Hackers linked to Russian intelligence services are trying to steal information about coronavirus vaccine research in the U.S., Canada and the U.K., security officials said Thursday.
Officials said a group known as APT29 — also known as "Cozy Bear" — was likely to blame for the attack. They said the group, which is believed to be associated with Russian intelligence, used spear phishing and custom malware to target vaccine researchers.
The U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency, the National Security Agency, Canada's Communications Security Establishment and the U.K.'s National Cyber Security Centre joined forces in accusing Russia of the hacking campaign.
"It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic," U.K. Foreign Secretary Dominic Raab said in a statement. "While others pursue their selfish interests with reckless behaviour, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health."
"We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic," said Paul Chichester, director of operations for the U.K.'s National Cyber Security Centre, or NCSC. "Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector."
"We would urge organisations to familiarise themselves with the advice we have published to help defend their networks."
Kremlin spokesman Dmitry Peskov rejected the allegations Thursday, according to the state-owned TASS news agency. Peskov said that Russia had nothing to do with alleged cyberattacks on pharmaceutical firms and research institutions, adding that the claims were not backed by proper evidence.
The group of hackers used spear-phishing to "obtain authentication credentials to internet-accessible login pages for target organizations," the NCSC said in a report Thursday. Spear-phishing is a technique in which cybercriminals send messages that appear to come from a trusted source in order to get their victim to reveal sensitive information.
They also used custom malware known as "WellMess" and "WellMail," according to the NCSC, which said such tools had not previously been associated with APT29. Officials did not identify any of the organizations that had been targeted.
"Covid-19 is an existential threat to every government in the world, so it's no surprise that cyber espionage capabilities are being used to gather intelligence on a cure," said John Hultquist, senior director of intelligence analysis at Mandiant Threat Intelligence.
APT29 was implicated alongside another hacker group, Fancy Bear, in the 2016 cyberattack on the Democratic National Committee. Fancy Bear is believed to be associated with Russian military intelligence agency GRU.
"The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research. We've also seen significant Covid-related targeting of governments that began as early as January," Hultquist added.
Earlier Thursday, Raab said it was "almost certain" that Russian actors attempted to interfere in Britain's 2019 general election. His statement comes after the U.K. Parliament's Intelligence and Security Committee agreed to publish a long-delayed report on Russian influence in British politics in the next week.
Russia also slapped down allegations of meddling in the U.K. election, labeling them "foggy and contradictory," according to Reuters, which cited Foreign Ministry spokeswoman Maria Zakharova.