Cozy Bears and Hidden Cobras: The hackers targeting COVID-19 vaccine researchers
As COVID researchers around the world race to develop vaccines in record times, they're being quietly tailed by spies and thieves.
Secretive crews of cyber-mercenaries and state-sponsored hackers with names like Cozy Bear and Hidden Cobra are watching and waiting.
Last week, the target was the European Medicines Agency, which had confidential documents about the Pfizer vaccine stored on its server.
It's not clear when or how the attack took place, or who was responsible, but it was at least partly successful — some of these documents were unlawfully accessed.
Cyber attacks on COVID researchers have intensified as vaccine research has developed and the honeypot of intellectual property (IP) has grown sweeter, authorities say.
Tim Wellsmore, a director of intelligence for cybersecurity giant FireEye, says COVID researchers worldwide are "absolutely" being targeted.
One of the largest cybersecurity companies in the world, FireEye has 3,000 employees and a list of clients that features major corporations and several Western governments.
"We've got a collection of groups we've seen targeting COVID researchers," Mr Wellsmore said. "The attacking groups are relentless. It's been a busy time."
Australian authorities say COVID researchers here are also being targeted.
The UK has pointed the finger at hackers from Russia; the US and Spain have accused China; others have named North Korea, Iran and Vietnam.
The cybersecurity companies themselves are also being attacked — FireEye was hacked on the day the ABC interviewed Mr Wellsmore.
This was an unprecedented event that sent shockwaves through the cybersecurity industry. Hacking the experts themselves required "top-tier offensive capabilities," the company said.
That could only mean it had been targeted by a nation-state.
The hackers stole the tools the firm normally uses to test the network defences of their own clients. Now there's concern that the hackers could use these tools to attack others.
"Defending against these groups is an ongoing challenge," Mr Wellsmore said.
"It's an ongoing arms race and it'll never end."
What do the attacks look like?
A range of techniques are being used to target COVID researchers, including spear phishing attacks, where an email arrives from an apparently trustworthy source, but instead leads the unknowing recipient to a bogus website full of malware.
In one case, the hackers posed as World Health Organization representatives.
In another, the hackers posed as recruiters on LinkedIn and WhatsApp and approached researchers at pharmaceutical companies, with e-documents containing malicious code embedded in false offers of employment.
"The attacks are as sophisticated as they need to be," Mr Wellsmore said.
"Sometimes someone walks up to the front door and it opens right away. Sometimes people use stupid passwords."
From Maverick Panda to Charming Kitten
Broadly, there are two kinds of hacking groups: those that are state-sponsored and others that focus on attacks for their own financial benefit.
FireEye refers to the first of these as advanced persistent threat (APT) groups and assigns them a number. The other groups, which often work with organised crime, are called FIN groups.
Other security companies have different naming systems. Crowdstrike assigns animal names according to what country they think the group is working for: 'Maverick Panda' is linked with China, 'Fancy Bear' with Russia, and 'Charming Kitten' with Iran.
As a result, one group can go by several names, depending on how widely they're known: FireEye calls Fancy Bear APT28, while to other companies they're Pawn Storm or Strontium.
Though these groups have names, relatively little is known about them — or at least made public.
So long as these groups remain anonymous, the nation-states that back them can deny responsibility for their attacks.
Many of the main attack groups have been operating for at least a decade, engaged in a cat-and-mouse game with the forces tasked with stopping them.
Sometimes, they make a mistake.
"Then we get an insight into where they're operating from," Mr Wellsmore said.
"Sometimes it points to government buildings and sometimes a home address."
"Some are government employees and some may operate from a network of homes as 'guns for hire.'"
Exposing APT1
In 2013, Mandiant, a company now owned by FireEye, published a now-famous report that described in detail the workings of one of these groups.
Unit 61938 had long been suspected of working on behalf of the Chinese government, but China had denied this was the case.
Through forensic analysis Mandiant traced the group back to a nondescript office building in a Chinese city — a building owned by the Chinese army.
What surprised many was the scale of the operation. The 12-storey building had specially installed fibre-optic communications infrastructure and a staff of hundreds or "possibly thousands".
The report even named and published photos of three high-profile members of Unit 61938: hackers with the names UglyGorilla, dota, and SuperHard.
It was the first time a private company had accused a nation-state of sponsoring hackers.
Mandiant designated the group APT1.
Seven years later, the company has named more than 40 APT groups, the majority of them linked with one of China, Russia, Iran, North Korea or Vietnam.
Many of these APT groups have been targeting COVID researchers, Mr Wellsmore said.
They include the Vietnamese group APT32 (also known as OceanLotusGroup), which in early 2020 attempted to hack China's Ministry of Emergency Management in order to learn more about the Wuhan epidemic, according to FireEye.
"We've also seen threat groups we attribute to China — APT41 — and some others that we don't have numbers for," Mr Wellsmore said.
Other groups accused of targeting COVID researchers — either by cybersecurity companies or government agencies — include Fancy Bear and Cozy Bear (APT28 and APT29).
These groups are well known in security circles. Fancy Bear is accused of hacking the Democratic party computers in the run-up to the 2016 presidential election.
The North Korean group known as Hidden Cobra, Lazarus or APT38 has also been active.
A steady patter of automated attacks
In fact, APT groups and other hackers are constantly knocking on the "front doors" of IT systems of corporations and research facilities, testing the defences.
This was the case long before COVID.
Though attacks only occasionally make the news, they happen all the time: a steady patter of malware, viruses and other attempts to breach defences to see what's inside.
So are COVID researchers actually being targeted, or is this a misinterpretation of what are actually random, opportunistic strikes?
It was a bit of both, the Australian Cyber Security Centre (ACSC) said in a statement.
Research facilities and health sector organisations had been targeted before the pandemic, but the pandemic had also provided "new opportunities" for targeting, a spokesperson said.
"The ACSC is providing cybersecurity technical advice and guidance to organisations involved in COVID-19 vaccine research, manufacture, distribution and supply chain management," they said.
Sergei Shevchenko, the chief technology officer at Australian cybersecurity company Prevasio, said it was hard to sort targeted attacks from random ones.
Many attacks are automated — as soon as a server goes online it gets bombarded.
"From the moment you put it online, within two minutes, it will immediately start attracting heat of all sorts," he said.
"There are systems set up to automatically scan [server] addresses and exploit them, and then you can buy access to that server... It's the world we're living in. Cyberspace is very busy."
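The "heat" Mr Shevchenko describes is visible in a server's own authentication log: within minutes of a host going online, automated scanners start trying logins from addresses that have no business with it. The script below, an added example that is not from the article or from Prevasio, parses constructed sshd log lines (syslog format, placeholder addresses) and measures how long the host was online before the first probe, how many failed attempts each source made, and which sources cross a block-list threshold.

```python
"""Measure how quickly a freshly exposed host starts drawing automated probes,
using constructed sshd auth-log lines (not real logs)."""
import re
from collections import Counter
from datetime import datetime

# Constructed: the moment the host was connected to the internet.
BOOT_AT = datetime(2020, 12, 14, 9, 0, 0)

# Constructed sample in /var/log/auth.log style. 203.0.113.0/24, 198.51.100.0/24
# and 192.0.2.0/24 are documentation ranges, not real scanners.
SAMPLE_LOG = """\
Dec 14 09:00:41 vm1 sshd[812]: Invalid user admin from 203.0.113.7 port 51234
Dec 14 09:00:43 vm1 sshd[814]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Dec 14 09:01:10 vm1 sshd[820]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 14 09:01:11 vm1 sshd[820]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 14 09:01:12 vm1 sshd[820]: Failed password for root from 198.51.100.23 port 40022 ssh2
Dec 14 09:05:30 vm1 sshd[901]: Accepted publickey for ops from 192.0.2.10 port 50000 ssh2
Dec 14 09:07:02 vm1 sshd[955]: Failed password for invalid user oracle from 203.0.113.7 port 51900 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<kind>Failed password|Invalid user|Accepted \w+) .*?from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)
PROBE_KINDS = {"Failed password", "Invalid user"}


def parse_events(log, year):
    """Return a list of (timestamp, kind, source_ip) tuples for sshd lines.
    Syslog timestamps carry no year, so the caller supplies it."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S").replace(year=year)
        events.append((ts, m.group("kind"), m.group("ip")))
    return events


def seconds_to_first_probe(events, boot_at):
    """Seconds between going online and the first failed or invalid login."""
    probes = [ts for ts, kind, _ in events if kind in PROBE_KINDS]
    return int((min(probes) - boot_at).total_seconds()) if probes else None


def probes_by_source(events):
    """Count failed/invalid login attempts per source address."""
    return Counter(ip for _, kind, ip in events if kind in PROBE_KINDS)


def noisy_sources(events, threshold):
    """Sources with at least `threshold` failed attempts: candidates for a
    fail2ban-style block or for an alert when they later succeed."""
    return {ip for ip, n in probes_by_source(events).items() if n >= threshold}


if __name__ == "__main__":
    ev = parse_events(SAMPLE_LOG, BOOT_AT.year)
    print("first probe after", seconds_to_first_probe(ev, BOOT_AT), "seconds")
    print("attempts per source:", dict(probes_by_source(ev)))
    print("sources over threshold:", sorted(noisy_sources(ev, 3)))
```

On the constructed log the first probe lands 41 seconds after boot, two sources each make three failed attempts, and the one successful public-key login from the operator's address is not counted as a probe. Distinguishing this background noise from a targeted campaign is exactly the problem the article raises: volume alone says little, so a successful login from an address that previously appeared in the noisy set is the event worth alerting on.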
Mr Shevchenko said APT groups sometimes plant "false flags" in order to frame groups linked to other countries.
The Lazarus group, for example, sometimes pretends to be Russian.
"Lazarus are very clumsy at planting Russian flags," he said.
"They use a number of Russian words in the source code.
"For a native Russian speaker like myself, I can tell they're from Google Translate."
Have the attacks on COVID researchers been successful?
For all the attention given to hackers targeting COVID researchers, there's little evidence these attacks have been successful. The attack on the European Medicines Agency was one of the first where the target — Pfizer — admitted documents had been stolen.
Even so, we don't know how useful these documents were.
Companies and governments often won't even report a breach, for fear of reputational damage. Other times, the hackers are simply too clever to be noticed.
"Whatever pops up in the news is the tip of the iceberg," Mr Shevchenko said.
In 2018, FireEye reported the average dwell-time of intrusions (the time before the intrusion was detected) was 71 days in the US, and 204 days in the Asia Pacific.
"Sometimes we only see the campaign — we don't see if it's been successful," Mr Wellsmore said.
Robert Potter, an Australian cybersecurity expert hired by the US Department of State as an expert on North Korea's cyber capability, said there was no evidence that hackers had stolen useful COVID data.
"I haven't heard reports and I think I would know," he said.
It remains to be seen whether any country has significantly benefited from COVID information stolen by its APT groups.
What is clear, though, is that the value of COVID vaccine IP is going up with the death toll.
Pfizer and BioNTech have developed the only vaccine that — so far — has been approved for emergency use in the UK and the US. They stand to make US$13 billion worldwide.
Reproduced from: Cozy Bears and Hidden Cobras: The hackers targeting COVID-19 vaccine researchers - ABC News