One of the world’s top biology labs—one whose renowned professors have been researching how to counter the Covid-19 pandemic—has been hacked.
Oxford University confirmed on Thursday it had detected and isolated an incident at the Division of Structural Biology (known as “Strubi”) after Forbes disclosed that hackers were showing off access to a number of systems. These included machines used to prepare biochemical samples, though the university said it couldn’t comment further on the scale of the breach. It has contacted the National Cyber Security Center (NCSC), a branch of the British intelligence agency GCHQ, which will now investigate the attack.
“We have identified and contained the problem and are now investigating further,” an Oxford University spokesperson said. “There has been no impact on any clinical research, as this is not conducted in the affected area. As is standard with such incidents, we have notified the National Cyber Security Center and are working with them.” The U.K. Information Commissioner’s Office has also been informed, according to a spokesperson, who added that the affected systems didn’t contain any patient data and there was no impact on patient confidentiality.
“We are aware of an incident affecting Oxford University and are working to fully understand its impact,” a spokesperson with the NCSC said.
Forbes was alerted to the breach by Hold Security chief technology officer Alex Holden, who provided screenshots of the hackers’ access to Oxford University systems. They showed interfaces for what appeared to be possible lab equipment, with the ability to control pumps and pressure. There were also times and dates on the Windows-based controls. They covered February 13 and February 14, 2021, indicating the breach had continued up until recently.
The Oxford spokesperson confirmed the hacked machines were used to purify and prepare biochemical samples, such as proteins, that are made in the laboratory for fundamental research. Such samples have been used in the lab’s coronavirus research, the spokesperson confirmed.
A breach of the lab could place research data at risk of being stolen, including research into the coronavirus. There’s also the threat of sabotaged research, if hackers were able to tinker with the flow of liquids or other aspects of the purification technology. Holden said that he was particularly concerned about the breach due to the hackers’ ostensible ability to disable a pressure alarm from the interface. “With news about cybercriminals tampering with water purity controls, other attacks against energy companies—this type of data in the hands of cybercriminals draws many concerns,” he said.
“With the current interest in molecular structures in Covid research one might speculate that it was someone searching for data about the virus or the vaccine. It’s difficult to see why they would want to sabotage research,” added professor Alan Woodward, a cybersecurity expert at the University of Surrey.
“As the attackers were selling access, it suggests it was probably not a nation-state but a group who thought nation-states or those working on valuable intellectual property might pay for.”
Whilst not directly involved in the development of the Oxford University-AstraZeneca vaccine, which is the domain of the Oxford Vaccine Group and Jenner Institute, Strubi’s scientists have been heavily involved in researching how Covid-19 cells work and how to stop them causing harm. That includes studies on potential future vaccine candidates. Strubi is also home to the Particle Imaging Center, a “biosafety containment facility” for the study of pathogenic human and animal viruses, and its researchers have most recently published research into HIV.
Among its distinguished scientists studying Covid-19 is Sir David Stuart, a professor knighted at the end of last year for his “innovative methods in vaccine development and structural biology.” He is also part of the Jenner Institute behind the Covid-19 vaccine.
Interpol warned last year that organized crime groups were likely to target those involved in Covid-19 research and vaccine development. The hit on Oxford University may well be the first significant example of such an attack.
Who hacked Oxford Uni?
Previously, Russian and North Korean hackers had been blamed for targeting Covid-19 researchers. But while some attacks on organizations studying Covid-19 have been linked to international espionage, the one suffered by Oxford University appears to have been the work of financially motivated criminals, though ones with alleged ties to government hackers.
The crew, according to Holden, is highly sophisticated, has been privately selling stolen data from a number of its victims and has previously sold to “advanced persistent threat” groups, a term for nation-state-backed hackers. He noted that the hackers spoke Portuguese. Some of the group’s other victims include Brazilian universities, Holden added, and they also use ransomware to extort some victims.
Holden also provided evidence that business analytics company Dun & Bradstreet Malaysia was recently hacked by the crew, including screenshots from that attack that showed apparent access to internal email systems and Oracle databases. They also included a spreadsheet of Oracle database passwords. At the time of publication, the company’s website had gone off-line.
A D&B spokesperson said the Malaysia office was a licensed business and not connected to the licensee company’s systems. That D&B Malaysia may have had its databases compromised could be cause for serious concern for the business’ own intellectual property: it promises an “up-to-the-minute extensive database of more than 240 million companies worldwide.” The Malaysia office hadn’t responded to a request for comment at the time of publication.
Whoever hacked Oxford University has a growing list of high-profile, high-worth targets. And some governments might be buying their stolen goods.