The Daily Telegraph

We need to throw everything at stopping attacks on our research

By James Titcomb

A vaccine for Covid-19, the holy grail for getting past the pandemic, is the single most important piece of intellectual property that could exist today.

So two things inevitably follow: first, the world’s most sophisticated criminals and rogue states will throw everything they have at trying to steal the research, and second, protecting it is a matter of the utmost priority.

Yesterday’s alert from the National Cyber Security Centre that a Russian hacking group known as APT-29, or Cozy Bear, targeted research institutions developing a vaccine, understood to include Oxford University and Imperial College London, is hardly the first such warning.

In recent months, the US government has accused Chinese and Iranian hackers of trying to steal vaccine research. And Israeli research centres were separately targeted.

In response, the NCSC stepped up attempts to protect Britain’s universities in May. But yesterday, the centre said the hacking campaigns started as early as February, suggesting a window where protections may have been less than needed.

It is easy to see – understandable even – that lab technicians racing towards a scientific breakthrough could be frustrated by the more mundane matter of security. Who among us has not rolled their eyes when IT protocols force us to reset our passwords just as we’re trying to send an urgent email?

No allegation of such a lapse in security standards has yet been made, although the culprit in cyber attacks is so often human error: a person reading their password to an impostor, or clicking a suspicious email link.

Research organisations are not known for prioritising cyber security.

Unfortunately, they now find themselves on the front lines of it.

In this case, we know that the hackers used new and bespoke malicious software, known as “Wellmess” and “Wellmail”. Using targeted messages to obtain logins and software that scanned networks for vulnerabilities, they installed the programs on computer systems, potentially retrieving sensitive files, and sending them back to the hacker.

The most concerning immediate aspect is that some of the software vulnerabilities allegedly exploited by Russia date back to before last October, when the NCSC first warned that universities and healthcare institutions could be targeted. If the essential practice of installing security updates did not happen in the intervening period, we should ask why.

The groups fingered as the culprits for the attack are no amateurs. APT-29 has been going for at least a decade, and was implicated in the hacking of top Democratic party officials’ emails ahead of the 2016 US election.

The attackers are well-funded and highly sophisticated. In protecting Britain’s vaccine research, we need to throw equal resources at stopping them.
