Russian hackers targeting healthcare orgs for coronavirus vaccine info

British, Canadian and U.S. intelligence agencies released a statement saying the group is "almost certainly" part of the Russian intelligence services.
By Kat Jercich
12:57 PM

The United Kingdom's National Cyber Security Centre said in an advisory Thursday that Russian hackers are targeting organizations involved in coronavirus vaccine development and testing.

The statement, which was endorsed by the U.S. and Canadian governments, said that the hacking group uses a variety of methods "to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain."

According to the NCSC, throughout 2020, the hackers – known as APT29, "the Dukes" or "Cozy Bear" – have zeroed in on organizations working on the COVID-19 vaccine in the United States, the United Kingdom and Canada.


It is highly likely that APT29 has acted "with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines," said the NCSC assessment.

"The United Kingdom's National Cyber Security Centre and Canada's Communications Security Establishment assess that APT29 ... is a cyber espionage group, almost certainly part of the Russian intelligence services. The United States' National Security Agency agrees with this attribution and the details provided in this report," according to NCSC.

"Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection," said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, in a statement.

"Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target," he said.

The group's techniques, as outlined in the NCSC report, include using publicly available exploits to scan and exploit vulnerable systems, spear-phishing for authentication credentials, seeking to obtain legitimate credentials once initial access is gained and deploying custom malware.

Cybersecurity threats to healthcare organizations have increased amidst the pandemic, with hasty rushes to cloud hosting and telemedicine implementation acting as "blood in the water" – as one expert put it – for criminals. A thirst for the latest COVID-19 knowledge can also make people less cautious about opening emails from apparently trustworthy sources.

"APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic," read the report.

"COVID-19 is an existential threat to every government in the world, so it's no surprise that cyber espionage capabilities are being used to gather intelligence on a cure. The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research," said Hultquist in his statement. "We've also seen significant COVID-related targeting of governments that began as early as January."

Kat Jercich is senior editor of Healthcare IT News.
Twitter: @kjercich
Healthcare IT News is a HIMSS Media publication.
