How Russia’s Cozy Bear hunted for coronavirus vaccine secrets
Investigators working within GCHQ, NCSC and MI5 declare for first time that organisation is an offshoot of Russian intelligence
The Kremlin was cock-a-hoop. Vaccine trials for coronavirus, funded by Russia’s sovereign wealth fund, had gone so well at two separate institutions that Vladimir Putin could look forward to announcing the world’s first approved vaccine for the virus by the end of the year.
Kirill Dmitriev, the chief executive of the powerful Russian Direct Investment Fund, a close ally of President Putin, announced at a press conference in Moscow on Thursday that advanced Phase III trials would begin next month, with a plan to produce 30 million doses of coronavirus vaccine by December.
Lucrative manufacturing deals had been signed with five other countries to produce a further 170 million doses, said Mr Dmitriev.
Almost 2,000 miles away in London, just as Russia was boasting of its breakthrough, intelligence agencies in the UK were painting a different picture, announcing that they had uncovered a plot by “Russian actors” that has targeted coronavirus vaccine development in the UK, the US and Canada.
The National Cyber Security Centre (NCSC), a branch of GCHQ, said it had found evidence that a cyber hacking group – Advanced Persistent Threat 29 (APT29), better known in the cyber sphere as Cozy Bear – had attempted to steal vaccine secrets being developed in the UK at both the University of Oxford and Imperial College London.
Cozy Bear is run by Russian intelligence agencies, either the SVR (equivalent to MI6) or the domestic FSB (formerly the KGB).
The prize is clear, because any country that produces a coronavirus vaccine first will have a huge advantage in getting their economy fully functioning before any other.
APT 29 had also tried to hack into vaccine research centres in the US and Canada, and on Thursday, the three allied countries decided they had had enough and chose to call out the Russians.
Intelligence agencies were guarded about the success of the attacks, which have been launched regularly since the centres first started trying to find a vaccine.
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said Paul Chichester, NCSC Director of Operations, in a rare intervention in the normally secret world in which the intelligence agencies operate.
A source said: “APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property.”
Russian hacking incidents
- July 2015Email accounts belonging to Islam TV, a UK-based station, are accessed. The UK’s National Cyber Security Centre (NCSC) says it has “high confidence that the GRU was almost certainly responsible”.
- June-July 2016The United States’ Democratic National Committee (DNC) is hacked, and its documents were published online. The UK’s NSCS says it believes Russian intelligence services are responsible.
- November 2016Election systems in all 50 US states are targeted by Russia, in a hack that was undetected by the states and federal officials at the time.
- June 2017On the day of the 2017 General Election, Russian hackers use fake Microsoft Word documents to break into the computers of people working in the UK energy industry.
- August 2017A number of medical files of international athletes are released after the World Anti-Doping Agency (Wada) is hacked. The NCSC says that Russia’s GRU was almost certainly responsible.
- October 2017Home and small business routers worldwide are infected with malware. The UK Government says the infection could have allowed attackers to control infected devices.
- March 2018The US government releases a report that accuses Russia of a hacking campaign to infiltrate the United States’s “critical infrastructure”: power plants, nuclear generators, and water facilities.
- March 2018Russia’s GRU carries out an attempted “spearfishing” attack on the Foreign Office, the UK Government says, but is repelled.
- April 2018The Ministry of Defence’s Porton Down laboratory are targeted in the wake of the Skripal poisoning in Salisbury. The facility is used to analyse samples from the incident.
- October 2018The GRU is again accused of carrying out a swathe of attacks in the UK and abroad on political institutions, financial systems, transport networks and the media.
- November 2019Jeremy Corbyn brandishes hacked documents from the UK Government as part of Labour’s election campaign. A statement released by Dominic Raab, the Foreign Secretary, yesterday accused “Russian actors” of amplifying the documents
Hackers launched ‘sophisticated’ attacks
The NCSC gave a large amount of detail, even releasing the “digital fingerprints” of the tools used by the Cozy Bear hackers in an attempt to help institutions update their cyber defences to protect themselves against similar attacks.
That information, released on Thursday, included the IP addresses of servers used by the Russian hackers to control their software, as well as other snippets of code which cybersecurity experts can use to update their networks to automatically scan for and remove the malware.
Experts said the attacks were sophisticated, reliant on funding from Russian intelligence to develop Cozy Bear’s cyber weaponry. Cozy Bear had developed two new forms of malicious software – WellMess and WellMail – which allowed them to silently search for research data and funnel it out of the university computer systems without raising alarms.
WellMess acts as a portal to smuggle out stolen documents, while WellMail sends hackers information on the username of whoever is logged in to a computer.
The software had never publicly been named or examined until the disclosure of the coronavirus hacking attempts.
Whitehall sources said there was “nothing audacious” about the attacks. In stark contrast to the Kremlin-sanctioned, attempted assassination in Salisbury of Sergei Skripal using military-grade nerve agent, the hackers have been operating from the safety of Russian soil.
“This is a classic Russian modus operandi of trying to steal our intellectual property,” said a Whitehall security source.
Group declared Russian intelligence offshoot
Reports have suggested the Cozy Bear hackers work from office blocks in St Petersburg and Moscow, as well as universities.
The Putin regime has for years recruited thousands of promising young computer programmers who could use their expertise for hacking into computer systems in other countries, and on Thursday, investigators working within GCHQ, NCSC and MI5 were confident enough to declare for the first time that Cozy Bear is an offshoot of Russian intelligence.
The hackers strike by testing vulnerable systems and finding weak points. They can send out so-called “spear phishing” emails which impersonate someone the target already knows, such as their manager or a university IT administrator.
According to experts, these fake emails tricked targets into logging on to websites which appear to be legitimate university web pages but are actually cleverly designed fakes.
When university researchers logged on to the fake pages, they handed their usernames and passwords to Russian hackers.
The hackers also frequently scanned the internet in search of any stolen passwords and saved up a large database of stolen credentials in case they ever became useful for future hacking campaigns.
British vaccine experts knew of cyber threat
It is not as though Oxford wasn’t aware of the threat. The vaccine research is being carried out at the state of the art Jenner Institute, on the edge of Oxford and a couple of miles from the historic university centre.
Last month, Professor Adrian Hill, the director of the Jenner Institute and the co-leader of the Oxford vaccine project, told The Telegraph that his team were regularly targeted by “nuisance people” sending so-called “phishing” emails.
The NCSC, he said, was helping the university defend its research from cyber attackers.
“You know, there are serious IT people who are giving us a huge amount of priority,” he said. “We treat it very carefully.”
Guards had been placed at entrances to the building. “I guess they’re stopping anyone who might want to break in and steal the vaccine, which we could take as a compliment, I suppose,” he said. “But the main issue is data security. We take it extremely seriously.”
Hack ‘may have changed the course of US presidential election’
Cozy Bear has spent years honing its skills, and has become particularly adept at breaking into organisations in search of classified information.
It first came to public attention when hackers broke into an American research organisation and planted what appeared to be an innocent-looking video of monkeys wearing shirts and ties. But when amused employees shared the video, in the background the file spread malware inside networks that gave hackers access to secret files.
In 2014, the Dutch secret services pulled off an audacious intelligence coup by hacking into the security camera system used in a Moscow university building that housed members of Cozy Bear. Dutch spies watched them plan an attack on a US government network which was subsequently thwarted.
It didn’t stop the group and, in 2016, Cozy Bear hacked into the US Democratic National Committee alongside a rival Russian group, Fancy Bear. The hack may have changed the course of the US presidential election. After that, Cozy Bear went quiet for a couple of years before targeting Eastern European countries.
It is unclear whether the attempts to steal vaccine secrets were successful. There are currently two rival research teams developing coronavirus vaccines in Russia – one at the Gamalei National Research Centre for Epidemiology and Microbiology and another at the Sechenov First Moscow State Medical University.
Sechenov is backed by the Russian health ministry, while vaccine trials at the Gamalei Institute are funded by Russia’s sovereign wealth fund. The Gamalei Institute, it should be stressed, is a reputable research centre.
Russia has denied responsibility. “We do not have information about who may have hacked into pharmaceutical companies and research centres in Great Britain,” said Dmitry Peskov, a spokesman for President Putin.
“We can say one thing – Russia has nothing at all to do with these attempts.”