 vaccine developers is not shocking but it is concerning. While the objective of this data breach is different to most financially-motivated attacks we see, the tactics the hackers are using are exactly the same. Once again, spear phishing techniques were employed to trick employees into handing over personal information that allowed them to take over accounts. These targeted and personalised attacks are sophisticated and difficult to spot, especially in the strange circumstances we find ourselves in today, so organisations must do everything in their power to mitigate them with technology. As always when combating phishing attacks, although it is important to educate employees on best practice so that they treat all suspicious emails with caution, organisations must take it upon themselves to protect employees from these email attacks in the first instance. Organisations need to use email security that combines algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves against these evolving attacks.
July 17, 2020
Chris Hauk
Consumer Privacy Champion
Pixel Privacy
Coronavirus vaccine research has created an enticing new target for hackers of all types. The use of social engineering (spear phishing) as well as malware have proven over and over as the "go to" methods for hackers to infiltrate networks to steal data. The attacks underscore the need for research groups to educate their users about the risks presented by hackers and how to foil such attacks. It also puts emphasis on the need to keep computer systems up to date to patch security holes used by the bad actors.
July 17, 2020
Robert Hannigan
Chairman
BlueVoyant
It is not a surprise to see Russian state agencies trying to steal valuable COVID-19 research. The methodology of APT29 is familiar and exploits known vulnerabilities, for example in remote services and VPNs, usually to steal credentials. The details in the NCSC’s advisory are an important tool for cybersecurity teams to detect this activity.
July 17, 2020
Calvin Gan
Manager
F-Secure
The healthcare sector along with the WHO has been a target throughout the pandemic. The FBI also released an alert in May warning the healthcare sector to take additional precautions to secure their systems and research. APT29 has been here for a number of years and, while they have been laying low, it did not mean that they were not updating their arsenal. There has been new malware attributed to APT29 as of June 2019. Moving towards targeting Covid-19 vaccine research now seems to be a valuable target, although a first for APT29, as they have targeted other industries in the past. Looking specifically into the advisory, the attacks have been ongoing and appear to continue. It targets vulnerabilities that have already been published earlier with patches made available for a while. This goes to show that the healthcare industry needs help in securing their environment if they are also struggling with proper patch management within the network. We have seen this before with WannaCry on the amount of effort needed to update traditional systems in the sector, and we are still seeing it now with this new batch of vulnerabilities. While we have seen the industry taking new technologies into use and breaking away from traditional setups, having the same root issue of traditional patch management or mindset will likely not solve the problem. To adapt to new technology would also mean to adapt to new processes that are constantly changing, which the healthcare sector may not be fully equipped or ready to embrace. On what’s next, besides following the guidance in the advisory, any organisation involved in the healthcare industry should also assist in combatting this by looking into their own systems. These systems may not be directly contributing to the research but could be used as a steppingstone to attain the final target.
Just like how humans are used in phishing attacks, systems that are exposed (which may seem unrelated) could be used to further move towards the end goal if they are somehow connected. APT29 has been around for long enough to have built up elite skills to continuously improve and remain stealthy, so the entire industry has to move with the same pace, if not a step ahead.
July 17, 2020
Matt Lock
Technical Director
Varonis
The method of attack is absolutely in line with the kill chain – spearphishing to drop a payload, malware used to run reconnaissance to find sensitive data, and then finally exfiltration by SSH, email, Web or DNS. They’re hoping to fly under the radar and avoid detection. We’ve known these research centres have been targets for some months now. I hope the researchers stopped any data loss and detected these patterns of behaviour – there’s no real excuse not to nowadays. Hackers are like sharks in the water – and critical data is like blood. Organisations are quick to spin up infrastructure to support massive research projects and remote collaboration, but cybersecurity and protecting those critical assets is often an afterthought. Many won’t realise they’ve been hit until the information has already walked out the door, or in this case, quietly siphoned off. Now that the IOCs are available, organisations – whether they’re working on cutting-edge research to battle the coronavirus or other medical or technological breakthroughs – must ensure they’re protected.
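The comment above names DNS as one exfiltration channel and argues that the "patterns of behaviour" are detectable. As an added illustration (not code from Varonis, the NCSC advisory or any APT29 tooling), the script below runs a simple DNS-tunnelling triage over a constructed resolver log: it groups queries by client and registered domain and flags groups whose subdomain prefixes look like encoded payload (many unique names, long and high-entropy labels). The log format (`client_ip qname qtype`), the sample lines, the `.test` domain and all thresholds are assumptions made up for this example; a real deployment would read the resolver's actual log format and use the Public Suffix List rather than the "last two labels" shortcut.

```python
"""Toy DNS-exfiltration triage over constructed resolver log lines.

Added example, not from the page's authors or any vendor product. The log
format, thresholds and sample data below are assumptions for illustration.
"""
import math
from collections import defaultdict

# Constructed sample log in an assumed "<client_ip> <qname> <qtype>" format.
# 10.0.0.7 issues many long hex-looking TXT lookups under one domain, which is
# the shape DNS tunnelling tools produce; 10.0.0.5 is ordinary browsing.
SAMPLE_LOG = """\
10.0.0.5 www.example.com A
10.0.0.5 mail.example.com MX
10.0.0.7 4a6f686e20446f65.3132333435.files-sync.test TXT
10.0.0.7 5061737377643a68.3536373839.files-sync.test TXT
10.0.0.7 7365637265742d64.3837363534.files-sync.test TXT
10.0.0.7 6f63732e7a697021.3030303030.files-sync.test TXT
10.0.0.5 cdn.example.com A
"""


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registered domain.
    Assumption for this example; production code should use the PSL."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def parse_log(text: str):
    """Yield (client_ip, qname, qtype) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        yield parts[0], parts[1].lower(), parts[2].upper()


def find_dns_exfil_candidates(log_text: str, *, min_unique: int = 4,
                              min_avg_entropy: float = 2.5,
                              min_avg_len: int = 20):
    """Group queries by (client, registered domain) and flag groups whose
    subdomain prefixes resemble encoded payload. Thresholds are assumed
    starting points; hex encoding caps entropy at 4 bits/char, base32 or
    base64 payloads score higher. Returns a sorted list of finding dicts."""
    groups = defaultdict(set)
    for client, qname, _qtype in parse_log(log_text):
        rd = registered_domain(qname)
        prefix = qname[: -len(rd) - 1] if qname.endswith("." + rd) else ""
        if prefix:  # bare registered-domain lookups carry no payload
            groups[(client, rd)].add(prefix)

    findings = []
    for (client, rd), prefixes in groups.items():
        if len(prefixes) < min_unique:
            continue
        avg_len = sum(len(p) for p in prefixes) / len(prefixes)
        avg_ent = sum(shannon_entropy(p.replace(".", ""))
                      for p in prefixes) / len(prefixes)
        if avg_len >= min_avg_len and avg_ent >= min_avg_entropy:
            findings.append({
                "client": client,
                "domain": rd,
                "unique_prefixes": len(prefixes),
                "avg_prefix_len": round(avg_len, 1),
                "avg_entropy": round(avg_ent, 2),
            })
    return sorted(findings, key=lambda f: (f["client"], f["domain"]))


if __name__ == "__main__":
    for finding in find_dns_exfil_candidates(SAMPLE_LOG):
        print(finding)
```

Run stand-alone it reports the single suspicious (client, domain) pair from the constructed log and ignores the ordinary `example.com` lookups, which never reach the unique-prefix threshold. The same grouping-plus-entropy approach generalises to other query types and to time windows; the thresholds are where a real deployment would need tuning against its own baseline.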
July 17, 2020
Tom Kellermann
Head of Cybersecurity Strategy
VMware Carbon Black
APT29 has historically been linked to Russia, which has set a clear precedent of launching cyberattack campaigns against the West. Russia’s alleged interference in the 2016 U.S. Election is, of course, the prime example of a coordinated attack campaign against the U.S.’s critical infrastructure. In this latest, alleged campaign, Russia appears to be following a playbook all too common for cybercriminals – take advantage of a nefarious opportunity. Tactically, it appears Russia has evolved its attacks to bypass perimeter defenses through the use of custom malware and island hopping through supply chains of the victim organizations. VMware’s own research shows that, during COVID-19, overall cyberattacks and ransomware-specific attacks have both increased by triple digits. These spikes are often directly tied to major events in the COVID-19 news cycle. And, while attribution matters on a geopolitical scale, the primary focus for organizations, particularly in the West, should not be on who is launching these attacks and, rather, what can be done and what kind of security technology can be leveraged to see and stop these attacks before they can cause damage.