The National Cyber Security Centre (NCSC) in the UK stated this week that several organizations involved in Covid-19 vaccine development in the UK, US, and Canada have been targeted in a cyber attack by a Russian hacking group known as APT29.
The NCSC says that APT29, also known as ‘the Dukes’ or ‘Cozy Bear,’ is “almost certainly” part of the Russian intelligence services and it believes the attacks were carried out “with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines.”
The Kremlin, however, has rejected association with the hacking group, and says that the Russian government was not involved in the attacks.
APT29 is known for targeting government organizations and was previously accused of hacking the US Democratic National Committee before the 2016 election.
As part of its statement, the NCSC has published an advisory document for research organizations and companies involved in Covid-19 research to help them protect their data, as they believe future attacks are likely.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” said Paul Chichester, NCSC Director of Operations.
“We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”
APT29 often scans organizational IP addresses for vulnerabilities and then exploits publicly known software flaws to gain initial access to organizational systems, according to the advisory. It has apparently been using targeted ‘spear-phishing’ — where you trick a target into revealing confidential information by posing as a trusted contact online — and customized malware as part of its attacks, techniques that have not previously been associated with APT29.
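The advisory's first point, that the group scans organizational IP addresses before exploiting known flaws, is something a defender can look for in perimeter logs. The following is an added illustration, not code from the article or from the NCSC advisory: a small sliding-window heuristic that flags a source address which touches many distinct destination/port pairs within a short interval. The log format and the log lines are constructed for the example, and the window and threshold values are arbitrary assumptions to be tuned per network.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real traffic).
# Format: "<ISO timestamp> <src ip> <dst ip> <dst port> <action>"
# 203.0.113.7 sweeps several hosts and ports in ten seconds;
# 192.0.2.44 is ordinary repeat traffic to one service.
SAMPLE_LOGS = """\
2020-07-16T09:00:01 203.0.113.7 198.51.100.10 22 DROP
2020-07-16T09:00:02 203.0.113.7 198.51.100.10 80 ALLOW
2020-07-16T09:00:03 203.0.113.7 198.51.100.10 443 ALLOW
2020-07-16T09:00:04 203.0.113.7 198.51.100.10 3389 DROP
2020-07-16T09:00:05 203.0.113.7 198.51.100.11 22 DROP
2020-07-16T09:00:06 203.0.113.7 198.51.100.11 445 DROP
2020-07-16T09:00:07 203.0.113.7 198.51.100.11 8080 DROP
2020-07-16T09:00:08 203.0.113.7 198.51.100.12 22 DROP
2020-07-16T09:00:09 203.0.113.7 198.51.100.12 21 DROP
2020-07-16T09:00:10 203.0.113.7 198.51.100.12 23 DROP
2020-07-16T09:00:01 192.0.2.44 198.51.100.10 443 ALLOW
2020-07-16T09:00:30 192.0.2.44 198.51.100.10 443 ALLOW
2020-07-16T09:05:00 192.0.2.44 198.51.100.10 443 ALLOW
2020-07-16T10:00:00 203.0.113.7 198.51.100.10 443 ALLOW
"""


def parse_line(line):
    """Split one log line into (timestamp, src, dst, port, action)."""
    ts, src, dst, port, action = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port), action


def detect_scanners(log_text, window_seconds=60, threshold=8):
    """Return {src_ip: (first_alert_time, distinct_targets)} for every source
    that contacts at least `threshold` distinct (dst, port) pairs inside a
    sliding window of `window_seconds`. Both parameters are assumed values."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e[0])  # process in time order

    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)  # src -> deque of (timestamp, (dst, port))
    alerts = {}

    for ts, src, dst, port, _action in events:
        q = recent[src]
        q.append((ts, (dst, port)))
        # Drop entries that have aged out of the window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct_targets = {target for _, target in q}
        if len(distinct_targets) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct_targets))
    return alerts


if __name__ == "__main__":
    for src, (when, count) in detect_scanners(SAMPLE_LOGS).items():
        print(f"{when.isoformat()} possible scan from {src}: "
              f"{count} distinct dst/port pairs within window")
```

Counting distinct destination/port pairs rather than raw packet volume is what separates a sweep from a busy but legitimate client such as 192.0.2.44 above; in practice the threshold is set against a baseline of the organization's own traffic, and hits are enriched with allow/deny ratios and known-scanner lists before anyone is paged.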
No names of targeted organizations were released by the NCSC, but potential targets include the University of Oxford in the UK, which is leading the UK’s Covid-19 vaccine effort together with the pharmaceutical company AstraZeneca. It is also unclear whether the hacking group succeeded in stealing any data.
Artturi Lehtiö, Director of Strategy and Corporate Development at the Finnish cyber-security company F-Secure, is an expert on APT29.
“[This isn’t] the traditional kind of target organization for APT29 aka Dukes. But Covid-19 is obviously a national security priority and those most definitely are the traditional remit of APT29,” he commented on Twitter.
“If true, [it] suggests Covid-19 is such a major national security priority that capabilities are being retasked…. Although, they’ve targeted [universities] as stepping stones to other targets in the past [and] that could’ve given a head-start,” he added in a second tweet.
Cyber attacks like this one have occurred before in European biotech, though likely not on the same scale. One recent case was the UK regenerative medicine company Tissue Regenix, which had to briefly close its US manufacturing facility in late January this year after a cyber-security breach, though it found no sign of theft of sensitive information.