Hackers 'try to steal Covid vaccine secrets in intellectual property war'

Agencies point finger at state-sponsored hackers from China, Russia, Iran and North Korea

State-sponsored hackers from China, Russia, Iran and North Korea are engaged in concerted attempts to steal coronavirus vaccine secrets in what security experts describe as “an intellectual property war”.

They accuse hostile-state hackers of trying to obtain trial results early and seize sensitive information about mass production of drugs, at a time when a range of vaccines are close to being approved for the public.

Previously the hackers’ primary intention was to steal the secrets behind the design of a vaccine, with hundreds of drug companies, research labs and health organisations from around the world targeted at any one time.

The cyber struggle involves western intelligence agencies, including Britain’s National Cyber Security Centre, who say they are committed to protecting “our most critical assets”. But they discuss only a fraction of their work in public.

Instead they work behind the scenes with drug companies, research labs and cybersecurity specialists, who are more easily able to describe the everyday hacking attempts in what amounts to a worldwide battle.

Adam Meyers, senior vice-president at the IT security specialists Crowdstrike, said countries including Russia and China had been engaged in hacking western companies and agencies “for the past 20 years”, but since March had “become focused on one topic”, referring to Covid-19.

“What you are seeing here is the latest stage in a long-running intellectual property war, but one where there is much more at stake to those involved. This has become a matter of national pride – who can develop vaccines first.”

Yet, western governments remain reluctant to point the finger of blame in all cases of hacking attacks for fear of diplomatic repercussions, with the UK, for example, particularly cautious about accusing China.

All of the countries accused deny involvement in hacking. Russia has said it has “no knowledge” of hacking attempts, while China has argued its vaccine research is so far ahead it has “no need to steal what others are doing”. Iran denies engaging in cyberwarfare.

Experts in the private and public sector argue otherwise, saying that state-sponsored hacker groups typically have links to spy or defence agencies. This year, the UK’s National Cyber Security Centre said Covid vaccine research labs were being targeted in the UK, US and Canada by Cozy Bear Russian state hackers linked to the FSB internal security agency.

Western experts add that attacks come as frequently from China, Iran and North Korea. In September, Chinese hackers were accused by Spain of stealing Covid research secrets from labs in a “particularly virulent” campaign.

Hackers linked to Iran were accused of trying to steal secrets from US drugmaker Gilead Research in May, in one instance using a fake email log-in page to try to lure a senior executive into giving access to company systems.

British sources indicate they do not believe there has been a successful hack against UK targets – although the assertion is impossible to prove – but it is acknowledged that some cyber-attacks have been successful around the world.

The trend has, however, changed, with hostile-state hackers increasingly targeting production methods and data around the success of trials. It is the kind of information considered of huge importance to nation states as a number of vaccines are poised for global rollout.

Drug companies are typically well-resourced and defended, but some academic institutions less so and researchers have to be educated about the risks, security experts said. “Sometimes researchers are quite surprised when you tell them what can go on,” one IT security specialist added.

Typical attacks include “password spraying” – a simple method used particularly by Russian actors – where generic passwords such as “password123” or “2020” followed by a common word are tried out on large numbers of accounts.

More sophisticated is the use of “spear phishing” – creating personally targeted emails that invite a person to click a link that installs malware into a company system. It could come in the guise of a Covid-related news item or a message from a would-be recruiter.

At the end of last week, Microsoft said it had detected cyber-attacks from “three nation-state actors targeting seven prominent companies” who were directly involved in researching vaccines and treatments for Covid-19.

Two were judged to have come from North Korea, which used spear phishing lures. One sent “fabricated job descriptions pretending to be recruiters” while the second tried to lure researchers “while masquerading as a World Health Organization representative”, according to Tom Burt, a corporate vice-president.

Actors linked to China have also tried to recruit people via LinkedIn, typically posing as an Anglicised young woman with a western first name and a Chinese surname, targeting older men. The hackers pose as a recruiter and try to start a dialogue, eliciting further information that could lead to a phishing attack.

The tactics employed by criminal gangs, who typically threaten to cripple a company’s systems or who encrypt corporate data and demand money for it to be restored in a ransomware attack, have not been used. There is also no evidence of a black market in vaccine secrets.

Jamie Collier, a cyberthreat intelligence consultant at IT security firm FireEye Mandiant, said at state level the focus is “information theft, data exfiltration” in attacks that develop gradually over several phases once entry to a system is achieved. “We don’t see state actors exhibiting a destructive element,” he added.

Martin McKee, a professor of public health at the London School of Hygiene and Tropical Medicine, said he wondered why some states tried to steal vaccine secrets given that so much information about Covid research was put into the public domain.

But he acknowledged that some countries placed a high value on developing hacking capabilities and liked to deploy them. “One plausible interpretation is that these people are doing it simply because they can,” he added.


Dan Sabbagh Defence and security editor
