When the federal government issued an alert in March saying that sophisticated hackers were targeting COVID-19 researchers in Canada, it did so without citing specific attacks or evidence.
Nevertheless, the security establishment and researchers alike are continuing to take the warning from the Canadian Centre for Cyber Security seriously – and for good reason.
Canada has a strong backbone in health research that is recognized around the world, says Christopher Parsons, senior research associate at the Citizen Lab at the Munk School of Global Affairs and Public Policy.
A number of efforts at finding a COVID-19 vaccine are also under way here, which makes Canada a particularly appealing target right now. Calgary-based biotech firm Providence Therapeutics Inc., for example, announced last week it is prepared to begin Phase 1 testing of a vaccine.
“There’s often a lack of appreciation within Canada that we are a very worthwhile target for adversaries,” Dr. Parsons says. “It really undersells what Canada is producing on a regular basis.”
The CCCS warning suggests that potential hackers could be backed by nation states. Dr. Parsons says such scenarios are likely, with different countries having their own reasons for wanting to steal Canadian data.
Countries operating under international trade sanctions could do it because it might be the only way they’ll acquire a vaccine. Other countries, meanwhile, may engage in theft to supplement their own research efforts and thereby improve their respective geopolitical positions.
“Whoever develops it first is going to have a lot of soft power in international relations,” Dr. Parsons says. “That could be very helpful for their global diplomatic efforts.”
A vaccine would also have tremendous economic value. A recent estimate by Barron’s suggests that at a price of US$30 a dose, a vaccine could be worth US$10-billion annually. Some analysts estimate the price could go as high as US$200 a vaccination. Either scenario would present a giant windfall to whatever country or pharmaceutical company develops one.
One method that hackers are likely to use in stealing research, Dr. Parsons says, is spear-phishing – or targeting researchers with e-mail messages that appear to be from trusted sources. As opposed to generic spam, such messages are personalized and the product of individualized research on the recipient by the sender.
Senders could trick receivers into clicking on malicious links or revealing sensitive information by appearing to be people they know or might know.
The best protection against spear-phishing, Dr. Parsons says, is for recipients to be aware of it and to verify sensitive requests by contacting senders through other means, such as phoning or texting them.
“When it’s done well, spear-phishing is very effective,” he says.
Philip Awadalla is aware of the CCCS alert and is actively heeding it. He is the national scientific director at the Canadian Partnership for Tomorrow’s Health (CanPath), a project that has been gathering and analyzing health data since 2008.
The organization has focused historically on cancer and genetics research but is also now working on COVID-19. Over the past month, CanPath has surveyed participants about symptoms, travels and other related subjects.
Aside from worrying that this research might get stolen, Dr. Awadalla is also concerned that the 320,000 Canadians voluntarily providing CanPath with data could be targeted. Individuals who are tricked through phishing attacks could then become distrustful of similar, legitimate communication attempts.
“What we don’t want to happen is if an external actor with [malicious intent] comes in and starts to exploit the goodwill of the Canadian population in capturing information,” he says. “We rely on that goodwill.”
Julia Zarb, director of the master of health informatics program at the University of Toronto, is also concerned about the potential erosion of goodwill. She’s part of Rapid Evidence Access Link, an online project that seeks to provide leaders and policy makers with fast answers to COVID-19 questions.
Ms. Zarb’s experience isn’t necessarily with nation-state-backed hackers, but rather with profit-motivated criminals who steal or lock up information, then extort people to get it back. These types are now using COVID-19 as their lures, she says. Ms. Zarb is concerned that hackers could find lists of people who have had the virus, for example, and then blackmail them.
“They find where the currency is in health care and think about how they can hold it hostage or profit off it,” she says.
Waterloo, Ont.-based OpenText, which makes information management software for businesses, says attackers have recently been targeting people who are now working from home as a result of the pandemic.
Since many remote workers don’t have their systems set up to limit how many times someone can unsuccessfully log in, hackers are launching what’s known as a brute-force attack, where a program rapidly guesses passwords until it succeeds. Such programs are becoming increasingly effective, according to Tyler Moffitt, a security analyst at OpenText.
“Where we’re at now is 15-character passwords can be guessed in 15 hours,” he says.
The obvious answer there, he adds, is for users to set limits on unsuccessful log-in attempts. On a higher level, organizations that are receiving new government grant money for COVID-19 research should also ensure they are investing proportionately in cybersecurity as they ramp up.
Wesley Wark, a visiting professor at the University of Ottawa’s Graduate School of Public and International Affairs, points out that generally lower security spending by Canadian organizations – especially small and medium enterprises – contributes to Canada’s appeal as a target for sophisticated hackers.
He also recommends increased spending on expertise both to prevent attacks and to deal with them when they happen, such as in cases in which attackers lock users out of their systems and hold their data for ransom.
“Institutions, no matter at what scale in the health sector, need to educate their work forces about prevalent forms of cyberattacks, including classic phishing efforts,” he says. “Get expert advice immediately if subject to ransomware attacks. Don’t try to handle it on your own.”