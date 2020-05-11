WASHINGTON – The F.B.I. and the Department of Homeland Security are preparing to issue a warning that China's most skilled hackers and spies are working to steal US research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cyber theft and attacks by nations seeking advantage in the pandemic.
The warning comes as Israeli officials accuse Iran of making an effort in late April to cut off the water supply while Israelis were confined to their homes, although the government has offered no evidence to back up its claim. More than a dozen countries have redeployed military and intelligence hackers to learn everything they can about other nations' responses to the virus. Even American allies like South Korea, and nations that don't normally stand out for their cyber capabilities, like Vietnam, have suddenly redirected their state hackers to focus on virus-related information, according to private security firms.
A draft of the upcoming public warning, which officials say will likely be issued in the coming days, says China is seeking "valuable intellectual property and public health data through illicit means related to vaccines, treatments and tests." It focuses on cyber theft and on the activity of "non-traditional actors," a euphemism for researchers and students who, according to the Trump administration, are being activated to steal data from academic and private labs.
The decision to issue a specific accusation against China's state hacking teams, current and former officials said, is part of a broader deterrence strategy that also involves United States Cyber Command and the National Security Agency. Under the legal authorities that President Trump issued nearly two years ago, they have the power to drill deep into Chinese and other networks to mount proportional counterattacks. This would be similar to his effort 18 months ago to attack Russian intelligence groups seeking to interfere in the 2018 midterm elections and to place malware on Russia's power grid as a warning to Moscow for its attacks on American utility companies.
But it is not clear exactly what the US has done, if anything, to send a similar shot across the bow to Chinese hacking groups, including those most closely linked to China's new Strategic Support Force, its equivalent of Cyber Command, the Ministry of State Security and other intelligence units.
The coming warning is also the latest in a series of efforts by the Trump administration to blame China for being the source of the pandemic and for exploiting its consequences.
Secretary of State Mike Pompeo said this month that there was "enormous evidence" that the virus came from a Chinese laboratory, before backing down to say it came from the laboratory "neighborhood" in Wuhan. United States intelligence agencies say they have not come to any conclusions on the matter, but public evidence points to a link between the origins of the outbreak at a market in Wuhan and China's illegal wildlife trade.
The State Department on Friday described a Chinese Twitter campaign to spread false narratives and propaganda about the virus. Twitter executives have pushed back against the department's claim, noting that some of the Twitter accounts the State Department cited were in fact critical of Chinese state narratives.
But finding vaccines has been a particular focus, federal officials say.
"China's long history of misbehavior in cyberspace is well documented, so it should come as no surprise to anyone chasing critical organizations involved in the nation's response to the Covid-19 pandemic," said Christopher Krebs, Director of the Cybersecurity and Infrastructure Security Agency. He added that the agency "would aggressively defend our interests."
Last week the United States and Great Britain issued a joint warning that "health care agencies, pharmaceutical companies, academia, medical research organizations and local governments" had been attacked. While it did not name specific countries or targets, the wording was of the type used to describe the most active cyber operators: Russia, China, Iran and North Korea.
The search for spies looking for intellectual property has also accelerated. For months, F.B.I. officials have been visiting major universities and delivering largely unclassified briefings on their vulnerabilities.
But some academic leaders and student groups have pushed back, comparing the growing paranoia about stolen research to the worst days of the Red Scare era. They were particularly opposed when Senator Tom Cotton, R-Arkansas, declared last month on Fox News that it was "a scandal" that the United States "has trained many of the brightest minds in the Chinese Communist Party to return to China."
Security experts say that while there is an increase in attacks by Chinese hackers seeking an advantage in the race for a Covid-19 vaccine, or even an effective treatment, the Chinese are hardly alone in the quest to exploit the virus.
Iranian hackers were also caught trying to break into Gilead Sciences, the maker of remdesivir, the therapeutic drug approved 10 days ago by the Food and Drug Administration for clinical trials. Government officials and Gilead have declined to say whether any element of the attack, which was first reported by Reuters, was successful.
Israel's security advisers met last week for a classified session on a cyber attack on April 24 and 25, which authorities called an attempt to cut off the water supply to the country's rural areas. The Israeli media has widely blamed the attack on Iran, although they have offered no evidence in public. The effort was detected fairly quickly and caused no damage, authorities said.
The rush to attribute the attack to Iran could be flawed. When a Saudi petrochemical plant was similarly attacked in 2017, Iran was presumed to be the source of the effort to cause an industrial accident. It turned out to have been coordinated from a Russian scientific institute.
The coronavirus has created entirely new classes of targets. In recent weeks, Vietnamese hackers have aimed their campaigns at Chinese government officials who are dealing with the virus, according to cybersecurity experts.
South Korean hackers have targeted the World Health Organization and officials in North Korea, Japan and the United States. The attacks appeared to be attempts to compromise email accounts, likely as part of a broad effort to gather information about virus containment and treatment, according to two security experts from private companies who said they were not authorized to speak in public. If so, the moves suggest that even allies are suspicious of official government accounts of cases and deaths worldwide.
In interviews with a dozen current and former government officials and cybersecurity experts over the past month, many described a "free for all" that has spread even to countries with only rudimentary cyber-security.
"This is a global pandemic, but unfortunately countries are not treating it as a global problem," said Justin Fier, a former national security intelligence analyst who is now the director of cyberintelligence at Darktrace, a cybersecurity company. "They are all conducting a general intelligence gathering, on pharmaceutical research, PPE requests, response, to see who is making progress."
The frequency of the cyber attacks and the spectrum of targets are "astronomical, off the charts," Fier said.
Even before the pandemic, the United States was becoming much more aggressive in pursuing cases involving suspected Chinese efforts to steal intellectual property related to biological research. The Justice Department announced in January that it had charged Charles M. Lieber, chair of Harvard's department of chemistry and chemical biology, with making false statements related to his participation in China's Thousand Talents program to recruit scientific talent to the country.
But Harvard also has a joint research program with a Chinese institute on coronavirus treatments and vaccines. And researchers have said that international cooperation will be vital if there is to be any hope for a global vaccine, which puts the national instinct to be first in tension with the need for a cooperative effort.
At Google, security researchers identified more than a dozen nation-state hacking groups that use virus-related emails to break into corporate networks, including some sent to US government employees. Google did not identify the specific countries involved, but in the past eight weeks several nation states, some familiar, like Iran and China, and others less so, like Vietnam and South Korea, have taken advantage of softer security as millions of workers were suddenly forced to work from home.
"The nature of vulnerabilities and attacks has radically changed with shelter-in-place," said Casey Ellis, the founder of Bugcrowd, a security company. In some cases, Ellis said, the hackers were simply "kicking a baby," hacking hospitals that were already overloaded and simply lacked the resources to prioritize cybersecurity.
In other cases, they targeted the tools that workers used to remotely access internal networks, and the encrypted virtual private networks, or VPNs, that allow employees to tunnel into corporate networks to reach proprietary information.
"Governments that might otherwise be reluctant to attack international public health organizations, hospitals and business organizations are crossing that line because there is such a thirst for knowledge and information," said John Hultquist, director of intelligence analysis at FireEye, a cyber security company.
Even Nigerian cybercriminals are getting into the game: They recently started hitting companies with coronavirus-themed email attacks to try to convince targets to send them money or to steal personal data that could fetch money on the dark web.
"These are not complex, but ingenious social engineering is accomplishing them," said Jen Miller-Osborn, deputy director of threat intelligence at Palo Alto Networks, a cybersecurity company. Because Nigerian hackers are less skilled, they lack the so-called "op sec," or operational security, to cover their tracks.
David E. Sanger reported from Washington and Nicole Perlroth from Palo Alto, California.