Two workers at Pfizer's vaccine factory in Puurs, Belgium, in February. Delmi Alvarez
Intelligence services and cybersecurity companies have been waging an invisible war since the beginning of 2020. The enemies are organizations of cybercriminals interested in obtaining sensitive information about the covid vaccine, sabotaging its development or distribution, extorting money from those who produce it, stealing health data on citizens, or taking advantage of the information boom to scam people. It is not clear who is winning the battle; the threat is constant. Pharmaceutical companies, warehouses, research centers, Ministries of Health, hospitals, the European Medicines Agency itself... Nobody escapes.
Some of these cyberattacks have become public; others have not come to light. Secrecy is the norm in cybersecurity matters: nobody wants to reveal their vulnerabilities, especially if they affect the long-awaited vaccine. EL PAÍS has contacted all the pharmaceutical companies developing the vaccines that are distributed in Europe or are awaiting approval from the European Commission (Pfizer, Moderna, AstraZeneca, Janssen and CureVac), but none has been willing to speak about the attacks it has received or the cybersecurity reinforcement measures it has implemented.
"To date, we have not suffered unauthorized access to the data that we handle as a company, but we do not relax," says AstraZeneca, as an exception. In November of last year it became public that researchers from the British laboratory and the University of Oxford involved in the development of the vaccine received false job offers that included malicious software intended to break into their computers. It appears that the intrusion was unsuccessful.
The attack against AstraZeneca and the University of Oxford is attributed to the North Korean group Lazarus, one of the best-known cyber espionage groups. Recently, in February, South Korea accused North Korea of trying to hack into Pfizer there to steal vaccine information. According to the Russian cybersecurity multinational Kaspersky, Lazarus is also believed to be behind this incident, and last October it also compromised "a Ministry of Health" and "a pharmaceutical company that is developing a vaccine against covid-19."
This group is not alone. The North Korean Velvet Chollima also stole information about the vaccine in the United States, the United Kingdom and South Korea, and its sister organization Labyrinth Chollima tried to torpedo several US vaccine production plants, according to cybersecurity firm CrowdStrike. The Russian group Cozy Bear, for its part, was accused in the summer by the United States, Canada and the United Kingdom of having launched a campaign to steal information related to the development and testing of the vaccines they were working on at that time. The Vietnamese Ocean Buffalo, the Iranian Static Kitten and several Chinese agents have also carried out sensitive attacks of this type.
Threats in Spain
But it is not necessary to go abroad in search of cases of cyber espionage: the National Intelligence Center (CNI) revealed in September that Chinese hackers had managed to steal information related to the vaccine being prepared by Spanish researchers. The director of the CNI, Paz Esteban, warned at that time of "a campaign, especially virulent, not only in Spain, against laboratories that are working in the search for a vaccine for covid-19".
The Spanish authorities are aware of this. They launched a special digital surveillance operation on March 15, 2020, coinciding with the lockdown. Coordinated by the National Cybersecurity Council, in which the ministries of the Interior, Defense, Economic Affairs and Digital Transformation, Foreign Affairs and Health participate, the operation monitors possible threats, intrusions, information theft, espionage and fraud attempts. At the end of last year, with the start of the vaccination campaign, collaboration with pharmaceutical companies and all those involved in the supply chain was strengthened: storage and transport of vaccines, cold chain, etc.
A 'hacker' infiltrates a computer system. RITCHIE B. TONGO
"We have seen that the reason for the covid is being used to reach society in general," says Marcos Gómez, deputy director of Cybersecurity Services at Incibe-CERT. There have been few incidents related to covid in the last year (450 of the 90,000 registered between March 15 and February 19), and the majority are scams and fraud targeting individuals. "It is a very small amount. The incidents experienced by pharmaceutical companies, the number of which we cannot reveal, are significantly more important. They are not looking for an economic impact, but for information, such as vaccine patents or theft of information to extort them," he says. The National Cryptological Center, which reports to the Ministry of Defense, cites in its latest trend report the attacks to hijack data from medical centers and the attacks against laboratories and research centers as among its major concerns for this year.
More than organized crime
The objectives of cybercriminals have changed over time. In the early days of the pandemic, targeted attacks – those designed against specific individuals in critical positions of responsibility – sought to acquire information on infection rates or state responses to COVID-19 treatment, a CrowdStrike report concludes. However, as infections and deaths grew, when it became clear that getting a vaccine was vital, the scientific information that could lead to its development became a priority. Finding a cure for covid became an international competition. And, as in any competition, there are always those who are willing to cheat to win.
Daniel Creus, Senior Analyst of the Kaspersky Research and Analysis Team, divides covid-related attacks into two large groups. "On the one hand, there are cybercriminals, those who only have a profit motive. They have exploited the social need for information on vaccines and the covid to give an aura of truth to their attacks," he explains. All kinds of scams fall into this category: from the sale of masks that do not really exist to the purchase of supposed doses of vaccines.
"On the other hand we have the most sophisticated attacks, or persistent threats, that seek intelligence, either at business or state level. Their goal is to get sensitive information," he says. Into this second category fall the groups of cybercriminals supposedly sponsored by governments, such as the aforementioned Lazarus or Cozy Bear. Supposedly, because it is almost impossible to prove such a link. Known in the industry as APTs (Advanced Persistent Threats), these groups are very well organized and highly resourceful. "Orchestrating an express campaign, that is, finding out that there is an interesting objective and carrying out all the malware and infrastructure deployment overnight, is within the reach of very few," says Creus.
These groups' attacks target individuals who are known to hold a position of particular interest in the vaccine supply chain. "They don't launch indiscriminate attacks: they know exactly who to shoot. I cannot comment on organizations, beyond those that have been made public," Creus excuses himself. "What these groups are looking for is to have some kind of competitive advantage over other states: more information, know what to expect, know the vaccination strategy of others... They also carry out sabotage actions, which is still amazing when it comes to a health issue."
A diffuse authorship
The management of the pandemic falls within what is considered the national security of states. "The vaccine, either you develop it, or you buy it, or you steal it. And on the contrary: if your adversary has already developed it before you, either you set traps or you try to steal it," points out Andrea G. Rodríguez, researcher in emerging technologies at Cidob (Barcelona Center for International Affairs). "This is what has happened in Europe since the spring of last year, where cyberattacks have occurred against pharmaceutical companies, supercomputers that worked on it, and supply chains."
Workers at Santo Domingo International Airport (Dominican Republic) unload part of a batch of one million doses of vaccines from the Chinese pharmaceutical company Sinovac. Vice-Presidency of the Republic Dom / EFE
Cyber espionage actions have the advantage that, in addition to being silent, they are very difficult to attribute. "It takes a long time to detect the real authorship of the most sophisticated cyberattacks. Sometimes years go by, in some cases it is not achieved," says the hacker Deepak Daswani. "APTs are tracked with clues provided by intelligence services, sample correlations, code peculiarities, reuse of parts of it, components, modus operandi, etc."
"China would have liked its vaccine to have been the first and to have been able to sell it en masse all over the world," says Rodríguez. "It uses it as a diplomatic weapon: Beijing is donating massive amounts of Sinovac to countries that are developing or cannot afford Moderna, Pfizer or AstraZeneca."
The cyberspace battlefield continues to evolve. "As the different vaccines that are underway give different results related to the new variants of the virus that are being discovered, we should hope that the researchers behind these vaccines will also become cyber targets of the countries that compete for the vaccine," says Chester Wisniewski, Principal Investigator at Sophos.
Nobody can be trusted. The supply chains of these preparations continue to be attacked. So do hospitals, which in France suffer an average of one cyberattack a week, attacks that have gone as far as halting surgeries and that in Germany could have claimed a life. The covid cyberwar is not over.