Article by: Dmytro Sherenhovskyi, Analytical Center at the Ukrainian Catholic University
The Canadian intelligence says it discovered cyberattacks on laboratories searching for a coronavirus vaccine. And similar incidents with the aim of stealing information have also occurred in the United Kingdom and the United States.
Although hacker attacks, including on medical centers, are nothing new, this case is special.
The intelligence services unanimously declare that it’s highly probable that the APT29 group, also known as Cozy Bear or The Dukes, which works for Russian intelligence, is behind the attacks.
The first official charges
While countries are struggling to invent a vaccine to protect global health, “others pursue their selfish interests with reckless behavior.” This is how British Foreign Secretary Dominic Raab reacted to information about Russian cyberattacks.
Of course, Russia immediately denied all charges. Putin’s spokesman Dmitry Peskov denied Russian involvement in the hacker group, saying there was no evidence.
However, Canadian intelligence has identified that the malicious programs WellMess and WellMail, which were used in attacks on other sites in the world during the pandemic, have a Russian trace.
This is not the first time Canadian laboratories conducting research on the development of a coronavirus vaccine have suffered cyberattacks.
For example, in May national security forces noticed attempts to hack into the databases of such companies, but did not say whether they were able to identify those behind the attacks.
Previous indirect allegations did not have much resonance and consequences. We will see in the near future how the situation will flare up and whether Canada, the United States, and the United Kingdom will take more active action.
Attacks on laboratories
Throughout the COVID-19 pandemic, there have been a number of similar attacks on medical laboratories and research centers with attempts of spying and stealing data on vaccine development.
The biggest problem is that developing vaccines is an expensive and time-consuming endeavour, so laboratories are often networked together by digital means of communication, making them easy targets for cyberattacks.
Back in March, the WHO said that attackers tried to break into the system through e-mail password phishing – one of the most popular methods (about 90% of all cybercrimes occur through e-mail phishing). More than 450 active WHO e-mails and passwords have been stolen with the aim of accessing databases.
This did not affect the operation of the system itself, which had an upgrade, but damaged the previous system, which was still used to communicate with partners and retired staff.
Another situation arose at the University Hospital in Brno, which is the largest coronavirus testing center in the Czech Republic.
As a result of a direct cyberattack in March 2020, the hospital was cut off for two days from access to forwarding and receiving information from the national database. The cyber attack also affected a nearby children’s hospital and maternity hospital.
The Czech security services were not to establish who was behind the attack and whether any information was stolen.
In April, the United States accused China of trying to break into a system of research centers developing a coronavirus vaccine.
One of the most influential companies in the field of cybersecurity, FireEye, said that it was the Chinese hacker group APT41 that carried out this largest cyber attack in recent years. It was partially repelled thanks to the active opposition of the US National Security Agency and the US Cyber Command.
In May, attacks on medical and research centers took place in many countries around the world. In Israel, for example, there was a large-scale attack on websites, which affected lab networks.
Similar situations have arisen in Australia, France, Spain, and other countries.
This activity is nothing surprising. Whoever develops the vaccine first will not only receive reputational bonuses, but also financial success.
This means that any information and research results are desirable for many players in the pharmaceutical market.
However, cases involving government-backed hacker groups look immoral, at the very least.
While governments, private businesses, and international organizations spend heavily on vaccine development, some governments don’t shirk away from not only stealing information but also blocking the development for personal dividends.
However, while Chinese cyberattacks are known primarily for their focus on economic espionage, their Russian counterparts are more often seen in a political context.
A Russian trace
If a hacker group called The Dukes is really involved in this story, it can gain interesting momentum.
This group is not a newcomer to the market of cybercrime and e-espionage. In one combination or another, it has been operating since at least 2008, working and collecting data for Russian intelligence.
The work in Russia is evidenced not only by the “anti-Western” nature of the operations but also by the presence in the codes of the text of errors (error message) in Russian, as well as the time of their main activity – between 9 and 19 hours Moscow time.
In its analytical report, the Finnish software company F-Secure claims that the first operations of the Dukes that could be identified took place in November 2008 under the names “alkavkaz.com20081105” and “cihaderi.net20081112”.
Russian hackers portrayed some sites as Chechen information centers to report “world jihad news,” and distributed malicious programs in an attempt to use the site.
In 2009, a number of campaigns were launched against the Georgian Ministry of Defense and the Ministries of Foreign Affairs of Turkey and Uganda, and most importantly, US-based think tanks, the NATO Information Center in Georgia, and government institutions in Poland and the Czech Republic.
The attacks were carried out by sending e-mails to which specially created documents in Microsoft Word and PDF format were attached, which released Trojans when opened.
These campaigns demonstrate a clear political commitment from The Dukes, as they are thought to have been about gathering information about the location of the US air defense base in Poland and radar in the Czech Republic.
Since 2013, e-mail phishing through infected PDF files became the most common method of hacking attacks.
The F-Secure report mentions that the infections occurred in more than 29 countries, with some government agencies in Ukraine, Belgium, Hungary, Portugal, the Czech Republic and the United States being the biggest targets.However, most campaigns against Ukraine took place on the eve of Euromaidan in 2013.
The most serious cases were when the Ukrainian MFA received a letter from the Dutch embassy, when a letter of the First Deputy Foreign Minister of Ukraine on the 100th anniversary of the beginning of the First World War was infected, and when an infected PDF document titled “Ukraine’s Search for a Regional Foreign Policy” was sent around.
That this group’s goal may be gathering intelligence is evidenced by the fact that their activity in Ukraine took place before Russian aggression. As soon as Russia switched to direct hostilities in Ukraine, The Dukes ceased operations, while other groups, such as Operation Pawn Storm, began operations.
Therefore, it is safe to assume that, in addition to data on a potential vaccine, the current attacks have a goal that’s related more to intelligence than commerce, and may be related to the study of weaknesses that can be used to intervene in political processes.
Russia desperately needs the status of a savior of the world from COVID-19 to promote the need to return Western countries to dialogue with it and lift sanctions.
And for the Kremlin, it’s acceptable to achieve this goal by any means. Even if the price is a delay in the creation of a vaccine that can save hundreds of thousands of lives.
- Beware of Russia’s bilateral cyber world order
- Russia-linked cyber attacks targeted 104 accounts of European think tanks
- The Kremlin’s cyber contractors. Their motives and risks
- How states can get real about Russian cyber attacks: Estonia, the UK, and Poland explain