What UK Government is – and isn’t – saying about coronavirus vaccine hacking

There was a predictably pusillanimous BBC interview by Security Minister James Brokenshire on Friday regarding allegations that Russian state hackers attacked companies working on coronavirus vaccines.

Brokenshire didn’t name the companies involved, nor did he confirm whether the hacks were successful. This is pretty typical of cybersecurity announcements: they flag up the threat, and provide lots of technical detail, but stop short of revealing what actually happened.

And of course, all of this must be read in the context of the expected release next week of a long-awaited report into Russian interference in UK politics – more on that below.

But a close reading of the UK’s National Cyber Security Centre advisory document on the matter throws up some interesting insights.

Firstly, the NCSC claims the hacks are the work of the so-called Cozy Bear group, AKA APT 29, which many Western intelligence agencies believe is a branch of the Russian SVR foreign intelligence agency.

If so, this is a formidable adversary, as I’ve outlined in my forthcoming book. During the 2016 US Presidential election, the Democratic Party was infiltrated by not one, but two different hacking groups. The now-famous Fancy Bear gang were aggressive, noisy, and got spotted within a few weeks. Its alleged members and tactics were mapped out in a giant FBI indictment.

Cozy Bear, by contrast, had been quietly lurking on the Democrats’ networks for perhaps a year or more before Fancy Bear turned up (having previously hacked into the White House, State Department and Joint Chiefs of Staff). Yet even when their alleged colleagues were outed, barely anything emerged about the work of Cozy Bear. The group is stealthy, motivated and not easily deterred.

The other interesting aspect of the NCSC’s release is the detail it provides on the viruses allegedly used to attack the vaccine development companies. Hackers work in stages: first they sneak a small virus onto a victim’s computer, because the fewer lines of code a virus contains, the easier it is to hide from anti-virus and other security measures. This small initial infection is then used to download further viruses giving greater access and control over the victim’s systems.

According to the NCSC, Cozy Bear used publicly-available hacking tools for its first stages, but then went on to hit their targets with extra malicious software (named Wellness and Wellmail) for “further operations”. This implies the alleged Russian attack went far further than just scouting the companies’ digital perimeters, and got at least some level of access.

One final titbit from the NCSC advisory. It states that once inside the companies, Cozy Bear hackers “likely” used further software to remain hidden inside, and “likely” used anonymising services to conceal their tracks. The uncertain language implies that, at some point, investigators looking into the hacks struggled to follow the attackers’ trail.

The fact that nations are hacking to access coronavirus information is hardly new (I pulled together  a handy list of such attacks here), and the NCSC’s announcement, along with Foreign Secretary Dominic Raab’s assertion that Russians “almost certainly” tried to interfere in the 2019 UK General Election, must be seen in a political context.

Some people believe the government is trying to get ahead of the expected publication next week of an Intelligence and Security Committee report into Russian interference in UK politics. They see the months-long delay in its release as evidence that it will reflect badly on Boris Johnson’s government. If so, we can expect much more on nation state cyber activity to emerge over the next few days.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s