Britain, U.S., Canada accuse Russia of hacking coronavirus vaccine trials

A subject receives a shot in a vaccine trial
A subject receives a shot in the first-stage safety study in the clinical trial of a potential vaccine by Moderna for COVID-19 in Seattle on March 16, 2020.
(Associated Press)

Western governments accused hackers believed to be part of Russian intelligence of trying to steal valuable private information about a coronavirus vaccine on Thursday, calling out the Kremlin in an unusually detailed public warning to scientists and medical companies.

The alleged culprit is a familiar foe. Intelligence agencies in the United States, United Kingdom and Canada alleged that the hacking group APT29, also known as Cozy Bear and blamed for American election interference four years ago, is attacking academic and pharmaceutical research institutions involved in COVID-19 vaccine development.

It was unclear whether any useful information was stolen. But British Foreign Secretary Dominic Raab said, “It is completely unacceptable that the Russian intelligence services are targeting those working to combat the coronavirus pandemic.”


He accused Moscow of pursuing “selfish interests with reckless behavior.”

Sticking to more general language, White House Press Secretary Kayleigh McEnany said, “We worked very closely with our allies to ensure that we would take measures to keep that information safe and we continue to do so.”

The allegation that hackers linked to a foreign government are attempting to siphon secret medical research during the pandemic is not entirely new. U.S. officials as recently as last week have accused China of virtually identical conduct. But the latest public warning was startling for the detail it provided, attributing the targeting by name to a particular hacking group and specifying the software vulnerabilities the hackers have been exploiting.

Also, Russian cyberattacks strike a particular nerve in the U.S., given the Kremlin’s sophisticated campaign to influence the 2016 presidential election.

The coordination of the new warning across continents seemed designed to add heft and gravity to the announcement and to prompt the Western targets of the hackers to protect themselves.

“I think [the governments] have very specific intelligence that they can provide,” said John Hultquist, senior director of analysis at FireEye Mandiant Threat Intelligence. “The report is full of specific operational information that defenders can use” to protect their networks, he said.

Russian President Vladimir Putin’s spokesman, Dmitry Peskov, rejected the accusations, saying: “We don’t have information about who may have hacked pharmaceutical companies and research centers in Britain.”

“We may say one thing: Russia has nothing to do with those attempts,” Peskov said, according to the state news agency Tass.


The U.S. Department of Homeland Security’s cybersecurity agency warned in April that cybercriminals and other groups were targeting COVID-19 research, noting at the time that the increase in people teleworking because of the pandemic had created potential avenues for hackers to exploit.

The persistent attacks are seen as an effort to steal intellectual property rather than to disrupt research. Individuals’ confidential information is not believed to have been compromised.

The accusations come at a tenuous time for relations between Russia and both the U.S. and U.K. Besides political ill will, especially among Democrats, over the 2016 election interference, the Trump administration is under pressure to confront Russia over intelligence information that Moscow offered bounties to Taliban fighters to attack coalition fighters.

House Intelligence Committee Chairman Adam B. Schiff (D-Burbank) said that “it’s clear that Russia’s malign cyberoperations and other destabilizing activities — from financial and other material support to nonstate actors in Afghanistan to poisoning dissidents in democratic countries — have persisted, even when exposed.”

He urged President Trump to condemn such activities.

Relations between Russia and the U.K. have plummeted since former spy Sergei Skripal and his daughter were poisoned with a Russian-made nerve agent in the English city of Salisbury in 2018, though they later recovered. Britain blamed Moscow for the attack, which triggered a round of retaliatory diplomatic expulsions between Russia and Western countries.

More broadly, Thursday’s warning speaks to the vulnerability created by the pandemic and the global race for a vaccine.

Profit-motivated criminals have exploited the situation and so have foreign governments “who also have their own urgent demands for information about the pandemic and about things like vaccine research,” Tonya Ugoretz, an FBI deputy assistant director, said at a cybersecurity conference last month.

“Some of them are using their cyber capabilities to, for example, attempt to break into the networks of those who are conducting this research as well as into nongovernmental organizations to satisfy their own information needs,” Ugoretz said.

The alert did not name the targeted organizations or say how many were affected. But it did say they were in the U.S., U.K. and Canada.

Britain’s National Cyber Security Center said its assessment was shared by the U.S. Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency and the National Security Agency, and by the Canadian Communications Security Establishment.

The vaccine assessment came two years to the day after Trump met with Putin in Helsinki and appeared to side with Moscow over U.S. intelligence agencies about the 2016 election interference. The U.K. statement did not say whether Putin knew about the vaccine research hacking, but British officials believe such intelligence would be highly prized.

A 16-page advisory prepared by Western agencies and made public Thursday accuses the hacking group tied to Russian intelligence services and known colloquially as Cozy Bear of using custom malicious software to target a number of organizations globally. The malware, called WellMess and WellMail, has not been previously associated with the group, the advisory said.

“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified,” the advisory said.

Cozy Bear is one of two hacking groups suspected of separate break-ins of computer networks of the Democratic National Committee before the 2016 U.S. election. Stolen emails were then published by the anti-secrecy website WikiLeaks in what U.S. intelligence authorities say was an effort to aid Trump’s campaign against Democratic rival Hillary Clinton.

A report on Russian election interference by former special counsel Robert S. Mueller III called out another group, Fancy Bear, in the hack-and-leak operation. Cozy Bear, though, operates “quietly gaining access and gathering intelligence,” said Hultquist of the Mandiant cybersecurity firm.

“Their job is good, old-fashioned espionage,” he said.

Separately, Britain on Thursday accused “Russian actors” of trying to interfere in its national election in December by circulating leaked or stolen documents online. Unlike in the vaccine report, the U.K. did not allege that the Russian government was involved in the political meddling.