Russian Espionage and Dirty Tricks During a Global Pandemic

Dave McMahon · CEO Clairvoyance Cyber Corp · Posted: July 22, 2020

Canadian, U.S. and U.K., intelligence agencies have formally accused Russia of deliberately targeted COVID-19 vaccine research facilities in Canada.  The cyber attacks were attributed to APT29 also known as Cozy Bear, identified as the Russian Intelligence Service. 

I have been an eye-witness to Russian espionage and dirty tricks through the cold war, the fall of the Berlin wall and during glasnost. I have watched a digital iron curtain descend between East and West, and cyber conflicts intensify against Canada up to today.

The Canadian Security Industry and the government's Communications Security Establishment (CSE) have long been warning that sophisticated cyber threat actors could target Canadian medical research labs working on COVID-19 vaccines and treatments.

CSE stated that "these malicious cyber activities were very likely undertaken to steal information and intellectual property relating to the development and testing of COVID-19 vaccines, and serve to hinder response efforts at a time when health-care experts and medical researchers need every available resource to help fight the pandemic.”

Across the Atlantic, the U.K. Foreign Secretary Dominic Raab tweeted that his government stands with Canada and the U.S. "against the reckless actions of Russia's intelligence services, who we have exposed today for committing cyber attacks against those working on a COVID-19 vaccine."

Russia has an extensive rap sheet of conducting espionage, deliberately interfering in critical infrastructure and otherwise trying to derail our society. But attacking medical labs during a global pandemic is a new low. 

Russia is the biggest troll in Cyberspace

State-run troll farms have been implicated in antagonizing polarized discussions online, undermining liberal democracies, interfering in elections, stirring-up the anti-vax movement, climate change deniers, sowing fractured narratives, and violently attacking Canadian based organizations, while spraying a fire hose of falsehoods around 5G causing everything from Cancer to triggering the COVID19 Global Pandemic.  They have incited the burning of cell towers in Montreal.

Cozy Bear is behind the latest attacks against Canadian labs

Cozy Bear, classified as advanced persistent threat APT29, has been identified as the Russian intelligence Service. In 2014, the General Intelligence and Security Service of the Netherlands (AIVD) had hacked into the network of a building at a Russian university in Moscow used by "Cozy Bear." Access to the video cameras allowed the AIVD to get images of every person who entered the room and match them against known Russian intelligence agents and officials. This corroborated what was known by the security industry through forensic analysis of APT29’s Tactics, Techniques, and Procedures(TTP). According to Fireeye, APT29 typically uses compromised servers for Command and Control (CnC) communication. They counter attempts to remediate attacks and also maintains a fast development cycle for its malware, quickly altering tools to hinder detection. In June 2016, Cozy Bear was implicated alongside the hacker group APT28 Fancy Bear (Russian military intelligence agency GRU) in the Democratic National Committee cyber attacks.

Cozy Bear and Fancy Bear have been hunting game in Canada for a while

The 2014 Sochi Olympic Games saw the involvement of the Russian Intelligence Service (SVR) in state-sanctioned cheating. Russia responded to international sanctions by attacking the doping inquiry and agencies. The Russian GRU (Fancy Bear APT28) was further implicated in cyber attacks against 26 national anti-doping organizations including Canada. The exploitation of the Montreal-based World Anti Doping Association (WADA) by Russia included the full spectrum of information warfare; influence activities, disinformation, offensive cyber, close access operations, intimidation and assassination. In 2018, the US Justice Department indicted GRU operatives in the exploitation of the World Anti-doping Association.

Russia’s campaign against Canada is not just about hacking

The Russian 'Gerasimov doctrine' combines military, technological, information, diplomatic, economic, cultural, sport and other tactics for the purpose of achieving strategic goals.  The term ‘hybrid war’ has become synonymous with Russian aggression. It denotes a style of warfare that combines the political, economic, social and kinetic, in a kind of conflict that recognizes no boundaries between covert and overt war. 

The Institute of Modern Russia interestingly outlines how the Kremlin weaponizes information, culture and money to achieve foreign policy goals and undermine opponents in the report The Menace of Unreality. We see collusion between Russian state and military intelligence services, their security industry and organized crime such as the former Russian Business Network and present day troll farms.

Competition, conflict and war between states are occurring on cyber terrain owned and operated by the private sector.  Canadian citizens, businesses and research facilities find themselves victims in a proxy conflict between states. Russian information operations are a decisive tool of state power rather than a supporting element. Russia is competing against Canada in cyberspace at a level just below armed conflict.

Canada’s national security and intelligence committee’s report named two countries (Russia and China) amongst those conducting “sophisticated and pervasive foreign interference activities against Canada.”

There are many bad actors, but China and Russia in particular have focused their efforts in strategic ways and are executing at scale to achieve their objectives. Meanwhile, both China and Russia are executing well-developed cyber-enabled regional and global “grey zone” unconventional strategies against the US and its allies.^[1][1]

According to a recent national security review, Canada remains an “attractive and permissive target” for interference, that endangers the “foundations of our fundamental institutions, including our system of democracy itself.” 

A doctrine of restraint has led to increased aggression and embodiment.  Indifference and passivity after repeated Chinese and Russian attacks against Canadian institutions, installations, industries and infrastructure has invited more aggressive campaigns and transgressions. 

The question will be, whether Canada will expand deployment of active cyber defence to protect more of industry and adopt a policy of persistent engagement to normalize Russia’s behaviour.

Dave McMahon has an honours degree in computer engineering from the Royal Military College of Canada and 35 years experience in defence, security and intelligence.  Dave was a CSO, COO to defence, telecommunications and intelligence organizations, co-chair or the Interdepartmental Committee on Information Warfare, expert witness to the Senate and special advisor to the Privacy Commissioner of Canada, and intelligence oversight and review. Dave is currently the Chair of the CADSI cyber council, and the CEO of Clairvoyance Cyber Corp.