By Jack Stubbs and Christopher Bing
LONDON/WASHINGTON (Reuters) – Hackers linked to Iran have targeted staff at U.S. drugmaker Gilead Sciences Inc in recent weeks, according to publicly-available web archives reviewed by Reuters and three cybersecurity researchers, as the company races to deploy a treatment for the COVID-19 virus.
In one case, a fake email login page designed to steal passwords was sent in April to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses. Reuters was not able to determine whether the attack was successful.
Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, who closely tracks Iranian hacking activity and has investigated the attacks, said the attempt was part of an effort by an Iranian group to compromise email accounts of staff at the company using messages that impersonated journalists.
Two other cybersecurity researchers, who were not authorized to speak publicly about their analysis, confirmed that the web domains and hosting servers used in the hacking attempts were linked to Iran.
Iran’s mission to the United Nations denied any involvement in the attacks. “The Iranian government does not engage in cyber warfare,” said spokesman Alireza Miryousefi. “Cyber activities Iran engages in are purely defensive and to protect against further attacks on Iranian infrastructure.”
A spokesman for Gilead declined to comment, citing a company policy not to discuss cybersecurity matters. Reuters could not determine if any of the attempts were successful, on whose behalf the Iranian hackers were working or their motivation.
Still, the hacking attempts show how cyber spies around the world are focusing their intelligence-gathering efforts on information about COVID-19, the disease caused by the novel coronavirus.
Reuters has reported in recent weeks that hackers with links to Iran and other groups have also attempted to break into the World Health Organization, and that attackers linked to Vietnam targeted the Chinese government over its handling of the coronavirus outbreak.
Britain and the United States warned this week that state-backed hackers are attacking pharmaceutical companies and research institutions working on treatments for the new disease.
The joint statement did not name any of the attacked organizations, but two people familiar with the matter said one of the targets was Gilead, whose antiviral drug remdesivir is the only treatment so far proven to help patients infected with COVID-19.
The hacking infrastructure used in the attempt to compromise the Gilead executive’s email account has previously been used in cyberattacks by a group of suspected Iranian hackers known as “Charming Kitten,” said Priscilla Moriuchi, director of strategic threat development at U.S. cybersecurity firm Recorded Future, who reviewed the web archives identified by Reuters.
“Access to even just the email of staff at a cutting-edge Western pharmaceutical company could give … the Iranian government an advantage in developing treatments and countering the disease,” said Moriuchi, a former analyst with the U.S. National Security Agency.
Iran has suffered acutely from the COVID-19, recording the highest death toll in the Middle East. The disease has so far killed more than 260,000 people worldwide, triggering a global race between governments, private pharmaceutical companies and researchers to develop a cure.
Gilead is at the forefront of that race and has been lauded by U.S. President Donald Trump, who met the California company’s CEO Daniel O’Day at the White House in March and May to discuss its work on COVID-19.
The U.S. Food and Drug Administration last week gave emergency use authorization to Gilead’s remdesivir for patients with severe COVID-19, clearing the way for broader use in more hospitals around the United States.
An official at one European biotech company said the industry was on “red alert” and taking extra precautions to guard against attempts to steal COVID-19 research, such as conducting all work related to vaccine trials on “air-gapped” computers that are disconnected from the internet.
(Additional reporting by Raphael Satter in WASHINGTON, Joseph Menn in SAN FRANCISCO and Michelle Nichols in NEW YORK; editing by Chris Sanders and Edward Tobin)