Why are Russian hackers targeting COVID-19 vaccine laboratories?

The Canadian intelligence says it discovered cyberattacks on laboratories searching for a coronavirus vaccine. And similar incidents with the aim of stealing information have also occurred in the United Kingdom and the United States. Although hacker attacks, including on medical centers, are nothing new, this case is special. The intelligence services unanimously declare that it’s highly probable that the APT29 group, also known as Cozy Bear or The Dukes, which works for Russian intelligence, is behind the attacks.

The first official charges

While countries are struggling to invent a vaccine to protect global health, "others pursue their selfish interests with reckless behavior." This is how British Foreign Secretary Dominic Raab reacted to information about Russian cyberattacks. Of course, Russia immediately denied all charges. Putin's spokesman Dmitry Peskov denied Russian involvement in the hacker group, saying there was no evidence. However, Canadian intelligence has identified that the malicious programs WellMess and WellMail, which were used in attacks on other sites in the world during the pandemic, have a Russian trace. This is not the first time Canadian laboratories conducting research on the development of a coronavirus vaccine have suffered cyberattacks. For example, in May national security forces noticed attempts to hack into the databases of such companies, but did not say whether they were able to identify those behind the attacks. Previous indirect allegations did not have much resonance and consequences. We will see in the near future how the situation will flare up and whether Canada, the United States, and the United Kingdom will take more active action.

Attacks on laboratories

Throughout the COVID-19 pandemic, there have been a number of similar attacks on medical laboratories and research centers with attempts of spying and stealing data on vaccine development. The biggest problem is that developing vaccines is an expensive and time-consuming endeavour, so laboratories are often networked together by digital means of communication, making them easy targets for cyberattacks. Back in March, the WHO said that attackers tried to break into the system through e-mail password phishing - one of the most popular methods (about 90% of all cybercrimes occur through e-mail phishing). More than 450 active WHO e-mails and passwords have been stolen with the aim of accessing databases. This did not affect the operation of the system itself, which had an upgrade, but damaged the previous system, which was still used to communicate with partners and retired staff. Another situation arose at the University Hospital in Brno, which is the largest coronavirus testing center in the Czech Republic. As a result of a direct cyberattack in March 2020, the hospital was cut off for two days from access to forwarding and receiving information from the national database. The cyber attack also affected a nearby children's hospital and maternity hospital. The Czech security services were not to establish who was behind the attack and whether any information was stolen.   In April, the United States accused China of trying to break into a system of research centers developing a coronavirus vaccine. One of the most influential companies in the field of cybersecurity, FireEye, said that it was the Chinese hacker group APT41 that carried out this largest cyber attack in recent years. It was partially repelled thanks to the active opposition of the US National Security Agency and the US Cyber ​​Command. In May, attacks on medical and research centers took place in many countries around the world. In Israel, for example, there was a large-scale attack on websites, which affected lab networks. Similar situations have arisen in Australia, France, Spain, and other countries. This activity is nothing surprising. Whoever develops the vaccine first will not only receive reputational bonuses, but also financial success. This means that any information and research results are desirable for many players in the pharmaceutical market. However, cases involving government-backed hacker groups look immoral, at the very least. While governments, private businesses, and international organizations spend heavily on vaccine development, some governments don’t shirk away from not only stealing information but also blocking the development for personal dividends. However, while Chinese cyberattacks are known primarily for their focus on economic espionage, their Russian counterparts are more often seen in a political context.

A Russian trace

If a hacker group called The Dukes is really involved in this story, it can gain interesting momentum. This group is not a newcomer to the market of cybercrime and e-espionage. In one combination or another, it has been operating since at least 2008, working and collecting data for Russian intelligence. The work in Russia is evidenced not only by the "anti-Western" nature of the operations but also by the presence in the codes of the text of errors (error message) in Russian, as well as the time of their main activity - between 9 and 19 hours Moscow time. The most serious cases were when the Ukrainian MFA received a letter from the Dutch embassy, when a letter of the First Deputy Foreign Minister of Ukraine on the 100th anniversary of the beginning of the First World War was infected, and when an infected PDF document titled "Ukraine's Search for a Regional Foreign Policy" was sent around. That this group’s goal may be gathering intelligence is evidenced by the fact that their activity in Ukraine took place before Russian aggression. As soon as Russia switched to direct hostilities in Ukraine, The Dukes ceased operations, while other groups, such as Operation Pawn Storm, began operations.

Therefore, it is safe to assume that, in addition to data on a potential vaccine, the current attacks have a goal that’s related more to intelligence than commerce, and may be related to the study of weaknesses that can be used to intervene in political processes. Russia desperately needs the status of a savior of the world from COVID-19 to promote the need to return Western countries to dialogue with it and lift sanctions. And for the Kremlin, it’s acceptable to achieve this goal by any means. Even if the price is a delay in the creation of a vaccine that can save hundreds of thousands of lives.

Read more:

• Beware of Russia’s bilateral cyber world order
• Russia-linked cyber attacks targeted 104 accounts of European think tanks
• The Kremlin’s cyber contractors. Their motives and risks
• How states can get real about Russian cyber attacks: Estonia, the UK, and Poland explain