On 2 March, just a week before Covid-19 was officially classified as a pandemic, employees at the World Health Organisation began receiving unusual emails. The series of messages, sent to their personal accounts, ostensibly came from Google. But, as Reuters reported last month, they had been sent by hackers working on behalf of the Iranian government.
Although it’s not clear if the phishing campaign was successful, the incident was one in a series of attempts, part of a 200 per cent rise in cyber attacks targeting the UN health agency, which has led the international response to the pandemic. Security experts believe the attacks could have been motivated by an assumption among some governments that the WHO may have known more than it publicly disclosed, and that there was valuable intelligence to be gained.
Nearly two months later, with research on vaccines and potential cures advancing, state-sponsored attackers appear to have turned their sights to a new range of targets: coronavirus research labs. Earlier this week, the National Cyber Security Centre (NCSC) issued a joint advisory with its US counterpart, revealing that British and American coronavirus researchers are witnessing a surge in attacks.
“[NCSC] and [the] US Cybersecurity and Infrastructure Security Agency (CISA) have seen large-scale ‘password spraying’ campaigns against healthcare bodies and medical research organisations,” the British security agency said on Tuesday (5 May). “The ‘advanced persistent threat’ (APT) groups target such bodies to collect bulk personal information, intellectual property and intelligence that aligns with national priorities.”
In their advisory, neither NCSC nor CISA disclosed the nationality or allegiance of those responsible for the attacks. Attribution is difficult at the best of times, and hacking groups often operate at a deniable distance from the governments that are thought to sponsor them.
However, the Mail on Sunday reported over the weekend that Iran and Russia had been linked to attacks on British research, while the Guardian reported that China was also a likely suspect. The country has regularly been accused of stealing sensitive intellectual property from Western organisations.
Although none of the attacks appear to have led to a successful breach yet, Oxford University, whose researchers started trialling a vaccine candidate last month, has said it has taken steps to bolster its defences. Researchers at Imperial College London and Bristol University are also preparing possible vaccines for human trials, and may also be at risk.
“If you’re a smaller country like Iran or even somewhere like Russia, as capable as it is, it’s probably not quite up there with the US and UK when it comes to medical research,” says Alan Woodward, a professor of cyber security at the University of Surrey. “Whereas the original WHO attacks were about, ‘Well, what do they know about how this is spreading?’, this is about, ‘Who’s done what in terms of developing a vaccine and a cure?'”
For NCSC and CISA, the motivation for going public with such warnings is twofold. Firstly, says Woodward, security agencies will want to ensure organisations aren’t “disrupted at a time of real significance” which “could be a side-effect of these attacks”, and secondly, because “you don’t want to suddenly find that something that is valuable is stolen”.
Although NCSC has condemned the attacks as “reprehensible”, it appears that GCHQ, its parent agency, is also carrying out coronavirus-related espionage — albeit of a different kind. The Australian Daily Telegraph reported over the weekend that the Five Eyes intelligence alliance — constituting Australia, Canada, New Zealand, the UK and the US — had produced a dossier showing that while Covid-19 had not been created in a lab, the Chinese government had destroyed evidence of the initial outbreak.
“I imagine [GCHQ] will now be trying to get intelligence on what’s happening, rather than trying to steal research,” says Woodward. “What’s truly happening? Is there a second wave? [That will be the focus], rather than trying to steal intellectual property; they’re probably confident we can develop that ourselves.”