OTTAWA — Canadian, British and U.S. security services say hackers they believe are working for Russian intelligence have been trying to steal research on COVID-19 vaccines from organizations in all three countries and around the world.
Canada's Communications Security Establishment says the malicious cyberactivities were very likely undertaken to pilfer information and intellectual property relating to the development and testing of vaccines for the novel coronavirus.
The cyberspy agency says the clandestine activity is hindering response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic.
The CSE's Centre for Cyber Security assesses that APT29, also known as "the Dukes" or "Cozy Bear," was responsible, and almost certainly operates as part of Russian intelligence services.
"The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, health-care and energy targets for intelligence gain," says a joint advisory from the CSE and its allies.
"APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic."
This assessment is supported by partners at Britain's Government Communications Headquarters' National Cyber Security Centre, the U.S. National Security Agency, and the Department of Homeland Security's Cybersecurity and Infrastructure Security Agency.
The CSE is urging Canadian health organizations to review a technical advisory on the threat and to take any necessary actions to protect themselves. "We encourage them as well to contact the Cyber Centre if they suspect they have been targeted by cyberactors."
The joint advisory says APT29 targeted COVID-19 vaccine research and development by scanning specific computer IP addresses of interest for vulnerabilities, a tactic that can help the group obtain login credentials to systems.
"This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value," the advisory says.
"The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future."
This report by The Canadian Press was first published July 16, 2020.