Colleagues talking during a meeting.

Russian Espionage and Dirty Tricks During a Global Pandemic

Dave McMahon · CEO Clairvoyance Cyber Corp · Posted: July 22, 2020

Canadian, U.S. and U.K., intelligence agencies have formally accused Russia of deliberately targeted COVID-19 vaccine research facilities in Canada.  The cyber attacks were attributed to APT29 also known as Cozy Bear, identified as the Russian Intelligence Service. 

I have been an eye-witness to Russian espionage and dirty tricks through the cold war, the fall of the Berlin wall and during glasnost. I have watched a digital iron curtain descend between East and West, and cyber conflicts intensify against Canada up to today.

The Canadian Security Industry and the government's Communications Security Establishment (CSE) have long been warning that sophisticated cyber threat actors could target Canadian medical research labs working on COVID-19 vaccines and treatments.

CSE stated that "these malicious cyber activities were very likely undertaken to steal information and intellectual property relating to the development and testing of COVID-19 vaccines, and serve to hinder response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic.”

Across the Atlantic, the U.K. Foreign Secretary Dominic Raab tweeted that his government stands with Canada and the U.S. "against the reckless actions of Russia's intelligence services, who we have exposed today for committing cyber attacks against those working on a COVID-19 vaccine."

Russia has an extensive rap sheet of conducting espionage, deliberately interfering in critical infrastructure and otherwise trying to derail our society. But attacking medical labs during a global pandemic is a new low. 

Russia is the biggest troll in Cyberspace

State-run troll farms have been implicated in antagonizing polarized discussions online, undermining liberal democracies, interfering in elections, stirring-up the anti-vax movement, climate change deniers, sowing fractured narratives, and violently attacking Canadian based organizations, while spraying a fire hose of falsehoods around 5G causing everything from Cancer to triggering the COVID19 Global Pandemic.  They have incited the burning of cell towers in Montreal.

Cozy Bear is behind the latest attacks against Canadian labs

Cozy Bear, classified as advanced persistent threat APT29, has been identified as the Russian intelligence Service. In 2014, the General Intelligence and Security Service of the Netherlands (AIVD) had hacked into the network of a building at a Russian university in Moscow used by "Cozy Bear." Access to the video cameras allowed the AIVD to get images of every person who entered the room and match them against known Russian intelligence agents and officials. This corroborated what was known by the security industry through forensic analysis of APT29’s Tactics, Techniques, and Procedures(TTP). According to Fireeye, APT29 typically uses compromised servers for Command and Control (CnC) communication. They counter attempts to remediate attacks and also maintains a fast development cycle for its malware, quickly altering tools to hinder detection. In June 2016, Cozy Bear was implicated alongside the hacker group APT28 Fancy Bear (Russian military intelligence agency GRU) in the Democratic National Committee cyber attacks.

Cozy Bear and Fancy Bear have been hunting game in Canada for a while

The 2014 Sochi Olympic Games saw the involvement of the Russian Intelligence Service (SVR) in state-sanctioned cheating. Russia responded to international sanctions by attacking the doping inquiry and agencies. The Russian GRU (Fancy Bear APT28) was further implicated in cyber attacks against 26 national anti-doping organizations including Canada. The exploitation of the Montreal-based World Anti Doping Association (WADA) by Russia included the full spectrum of information warfare; influence activities, disinformation, offensive cyber, close access operations, intimidation and assassination. In 2018, the US Justice Department indicted GRU operatives in the exploitation of the World Anti-doping Association.

Russia’s campaign against Canada is not just about hacking

The Russian 'Gerasimov doctrine' combines military, technological, information, diplomatic, economic, cultural, sport and other tactics for the purpose of achieving strategic goals.  The term ‘hybrid war’ has become synonymous with Russian aggression. It denotes a style of warfare that combines the political, economic, social and kinetic, in a kind of conflict that recognizes no boundaries between covert and overt war. 

The Institute of Modern Russia interestingly outlines how the Kremlin weaponizes information, culture and money to achieve foreign policy goals and undermine opponents in the report The Menace of Unreality. We see collusion between Russian state and military intelligence services, their security industry and organized crime such as the former Russian Business Network and present day troll farms.

Competition, conflict and war between states are occurring on cyber terrain owned and operated by the private sector.  Canadian citizens, businesses and research facilities find themselves victims in a proxy conflict between states. Russian information operations are a decisive tool of state power rather than a supporting element. Russia is competing against Canada in cyberspace at a level just below armed conflict.

Canada’s national security and intelligence committee’s report named two countries (Russia and China) amongst those conducting “sophisticated and pervasive foreign interference activities against Canada.”

There are many bad actors, but China and Russia in particular have focused their efforts in strategic ways and are executing at scale to achieve their objectives. Meanwhile, both China and Russia are executing well-developed cyber-enabled regional and global “grey zone” unconventional strategies against the US and its allies.[1][1]

According to a recent national security review, Canada remains an “attractive and permissive target” for interference, that endangers the “foundations of our fundamental institutions, including our system of democracy itself.” 

A doctrine of restraint has led to increased aggression and embodiment.  Indifference and passivity after repeated Chinese and Russian attacks against Canadian institutions, installations, industries and infrastructure has invited more aggressive campaigns and transgressions. 

The question will be, whether Canada will expand deployment of active cyber defence to protect more of industry and adopt a policy of persistent engagement to normalize Russia’s behaviour.

[2][1] Cyber Security Readiness Review, US Navy, 2019-04-15

Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years experience in defence, security and intelligence.  Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair or the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.

Disclaimer: The views and opinions expressed in this blog post are those of the authors and do not necessarily reflect the official position of the Professional Development Institute of the University of Ottawa.


Security, Economics & Technology Blog

Browse Recent Posts

June 30, 2021 - Cyber Deception — The Art of Camouflage, Stealth and Misdirection

June 24, 2021 - Remembering Air India 182: A Failure of Imagination


June 8, 2021 - The Idaho Mass Shooting and the Australian Example ​ 

June 1, 2021 - Jordan: Still Stable, but Less So 

May 13, 2021 - Are we Entering a new "Threat Wave"?

March 16, 2021 - Insider Threat Bias

March 2, 2021 - If the head of a spy agency speaks publicly, shouldn't we listen?

February 9, 2021 - The Socialization of Terrorism

February 1, 2021 - Star Wars and Cyber Defence

January 25, 2021 - Understanding the Wave of Normalization in the Middle East​

January 19, 2021 - Top 10 Cyber Defence Predictions for 2021

January 11, 2021 - What will Canada’s National Security and Public Safety Challenges be in 2021?

December 16, 2020 - Countries Treat First Degree Murder Seriously, as they Should: why doesn’t Canada when it comes to Terrorism?

December 7, 2020It’s Time for Our Government to Walk the Walk, Not Just Talk the Talk, (and talk and talk…..maybe) When it Comes to the PRC?  

November 23, 2020Digital Citizen

November 16, 2020Why can’t the Canadian PM denounce a brutal act of terrorism? 

November 2, 2020Piecing Together the Puzzle of a Potential Terrorist Plot 

October 13, 2020State Sponsored Kidnapping -  What are the options? 

October 06, 2020The Taliban Deal & U.S. - Jihadist Negotiations

September 28, 2020This Threat to National Security may be out of this World!

September 22, 2020FUDging the odds: Security as business enabler

September 14, 2020 - Is the violent extremist issue bigger than a shoebox?

September 1, 2020 - Canada is getting a failing grade when it comes to terrorism prosecutions

August 24, 2020 - Strike Back: Canadian context to cyber vigilantism and the active cyber defence certainty act

August 17, 2020 - Canada must send a strong message to Saudi Arabia

August 7, 2020 - Is Canada Really The 'True North Strong and Free' When It Ignores Arctic Sovereignty?

July 22, 2020 - Russian Espionage and Dirty Tricks During a Global Pandemic

June 24, 2020 - Déjà Vu for Canada’s Security Intelligence Service

June 17, 2020 - So Canada is Bringing Back ISIS Women – Now What?

June 11, 2020 - Terrorism means many things to many people and we may be heading down an unhelpful pathway

June 5, 2020 - Canada’s Supply Chain Vulnerabilities and the Links to National Interests

May 28, 2020 - How Foresight Could Help us Prepare for the Next Crisis

May 20, 2020 - Allegation from a Former Spy's Kiss 'n Tell Memoir

May 13, 2020 - "Money Often Costs too Much"

May 6, 2020 - Where is the COVID-19 terrorism spike?

Visit the SET Homepage for Upcoming Courses and Events

Back to top