Russian cyberops are targeting COVID-19 vaccine R&D, intelligence agencies warn

Natasha Lomas
·5-min read
Researchers work on a vaccin against the new coronavirus COVID-19 at the Copenhagen's University research lab in Copenhagen, Denmark, on March 23, 2020. - At Copenhagen university, a team of about 10 researchers is working around the clock to develop a vaccine against Covid-19 that could apply for clinical trial before within nine months. The vaccine will be based on two components : the protein which is on the surface of the coronavirus, called the spike protein that researchers express in the lab and then attach it on the surface of a virus-like particle. (Photo by Thibault Savary / AFP) (Photo by THIBAULT SAVARY/AFP via Getty Images)
Researchers work on a vaccin against the new coronavirus COVID-19 at the Copenhagen's University research lab in Copenhagen, Denmark, on March 23, 2020. - At Copenhagen university, a team of about 10 researchers is working around the clock to develop a vaccine against Covid-19 that could apply for clinical trial before within nine months. The vaccine will be based on two components : the protein which is on the surface of the coronavirus, called the spike protein that researchers express in the lab and then attach it on the surface of a virus-like particle. (Photo by Thibault Savary / AFP) (Photo by THIBAULT SAVARY/AFP via Getty Images)

Western intelligence agencies say they've found evidence that Russian cyber espionage is targeting efforts to develop a coronavirus vaccine in a number of countries.

In an advisory report, the UK's National Cyber Security Centre (NCSC) said the Russia-linked cyber espionage group commonly known as ‘APT29’ -- which is also sometimes referred to as ‘the Dukes’ or ‘Cozy Bear’ -- has targeted various organisations involved in medical R&D and COVID-19 vaccine development in Canada, the US and the UK throughout 2020.

Per the report, APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organisations globally, including those involved with COVID-19 vaccine development.

WellMess and WellMail have not previously been publicly associated to APT29, it notes.

The NCSC, which is a public facing branch of the UK's GCHQ intelligence agency, said it believes it "highly likely" that the intention of the malware attacks is to steal information and IP related to the development and testing of COVID-19 vaccines.

The findings in the report are also endorsed by Canada’s Communications Security Establishment (CSE) and the US National Security Agency (NSA).

"In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations. The group then deployed public exploits against the vulnerable services identified," the advisory adds.

It concludes by assessing APT29 is "likely" to continue to target organisations involved in COVID-19 vaccine R&D -- as "they seek to answer additional intelligence questions relating to the pandemic".

"It is strongly recommended that organisations use the rules and IOCs [indicators of compromise] in the [report] appendix in order to detect the activity detailed in this advisory," it adds, flagging compromise indicators and detection and mitigation advice contained in the document.

Responding to the advisory the UK government condemned what it called Russia's "irresponsible" cyber attacks against COVID-19 vaccine development.

"It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic," said foreign secretary, Dominic Raab, in a statement. "While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health."

"The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account," he added.

Last month EU lawmakers named Russia and China as states behind major disinformation campaigns related to the coronavirus which they said had targeted Internet users in the region.

The European Commission is working on a pan-EU approach to tackling the spread of damaging falsehoods online.

Russian election meddling

The NCSC advisory follows hard on the heels of an assertion by Raab that Russia attempted to influence the 2019 UK election via the online amplification of leaked documents.

“On the basis of extensive analysis, the government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online amplification of illicitly acquired and leaked government documents,” Raab said in a statement yesterday.

The Guardian reports that UK intelligence agencies have spent months investigating how a 451-page dossier of official emails ended up with the opposition Labour party during the election campaign -- providing an opportunity for then leader Jeremy Corbyn to make political capital out of details related to UK-US trade talks.

Back in 2017 former UK and Conservative prime minister, Theresa May, also warned publicly that Russia was trying to meddle in Western elections. However she failed to act on a series of recommendations from a parliamentary committee that scrutinized the democratic threats posed by online disinformation.

https://platform.twitter.com/widgets.js

The timing of this latest flurry of Russian cyberops warnings from UK state sources is especially interesting in light of a much delayed report by the UK parliament's Intelligence & Security Committee (ISC) into Russia's role in election interference.

Publication of this report was blocked last year on orders of prime minister, Boris Johnson. But, this week, an attempt by Number 10 to install Chris Grayling, a former secretary of state for transport, as chair of the ISC was thwarted after Conservative MP Julian Lewis sided with opposition MPs to vote for himself as new committee chair instead.

Publication of the long delayed Russia report is now imminent, after the committee voted unanimously for it to be released next week before parliament breaks for the summer.

Last November The Guardian newspaper reported that the dossier examines allegations Russian money has flowed into British politics in general and to the Conservative party in particular; as well as looking into claims Russia launched a major influence operation in 2016 in support of Brexit.

In 2017, under pressure from the DCMS committee, Facebook admitted Russian agents had used its platform to try to interfere in the UK’s referendum on EU membership — though it claimed not to have found "significant coordination" of ad buys or political misinformation targeting the Brexit vote.

Last year, former ISC chair, Dominic Grieve, called for the Russia report to be published before election day -- saying it contained knowledge "germane" to voters.

Instead, Johnson blocked publication -- going on to be elected with a huge Conservative majority.