The Trump administration is pointing the finger at China for attempting to steal coronavirus research as officials are warning they have seen a growing wave of cyberattacks on US government agencies and medical institutions leading the pandemic response by nation states and criminal groups.
Hospitals, research laboratories, health care providers and pharmaceutical companies have all been hit, officials say, and the Department of Health and Human Services - which oversees the Centers for Disease Control and Prevention – has been struck by a surge of daily strikes, an official with direct knowledge of the attacks said.
“It is safe to say that there are only two places in the world that could hit (the Department of Health and Human Services) the way it’s been hit,” the official familiar with the attacks told CNN.
The primary culprits for the HHS attacks are Russia and China, the official said, because of the size and scope of the actions. After some hesitance to attribute the wide-ranging attacks across the medical sector to any specific countries – whether for political reasons or a lack of certainty – top national security officials have decided to single out China.
The Department of Justice now says they are particularly concerned about attacks by Chinese hackers targeting US hospitals and labs to steal research related to coronavirus.
“It’s certainly the logical conclusion of everything I’ve said,” John Demers, the head of the Justice Department’s National Security Division, said when asked specifically about China’s actions during an online discussion Thursday on Chinese economic espionage hosted by Strategic News Service. “We are very attuned to increased cyber intrusions into medical centers, research centers, universities, anybody that is doing research in this area.”
“There is nothing more valuable today than biomedical research relating to vaccines for treatments for the coronavirus,” Demers said. “It’s of great importance not just from a commercial value but whatever countries, company or research lab develops that vaccine first and is able to produce it is going to have a significant geopolitical success story.”
Calling out China
Cyber espionage from China against the United States has spiked in the months since the outbreak of the virus. Last month, leading cybersecurity group FireEye reported that Chinese group APT41 has carried out “one of the broadest campaigns by a Chinese cyber espionage actor we have observed in recent years.”
On Thursday, Secretary of State Mike Pompeo – who has been consistently attacking China over the pandemic – told Fox News, “The biggest threat isn’t our ability to work with China on cyber, it’s to make sure we have the resources available to protect ourselves from Chinese cyberattacks.”
CNN has asked the Chinese embassy in Washington for comment on the allegations.
The uptick in activity targeting HHS and the wider medical sector is part of a broader cyber campaign being carried out by groups linked to a number of countries in addition to China, including Russia, Iran and North Korea. The four make up a quartet regularly accused by the US national security community of being the most complex and active actors against the US.
During the coronavirus crisis, attacks from nation states and criminal groups have come in a multitude of forms with numerous different goals: posing as US agency or authority with phishing emails to steal data and information, denial of service, ransomware attacks and disinformation, among others, both on the open internet and darknet.
“The COVID-19 pandemic has provided a unique opening to nefarious actors and cyber criminals,” a senior Trump administration official told CNN. While under attack itself, HHS, along with the cyber arm of the Department of Homeland Security, CISA, has worked to step up the defenses of those pandemic-related organizations, the official added.
The Director of the National Counterintelligence and Security Center, Bill Evanina, who has led the US intelligence community’s battle against Chinese industrial and academic spying and theft of intellectual property, has also warned that critical research for Covid-19 vaccines risks being stolen and replicated overseas.
“Medical research organizations and those who work for them should be vigilant against threat actors seeking to steal intellectual property or other sensitive data related to America’s response to the COVID19 pandemic,” Evanina told CNN.
‘They are trying to steal everything’
But despite an overwhelming consensus that these attacks are occurring at an increasingly high tempo and near universal agreement over the primary state actors, US officials have been careful in assigning blame for specific actions.
“If there was that degree of confidence, you’d see more definite language,” said an official from a country that shares intelligence with the US. “That’s not what we’re being told.”
Arising from the new wave of threats is the Cyber Threat Intelligence League, a global group of more than 1,400 vetted cyber security experts that have volunteered and banded together to highlight and take down threats as they emerge.
The CTI League, which is working with US authorities and put out its first report this week, says the threat actors from the four nation states that traditionally target the US are now focusing on – and taking advantage of - the pandemic.
“They are trying to steal everything,” Ohad Zaidenberg, one of the group’s co-founders who is based in Israel, said of the landscape of actors. Countries like China and Iran, he added, “can steal information regarding the coronavirus information that they don’t have, (if) they believe someone is creating a vaccine and they want to steal information about it. Or they can use the pandemic as leverage so they (can) to steal any other type of information.
Google’s Threat Analysis Group (TAG) has specifically identified over a dozen government-backed attacker groups that are using “COVID-19 themes as lure for phishing and malware attempts, according to a new report published Wednesday.
“One notable campaign attempted to target personal accounts of US government employees with phishing lures using American fast food franchises and COVID-19 messaging. Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options,” the report said.
The report from Google also cited new activity that corroborates reporting from Reuters last month about Iranian-backed hackers attempting to break into the World Health Organization.
On Thursday, WHO said it “has seen a dramatic increase in the number of cyber attacks directed at its staff, and email scams targeting the public at large” since the outbreak began.
“This week, some 450 active WHO email addresses and passwords were leaked online along with thousands belonging to others working on the novel coronavirus response,” the organization said in a news release. “The leaked credentials did not put WHO systems at risk because the data was not recent. However, the attack did impact an older extranet system, used by current and retired staff as well as partners.”
Lawmakers demand more action
Since the outbreak of the coronavirus in the US, the National Security Agency and Cyber Command have launched offensive cyber action in an attempt to counter a wide range of foreign attacks, including disinformation, sources say. The exact nature of that response is unclear given the work of those agencies remains highly classified.
Broadly speaking, multiple officials told CNN that these agencies continue to employ a “defend forward” posture, which includes offensive operations intended to deter foreign actors linked to nation state adversaries.
US Cyber Command and the NSA are led by Gen. Paul Nakasone, who has been given additional authority to conduct these types of operations without having to get White House approval in recent years, particularly since the Russian threat against US elections became clear.
Cyber Command, NSA and CISA declined to comment on those offensive measures and their response to the senators, but CISA did point to warnings they issued with British counterparts.
While these agencies are currently operating with an unprecedented amount of leeway, some lawmakers believe more needs to be done to protect US health organizations and agencies amid the ongoing pandemic.
A bipartisan group of senators, which included members of the Intelligence and Armed Services committees, said this week that Cyber Command and CISA need to be more aggressive with their warnings and actions to ward off what they called an “unprecedented and perilous campaign of sophisticated hacking operations from state and criminal actors amid the coronavirus pandemic.”
“Disinformation, disabled computers, and disrupted communications due to ransomware, denial of service attacks, and intrusions means critical lost time and diverted resources,” Senators Tom Cotton, Richard Blumenthal, Mark Warner, David Perdue and Edward Markey wrote in a letter to Nakasone and the CISA director, Christopher Krebs. “During this moment of national crisis, the cybersecurity and digital resilience of our healthcare, public health, and research sectors are literally matters of life-or-death.”
CNN’s David Shortell contributed to this report.