2021-03-23

Two operators work at Pfizer’s vaccine factory in Puurs, Belgium. Delmi Alvarez

Intelligence services and cybersecurity companies have been waging an invisible war since the beginning of 2020. The enemies are cybercriminal organizations interested in obtaining sensitive information about the covid vaccine, sabotaging its development or distribution, extorting money from those who produce it, stealing health data on citizens or taking advantage of the information boom to scam people. It is not clear who is winning the battle; the threat is constant. Pharmaceutical companies, warehouses, research centers, Ministries of Health, hospitals, the European Medicines Agency itself … No one escapes.

Some of these cyberattacks have become public; others have not come to light. Secrecy is the norm in cybersecurity matters: nobody wants to reveal their vulnerabilities, especially if they affect the long-awaited vaccine. EL PAÍS has contacted all the pharmaceutical companies developing the vaccines that are distributed in Europe or that are awaiting approval from the European Commission (Pfizer, Moderna, AstraZeneca, Janssen and CureVac), but none has been willing to speak about the attacks it has received or about the cybersecurity reinforcement measures it has implemented.

“To date, we have not suffered unauthorized access to the data that we handle as a company, but we do not relax,” says AstraZeneca, the one exception. In November of last year it became public that researchers from the British laboratory and the University of Oxford involved in the development of the vaccine had received false job offers that included malicious software intended to give the attackers access to their computers. It appears that the intrusion was unsuccessful.

The attack against AstraZeneca and the University of Oxford is attributed to the North Korean group Lazarus, one of the best-known cyber espionage groups. Recently, in February, South Korea accused North Korea of trying to hack Pfizer to steal vaccine information. According to the Russian cybersecurity multinational Kaspersky, Lazarus is reportedly also behind this incident, and last October it also compromised “a Ministry of Health” and “a pharmaceutical company that is developing the vaccine against covid-19.”

This cybercommand is not alone. The North Korean group Velvet Chollima also stole information about the vaccine in the United States, the United Kingdom and South Korea, and its sister organization Labyrinth Chollima tried to torpedo several US vaccine production plants, according to cybersecurity firm CrowdStrike. The Russian group Cozy Bear, for its part, was accused in the summer by the United States, Canada and the United Kingdom of having launched a campaign that tried to steal information related to the development and testing of the vaccines on which they were working at that time. The Vietnamese group Ocean Buffalo, the Iranian group Static Kitten and several Chinese agents have also carried out sensitive attacks of this type.

Threats in Spain

But it is not necessary to go abroad in search of cases of cyber espionage: the National Intelligence Center (CNI) revealed in September that Chinese hackers had managed to steal information related to the vaccine being prepared by Spanish researchers. The director of the CNI, Paz Esteban, warned at that time of “a campaign, especially virulent, not only in Spain, against laboratories that are working in the search for a vaccine for covid-19.”

The Spanish authorities are aware of this. They launched a special digital surveillance operation on March 15, 2020, coinciding with the lockdown. Coordinated by the National Cybersecurity Council, in which the Ministries of the Interior, Defense, Economic Affairs and Digital Transformation, Foreign Affairs and Health participate, the operation monitors possible threats, intrusions, information theft, espionage and fraud attempts. At the end of last year, with the start of the vaccination campaign, collaboration was strengthened with pharmaceutical companies and with everyone involved in the supply chain: storage and transportation of vaccines, cold chain, etc.

A ‘hacker’ infiltrates a computer system. RITCHIE B. TONGO

“We have seen that the reason for the covid is being used to reach society in general,” says Marcos Gómez, deputy director of Cybersecurity Services at Incibe-CERT. There have been few incidents related to covid in the last year (450 of the 90,000 registered between March 15 and February 19), and the majority are scams and fraud against individuals. “It is a very small amount. The incidents experienced by pharmaceutical companies, the number of which we cannot reveal, are significantly more important. They are not looking for an economic impact, but for information, such as vaccine patents or theft of information to extort them,” he points out. The National Cryptological Center, which reports to the Ministry of Defense, cites in its latest trend report attacks to hijack data from medical centers and attacks against laboratories and research centers as one of its big concerns for this year.

More than organized crime

Cybercriminals’ goals have changed over time. In the early days of the pandemic, targeted attacks – those designed against specific individuals in critical positions of responsibility – sought to acquire information on infection rates or state responses to COVID-19 treatment, a CrowdStrike report concludes. However, as infections and deaths grew, when it became clear that getting a vaccine was vital, the scientific information that could lead to its development became a priority. Finding a cure for covid became an international competition. And, as in any competition, there are always those who are willing to cheat to win.

Daniel Creus, a senior analyst with the Kaspersky Research and Analysis Team, divides the attacks related to covid into two large groups. “On the one hand, there are cybercriminals, those who only have a profit motive. They have exploited the social need for information on vaccines and the covid to give an aura of truth to their attacks,” he explains. All kinds of scams fall into this group: from the sale of masks that do not really exist to the purchase of supposed doses of vaccines.

“On the other hand we have the most sophisticated attacks, or persistent threats, that seek intelligence, either at the business or state level. Their goal is to get sensitive information,” he says. Into this second category fall the groups of cybercriminals supposedly sponsored by governments, such as the aforementioned Lazarus or Cozy Bear. Supposedly, because it is almost impossible to prove such a link. Known in the industry as APTs (Advanced Persistent Threats), these groups are very well organized and highly resourceful. “Orchestrating an express campaign, that is, finding out that there is an interesting objective and doing all the deployment of malware and infrastructure overnight, is within the reach of very few,” emphasizes Creus.

Attacks by these groups target individuals who are known to hold a position of interest in the vaccine supply chain. “They don’t launch indiscriminate attacks: they know exactly who to shoot. I cannot comment on organizations, beyond those that have been made public,” Creus says by way of excuse. “What these groups are looking for is to have some kind of competitive advantage over other states: more information, know what to expect, know the vaccination strategy of others … They also carry out sabotage actions, which is still amazing when it comes to a health issue.”

A diffuse authorship

The management of the pandemic falls within what states consider their national security. “The vaccine, either you develop it, or you buy it, or you steal it. And on the contrary: if your adversary has already developed it before you, either you set traps or you try to steal it,” points out Andrea G. Rodríguez, researcher in emerging technologies at Cidob (Barcelona Center for International Affairs). “This is what has happened in Europe since the spring of last year, where there have been cyberattacks against pharmaceutical companies, supercomputers working on it and supply chains.”

The Dominican Republic this month received a batch of one million doses of vaccines from the Chinese pharmaceutical company Sinovac. In the image, airport operators unload part of the cargo at the Santo Domingo International Airport. Vice Presidency of the Republic Dom / EFE

Cyber espionage actions have the advantage that, in addition to being silent, they are very difficult to attribute. “It takes a long time to detect the real authorship of the most sophisticated cyberattacks. Sometimes years go by; in some cases it is not achieved,” says the hacker Deepak Daswani. “APTs are tracked with clues provided by intelligence services, sample correlations, code peculiarities, reuse of parts of it, components, modus operandi, and so on.”

“China would have liked its vaccine to have been the first and it could have been sold massively all over the world,” says Rodríguez. “It uses it as a diplomatic weapon: Beijing is donating massive amounts of Sinovac to countries that are developing or cannot afford Moderna, Pfizer or AstraZeneca.”

What’s coming

The cyberspace battlefield continues to evolve. “As the different vaccines that are underway give different results related to the new variants of the virus that are being discovered, we should hope that the researchers behind these vaccines will also become cyber targets of the countries that compete for the vaccine,” says Chester Wisniewski, Principal Investigator at Sophos.

No one can be trusted. The supply chains of these preparations continue to be attacked. So do hospitals: in France they suffer an average of one cyberattack a week, which has gone as far as halting surgeries, and in Germany an attack may have claimed a life. The covid cyberwar is not over.

