Kremlin’s Cozy Bears sought to get their claws into vaccine test secrets
Britain, US and Canada call out Moscow’s attempts to steal valuable research into treatment for Covid-19
Robert Mendick,
Bill Gardner, James Cook
Nataliya Vasilyeva
THE Kremlin was cock-a-hoop. Vaccine trials for Covid-19, funded by Russia’s sovereign wealth fund, had gone so well at two separate institutions that Vladimir Putin could look forward to announcing the world’s first approved vaccine for the virus by the end of the year.
Kirill Dmitriev, the chief executive of the powerful Russian Direct Investment Fund and a close ally of President Putin, announced at a press conference in Moscow yesterday that advanced phase III trials will begin next month with a plan to produce 30 million doses of Covid-19 vaccine by December. Lucrative manufacturing deals had been signed with five other countries, said Mr Dmitriev, to produce a further 170 million doses.
Almost 2,000 miles away in London, just as Russia was boasting of its breakthrough, intelligence agencies in the UK were painting a different picture, announcing that they had uncovered a plot by “Russian actors” that has targeted “coronavirus vaccine development” in the UK, the US and Canada.
The National Cyber Security Centre (NCSC), a branch of GCHQ, said it had found evidence that a cyber hacking group, Advanced Persistent Threat 29 (APT29) known colloquially in the cyber sphere as Cozy Bear, had attempted to steal vaccine secrets being developed in the UK at both the University of Oxford and Imperial College London. Cozy Bear is run by Russian intelligence agencies, either the SVR (equivalent to MI6) or the domestic FSB (formerly the KGB).
The prize is clear because any country that produces a Covid-19 vaccine first will have a huge advantage in getting their economy fully functioning before any other.
APT29 had also tried to hack into vaccine research centres in the US and Canada and yesterday the three countries decided they had had enough and chose to “call out” the Russians. Intelligence agencies were guarded about the success of the attacks, which have been launched regularly since they first started trying to find a vaccine.
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said Paul Chichester, NCSC Director of Operations, in a rare intervention.
A source said: “APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property.”
The NCSC gave a large amount of detail, even releasing the “digital fingerprints” of the tools used by the Cozy Bear hackers in an attempt to help research institutions update their cyber defences to protect themselves against similar attacks.
That information released yesterday included the IP addresses of servers used by the Russian hackers to control their software, as well as other snippets of code that cybersecurity experts can use to update their networks to automatically scan for and remove the malware.
Experts said the attacks were sophisticated, reliant on funding from Russian intelligence to develop Cozy Bear’s cyber weaponry. Cozy Bear had developed two new forms of malicious software, Wellmess and Wellmail, which allowed them to silently search for data and funnel them out of the university computer systems without raising alarms.
Wellmess acts as a portal to smuggle out stolen documents while Wellmail sends hackers information on the username of whoever is logged in to a computer. The software had never publicly been named or examined until the discovery of the coronavirus hacking attempts.
Whitehall sources said there was “nothing audacious” about the attacks. The hackers have been operating from the safety of Russian soil. “This is a classic Russian modus operandi of trying to steal our intellectual property,” said a Whitehall security source.
Reports have suggested the Cozy Bear hackers work from office blocks in St Petersburg and in Moscow as well as universities. The Putin regime has for years recruited thousands of promising young computer programmers who could use their expertise for hacking into computer systems in other countries and yesterday investigators working within GCHQ, NCSC and MI5 were confident enough to declare for the first time that Cozy Bear is an offshoot of Russian intelligence.
The hackers strike by testing vulnerable systems and finding weak points.
They can send out “spear phishing” emails which impersonate someone the target knows, such as their manager or a university IT administrator.
According to experts, these fake emails tricked targets into logging on to websites that appear to be legitimate university web pages but are actually cleverly designed fakes. When university researchers logged into the pages, they gave their usernames and passwords to Russian hackers.
The hackers also frequently scanned the internet in search of stolen passwords and saved up a large database in case they ever became useful for future hacking campaigns.
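The two defensive levers the article mentions are the published indicators (server addresses that security teams can scan their networks for) and awareness of fake login pages that harvest usernames and passwords. The script below is an added example, not code from the article or from the NCSC, showing how a university security team might run both checks over its web-proxy logs. Every indicator, hostname, username and log line in it is constructed for the example (the IP addresses are from documentation ranges, not real command-and-control servers), and the log format is an assumed one.

```python
import re
from urllib.parse import urlsplit

# Constructed indicator set. In practice these would be loaded from the
# published advisory; the values here are placeholders from TEST-NET ranges.
C2_IPS = {"203.0.113.10", "198.51.100.77"}

# Hosts where staff are genuinely expected to enter credentials (constructed).
LEGIT_LOGIN_HOSTS = {"login.example-uni.ac.uk", "sso.example-uni.ac.uk"}
LEGIT_SUFFIX = ".example-uni.ac.uk"

# Brand words a fake login page typically borrows to look legitimate.
BRAND_WORDS = ("example-uni", "login", "sso")

# Assumed proxy-log layout: timestamp user src_ip method url dst_ip
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\S+)$")


def lookalike(host):
    """True when a hostname borrows the brand words but is not a real university host."""
    if host in LEGIT_LOGIN_HOSTS or host.endswith(LEGIT_SUFFIX):
        return False
    return any(word in host for word in BRAND_WORDS)


def classify(line):
    """Return (verdict, detail) for one proxy-log line.

    Verdicts, from most to least serious:
      c2_indicator     - traffic to a published command-and-control address
      credential_phish - a POST (form submission) to a lookalike login host
      lookalike_visit  - a visit to a lookalike host without a submission
      ok               - nothing matched
      unparsed         - line did not fit the assumed format
    """
    match = LOG_RE.match(line.strip())
    if not match:
        return ("unparsed", line)
    _ts, user, src, method, url, dst = match.groups()
    host = (urlsplit(url).hostname or "").lower()
    if dst in C2_IPS or host in C2_IPS:
        return ("c2_indicator", f"{user}@{src} -> {dst}")
    if method == "POST" and lookalike(host):
        return ("credential_phish", f"{user} submitted a form to {host}")
    if lookalike(host):
        return ("lookalike_visit", f"{user} visited {host}")
    return ("ok", host)


def triage(lines):
    """Count verdicts across a batch of log lines."""
    counts = {}
    for line in lines:
        verdict, _ = classify(line)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample log: one normal login, one phishing sequence, one C2 contact.
SAMPLE_LOG = [
    "2020-07-16T09:01:02 rsmith 10.0.0.5 GET https://login.example-uni.ac.uk/ 192.0.2.20",
    "2020-07-16T09:03:40 rsmith 10.0.0.5 GET http://example-uni-login.com/sso 198.51.100.9",
    "2020-07-16T09:04:11 rsmith 10.0.0.5 POST http://example-uni-login.com/sso 198.51.100.9",
    "2020-07-16T11:20:00 jdoe 10.0.0.9 GET https://203.0.113.10/ 203.0.113.10",
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(classify(entry))
    print(triage(SAMPLE_LOG))
```

The order of checks matters: a hit on a published indicator is reported before anything else, and a form submission to a lookalike host is treated as a probable credential loss (prompting a password reset) rather than merely a suspicious visit.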
It is not as though Oxford wasn’t aware of the threat. The vaccine research is being carried out at the Jenner Institute, on the edge of Oxford. Last month, Prof Adrian Hill, director of the Jenner Institute and co-leader of the Oxford vaccine project, told The Telegraph that his team were regularly targeted by “nuisance people” sending phishing emails.
The NCSC, Prof Hill said, was helping the university to defend its research from cyber attackers.
“There are serious IT people who are giving us a huge amount of priority. Guards had been placed at entrances to the building. I guess they’re stopping anyone who might want to break in and steal the vaccine, which we could take as a compliment, I suppose,” he said. “But the main issue is data security. We take it extremely seriously.”
Cozy Bear has spent years honing its skills and has become particularly adept at breaking into organisations in search of classified information.
Cozy Bear first came to public attention when hackers broke into an American research organisation and planted what appeared to be an innocent-looking video of monkeys wearing shirts and ties. But when amused employees shared the video, the file spread malware inside networks that gave hackers access to secret files.
In 2014, the Dutch secret services hacked into the security camera system used in a Moscow university building that housed members of Cozy Bear. Dutch spies watched them plan an attack on a US government network which was subsequently thwarted.
In 2016 Cozy Bear hacked into the US Democratic National Committee alongside a rival Russian group, Fancy Bear. The hack may have changed the course of the US presidential election. After that Cozy Bear went quiet for a couple of years before targeting Eastern European countries. It is unclear if the attempts were successful.
There are two rival teams developing coronavirus vaccines in Russia, one at the Gamalei National Research Centre for Epidemiology and Microbiology and another at the Sechenov First Moscow State Medical University. Sechenov is backed by the Russian health ministry while the trials at the reputable Gamalei Institute are funded by Russia’s sovereign wealth fund.
Russia has denied responsibility. “We do not have information about who may have hacked into pharmaceutical companies and research centres in Great Britain. We can say one thing – Russia has nothing at all to do with these attempts,” said Dmitry Peskov, a spokesman for President Putin.