In the world of cyber espionage, the law of supply and demand reigns supreme—so it shouldn't be a surprise that in our pandemic-stricken present, there's no hotter commodity on the current black market than a functional COVID-19 vaccine.
Several different forms of attacks targeting medical research institutions have already been identified. This past month, the US Justice Department recently indicted two Chinese nationals who hacked US-based biotech companies in order to obtain data related to COVID-19 vaccines and treatments. This news came on the tail of the revelation that the notorious Russian hacker group "Cozy Bear" was at it again, but this time it wasn't the DNC it was after, but the
The United Kingdom's National Cyber Security Center (NCSC) along with Canada’s Communications Security Establishment (CSE) issued an advisory warning to research organizations involved with COVID-19 vaccine development stating that the notorious Russian hacker group APT29 (a.k.a. Cozy Bear) made numerous grabs at COVID-19 data in 2020.
The advisory, which was specifically directed at vaccine researchers in the US, Canada, and the UK, strongly recommended these institutions take steps to secure their data from the notorious hacker group. The full report details that Cozy Bear, which was deemed highly likely to be linked to Russian Intelligence, used basic vulnerability scanning to gain initial access to the medical organizations, then deployed custom malware to maintain persistent access.
These hacks are likely just the tip of the iceberg of COVID-19 vaccine hacking attempts, past and future. This means the leaders of institutions at the forefront of vaccine research will have to double down on their efforts to secure their medical data.
While the NSCS issued a recommendation for threat mitigation including using Two-Factor Authentication (2FA), this solution only perpetuates a problem that hackers will exploit over and over again until companies take measures to solve it: passwords. As long as company employees are still using passwords or other "shared secret" methods of security to gain access to proprietary, confidential data, the potential still exists to be compromised via a stolen password. While using 2FA is better than not using it, and the additional layers of authentication commonly recommended (such as answering security questions or entering a security code sent by SMS message) might be enough to deter your garden variety hacker, more sophisticated hackers can easily circumvent these obstacles. And they will—as the COVID-19 vaccine is estimated to be worth upwards of $1 billion, the price is certainly right.
As a proud member of the FIDO Alliance, we at StrongKey support the FIDO Alliance’s mission by assisting companies in implementing strong authentication in their web applications to permanently eliminate the risk of password breaches. These are protocols to which every company handling sensitive information—not to mention the biotech companies handling the keys to global health—should be transitioning.