As some scramble to find a cure for the global pandemic, Western intelligence services have uncovered multiple attempts to steal data surrounding vaccines in development. According to cybersecurity experts, these malicious acts are carried out under the aegis of China, Russia, Iran and North Korea.
In particular, the hackers involved are trying to obtain as quickly as possible the results of the latest trials and other sensitive information concerning the mass production of future vaccines. Since the start of the pandemic, hundreds of pharmaceutical companies and other health organizations around the world have been the targets of cyber attacks; several hospitals were notably victims of ransomware. One of these attacks even indirectly led to the death of a patient in Germany.
As several vaccines are on the verge of approval, the phenomenon has intensified. The intelligence agencies describe a veritable world war, an "intellectual property war". Adam Meyers, senior vice president at IT security specialist CrowdStrike, said countries like Russia and China began hacking Western companies twenty years ago, but since March they have "focused on one topic", in other words COVID-19.
A matter of national pride
For months, laboratories around the world have been at war. Recent announcements from Pfizer/BioNTech, Moderna and AstraZeneca/Oxford, each vying to deliver the highest efficacy percentage, have given the last few weeks the air of a "final sprint" after months of research, a sprint whose winner is not yet known. Number one will reap exceptional economic benefits; but according to Adam Meyers, it is not just about that: "The stakes are much higher for the people involved. It has become a matter of national pride." After all, it is almost about "saving the world"...
Becoming the first nation to offer the vaccine is a title that many covet; hence the upsurge in data theft attempts. But the subject is particularly delicate: despite the cyberattacks they suffer, Western governments remain reluctant to blame any of these countries, mainly for fear of diplomatic repercussions. For their part, the countries singled out deny any involvement in these hacking operations.
Russia thus declared that it had "no knowledge" of these attempts. Ditto for Iran, which denies having engaged in any such cyber war. China, meanwhile, said it had no interest in such acts: "China's research and development on COVID-19 vaccines is ahead of other countries. We don't need to steal what others are doing to get access to a vaccine," said Wang Wenbin, spokesperson for China's Foreign Ministry.
IT security experts say the opposite, however. According to them, in practice, state-"sponsored" hacking groups generally have ties to national intelligence or defense agencies. This year, the UK's National Cyber Security Centre said COVID vaccine research labs in the UK, US and Canada were being targeted by Cozy Bear hackers, a group linked to Russian intelligence, notably the FSB (the successor to the Soviet KGB).
As early as May, hackers linked to Iran were accused of attempting to steal data from US drugmaker Gilead Research while the company was working on a treatment for COVID-19; the attackers used a fake e-mail login page to trick certain staff members into giving them access to company systems (in short, a phishing attempt).
In September, the Spanish daily El País reported that Chinese hackers had repeatedly attacked companies in the health and pharmacy sectors. The Spanish National Intelligence Center (CNI) then reported a "particularly virulent campaign" against laboratories, and not only in Spain. Paz Esteban, head of the CNI, also stressed that the remote work of many people - imposed by the health situation - had unfortunately increased exposure to cyber attacks.
The situation was also reported by Tom Burt, vice president of security and customer trust at Microsoft, who said earlier this month in a statement that the company had "detected cyber attacks from three nation-state actors targeting seven leading companies directly involved in research into COVID-19 vaccines and treatments". According to the firm, the targets include pharmaceutical companies and researchers located in Canada, France, India, South Korea and the United States. The attacks come from the Russian hacker group Strontium (also known as Fancy Bear, APT28 and Pawn Storm, among other aliases) and from two North Korean groups, named Zinc (alias Lazarus Group) and Cerium.
Various techniques for stealing information
Did these various attacks achieve their ends? British sources have claimed that no hacking attempt against the UK has succeeded, although in reality this is impossible to prove. Given the frequency of attacks and the highly variable security levels from one company to another, it is very likely, on the contrary, that several of these attacks achieved all or part of their objective.
In recent weeks, the threat has only grown, focused mainly on production methods and data related to the success of the various candidate vaccine trials. Pharmaceutical companies are well aware of the risk and generally have sufficient resources to defend against cyber attacks. On the other hand, some university institutions are not so well prepared for this kind of scenario. "Sometimes researchers are quite surprised when you tell them what can be happening," notes a computer security specialist.
A typical attack is called "password spraying", used especially by Russian hackers. It consists of testing the most common passwords ("123456", "coucou2020", "password", etc.) against a large number of different accounts and services in order to access as much sensitive data as possible. Notably, this type of attack escapes most detection techniques, because from the perspective of any single account it looks like an isolated login failure. It is easy to avoid, but how many people today do not make the effort to choose a strong password?
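To illustrate the detection gap just described, here is an added example (not from the article or any vendor) that flags the spray pattern in a constructed authentication log: many accounts, one or two failures each, from a single source, which per-account lockout rules never see. The log format, field names, IP addresses, usernames and thresholds are all assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (hypothetical format; not from any real product).
# 203.0.113.7 tries one password on many accounts (spray), then logs in as frank;
# 198.51.100.9 hammers a single account (brute force); 192.0.2.44 is a benign typo.
SAMPLE_LOG = """\
2020-11-20T09:00:01Z result=FAIL user=alice src=203.0.113.7
2020-11-20T09:00:03Z result=FAIL user=bob src=203.0.113.7
2020-11-20T09:00:05Z result=FAIL user=carol src=203.0.113.7
2020-11-20T09:00:07Z result=FAIL user=dave src=203.0.113.7
2020-11-20T09:00:09Z result=FAIL user=erin src=203.0.113.7
2020-11-20T09:00:11Z result=OK user=frank src=203.0.113.7
2020-11-20T09:01:00Z result=FAIL user=alice src=198.51.100.9
2020-11-20T09:01:01Z result=FAIL user=alice src=198.51.100.9
2020-11-20T09:01:02Z result=FAIL user=alice src=198.51.100.9
2020-11-20T09:05:00Z result=FAIL user=grace src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) result=(\w+) user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, result, user, src) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect_spray(log_text, window=timedelta(minutes=10), min_users=4, max_per_user=2):
    """Flag sources whose failures within one window touch many distinct accounts,
    each only a few times. Per-account lockout never fires on that pattern, so
    breadth per source is the signal; also report accounts the source then logged into."""
    fails, oks = defaultdict(list), defaultdict(set)
    for ts, result, user, src in parse(log_text):
        if result == "FAIL":
            fails[src].append((ts, user))
        elif result == "OK":
            oks[src].add(user)
    flagged = {}
    for src, events in fails.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # sliding window from each failure
            per_user = Counter(u for t, u in events[i:] if t - start <= window)
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged[src] = {"sprayed": sorted(per_user), "succeeded": sorted(oks[src])}
                break
    return flagged
```

The brute-force source is deliberately left to per-account lockout; this rule only catches the low-and-wide pattern, so both controls are needed together.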
Spear phishing is a slightly more sophisticated attack, used by the Zinc and Cerium groups. It consists of crafting personalized emails that invite the recipient to click on a link which installs malicious code on the company's systems. The messages intercepted by security experts at Microsoft, for example, took the form of a recruitment offer or were supposedly sent by representatives of the World Health Organization. Likewise, a group of hackers linked to China attempted to approach scientists through LinkedIn; once a dialogue has started, it is relatively easy to obtain information that can be used for a phishing attack.
To date, however, no ransomware-type attack, where the target has to pay a sum of money to regain control of its systems and data, has been used to extract data surrounding future vaccines. It appears that once they are inside the system, hackers focus on the theft and exfiltration of data, without damaging the system in place.
Much like Martin McKee, professor of public health at the London School of Hygiene and Tropical Medicine, one might wonder why some states are trying to steal data when so much information and research around COVID-19 is published in the public domain. In reality, some countries simply attach great importance to developing their hacking capabilities and therefore like to deploy them. "These people do it just because they can," concludes McKee.