COVID-19 alters focus of cyberespionage

This was a piece published on 11 June 2020 that I wrote on COVID-19 and cyberespionage. Copyright belongs to Oxford Analytica and the link to the live piece is available here.

The rapid spread of the global COVID-19 pandemic has altered the strategic goals and intensity of cyberespionage. Calls by the UN and civil society organisations for a cyberspace ‘ceasefire’ have made little difference.

What next

The pandemic has changed the focus of cyberespionage activity as states attempt to mitigate the pandemic by gathering intelligence on pharmacological developments. As information on treatments is disseminated globally, the focus of such activity will return to areas that promise countries longer-term geostrategic and economic advantages, with states leveraging any tactical breakthroughs gained now.

Subsidiary Impacts

  •  Trust in multilateral institutions such as the World Health Organization will be undermined if they suffer cyberattacks.
  •  Post-pandemic, China is likely to experience a rise in cyber intrusions from upcoming cyber actors such as Vietnam.
  •  Although better prepared than research institutions, large pharmaceutical firms are not immune to cyberespionage.


In April, FBI Deputy Assistant Director Tonya Ugoretz noted that reconnaissance and intrusions targeting “those that have publicly identified themselves as working on COVID-related research” have increased since the start of the year (see PROSPECTS H2 2020: Cybersecurity – June 4, 2020).

On May 5, the UK and US governments issued a joint statement warning of a rise in cyberespionage against pharmaceutical firms, research institutes and universities, and healthcare organisations, involved in developing vaccines and other pharmacological solutions for COVID-19.

Corporate researchers have also noted a change in focus. For example, Google’s Threat Analysis Group in April warned of at least a dozen state-backed cyber actors using COVID-19 themes to conduct phishing and malware attacks.


Multiple actors have been implicated in COVID-19-related cyberespionage.


On May 13, the FBI and the US government’s Cybersecurity and Infrastructure Security Agency (CISA) issued a rare joint statement specifically accusing China of trying to acquire intellectual property (IP) and public health data on vaccines, treatments and testing through ‘non-traditional actors’, such as those in academic and private institutions.

Such activity represents a shift of focus rather than of tactics. Cyberespionage to obtain valuable assets such as IP has a long history. Until the onset of the pandemic, Chinese cyberespionage mostly focused on military and economic secrets as well as aiding the Belt and Road Initiative. Such activity was tacitly acknowledged and forbidden by the 2015 China-US agreement against IP theft — an agreement Washington now accuses Beijing of violating.

Russia and Iran

Media reports have pointed to similar espionage by Russian and Iranian state actors, specifically Iranian hacking group Charming Kitten (also known as APT35) that has targeted the WHO as well as the US drug maker Gilead, which is running COVID-19 research trials.

Other actors

Although there is no direct evidence, CISA Director Christopher Krebs has stated that “every intelligence agency” is likely to be conducting espionage related to COVID-19.

Private cybersecurity firm FireEye has revealed that Vietnam’s state-linked APT32 group breached the Chinese Ministry of Emergency Management and the local Wuhan administration in search of information about the pandemic’s outbreak.

Members of the Five Eyes intelligence-sharing alliance — Australia, Canada, New Zealand, the United States and the United Kingdom — are almost certainly conducting cyberespionage against China, not least to establish how Beijing handled the outbreak in Wuhan.

Other states likely to be active include South Korea, North Korea, Israel, Iran and Saudi Arabia.

Securing COVID-19 research

Public research institutions that are currently leading COVID-19 research often have a culture of openness and a need to share information quickly.

This culture, together with lax security protocols, has made research institutions frequent targets for cybersecurity breaches. Universities, in particular, have long been a target for IP theft:

  • A large espionage campaign against 320 universities, revealed in 2018, was conducted by the Iranian-backed Mabna Institute and involved mass exfiltration of research data over five years.
  • In December 2019, Germany’s Justus Liebig University was severely affected by ransomware, after which the university had to reset passwords manually for some 38,000 students and staff.

Pharmaceutical firms

Pharmaceutical corporations have also faced cyberespionage attempts in the past. Notably, German drug maker Bayer was reportedly targeted by China’s ‘Wicked Panda’ (APT41) in 2018.

Consequently, such companies have awareness of and funding for building defences against state and non-state actors. Bayer was involved in setting up a cybersecurity outfit, DCSO, with other German businesses in 2015.

Yet defences do not guarantee immunity, especially in the context of a sharp rise in remote working due to the pandemic.

Existing vulnerabilities

Health-related organisations are vulnerable to a range of common cyberattack techniques

Besides cyberattacks against high-value targets, there has also been a rise in wide-ranging, generic attempts to access systems by using known techniques. Jeremy Fleming, head of the UK agency GCHQ, reflected at the 2020 Cheltenham Science Festival this week that hackers are using “pretty basic techniques” against the UK health infrastructure.

More broadly, as a reported ransomware attack against South Korean car manufacturer Hyundai this week demonstrates, public and private sector organisations worldwide are facing a heightened risk of cyberattacks involving relatively well-established techniques.

Given the stakes involved in the development of COVID-19 treatments, states are making sure critical sectors receive appropriate support. For example, the UK National Cyber Security Centre is offering guidance to the University of Oxford and Imperial College London, both engaged in critical vaccine development and research.

Such support is not available to all key health and research institutions. Better-financed ones are likely to procure these services from private cybersecurity firms.

Post-pandemic outlook

The impact of current cyberespionage will outlast the pandemic.

If established and upcoming foreign cyber actors gain a foothold in sensitive research areas spurred by immediate need, they are likely to build on that research and successful new cyberespionage techniques to gain an economic and strategic advantage post-pandemic.

Although IP theft has been a continuous source of tension among states, this will be particularly heightened as more states adopt more proactive policies.

Global norms

Bilateral norms on cyberactivity are more likely than global ones

Long term, this will lead to greater friction between states not unlike before the 2015 China-US agreement, but now featuring more states.

The tensions are likely to involve conventional actors such as the Five Eyes members, Russia and Iran, but also European actors such as Germany, France and the Netherlands as attention returns to geopolitical strategy focused on Chinese activities in areas such as 5G (see EUROPE: Public resistance to make 5G rollout patchy – May 18, 2020).

Other states such as Israel, Vietnam and South Korea will also use their capabilities to defend their interests.

Tensions could be mitigated through new and strengthened global agreements. However, this is unlikely in the medium term due to the lack of multilateral engagement by principal actors in the cyber domain, especially the United States (see CHINA/US: Ideological conflict will intensify – May 18, 2020). Bilateral agreements such as the US-China pact are more likely, even though they would be less effective than global rules.

Leave a Reply