State-sponsored hackers have been targeting COVID-19 vaccine research data in Britain, and the victims and their allies are livid.

The Russian hacking group APT29 has been accused by a coalition of national security services, including the UK's National Cyber Security Centre (NCSC), of attempting to steal Britain's COVID-19 vaccine research through a state-sponsored cyberattack.

The British media reported that the group had used spear-phishing attacks against influential individuals in an attempt to obtain vaccine research. The NCSC stated that the hackers "almost certainly" operated as "part of Russian intelligence services".

The official state warning was published by an international group of security services:

  • the UK's National Cyber Security Centre (NCSC)
  • Canada's Communications Security Establishment (CSE)
  • the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA)
  • the US National Security Agency (NSA)

According to David Higgins, technical director at CyberArk: "It's no surprise to see organizations conducting research into a COVID-19 vaccine being targeted by cyberattackers. Since March, both the NCSC and the World Health Organisation (WHO) have advised of criminals using the pandemic to target employees in both the public and private sector through coordinated phishing and spear-phishing attacks".

Higgins noted that the trend is likely to continue throughout the year. State-sponsored attackers are particularly adept at combining existing, unsophisticated but proven tactics with new techniques to exfiltrate intellectual property, rather than only targeting personally identifiable information or other sensitive data. "Their motive is often to gain competitive advantage, whether by destabilization, experimentation, information wars, or policy influence, as is possible in this case."

Another view came from Tom Kellermann, Head of Cybersecurity Strategy at VMware Carbon Black: "APT29 has historically been linked to Russia, which has set a clear precedent of launching cyberattack campaigns against the West. Russia's alleged interference in the 2016 U.S. Election is, of course, the prime example of a coordinated attack campaign against the US's critical infrastructure. In this latest, alleged campaign, Russia appears to be following a playbook all too common for cybercriminals—take advantage of a nefarious opportunity. Tactically, it appears Russia has evolved its attacks to bypass perimeter defenses through the use of custom malware and island-hopping through supply chains of the victim organizations."

Kellermann said that overall cyberattacks and ransomware-specific attacks have both increased by triple digits during the pandemic. "These spikes are often directly tied to major events in the COVID-19 news cycle. And, while attribution matters on a geopolitical scale, the primary focus for organizations, particularly in the West, should not be on who is launching these attacks and, rather, what can be done and what kind of security technology can be leveraged to see and stop these attacks before they can cause damage."

According to CyberArk's Higgins, nation-state attacks will probably involve exploiting known vulnerabilities and reusing existing malware to harvest credentials and data, partly to disguise the source of the attack: that is, to pass themselves off as ordinary cyber criminals. "Nation states, just like less well-funded attackers, will often revert to the path of least resistance: the attacks that the NCSC are reporting bear all the hallmarks of a multitude of previous attempts that have affected the private and public sector. That is to say, exploiting people or a known vulnerability, then seeking to use valid credentials to access the systems or data they are targeting."