WASHINGTON — The FBI and the Department of Homeland Security are preparing to issue a warning that China’s most skilled hackers and spies are working to steal American research in the crash effort to develop vaccines and treatments for the coronavirus. The efforts are part of a surge in cybertheft and attacks by nations seeking advantage in the pandemic.
The warning comes as Israeli officials accuse Iran of mounting an effort in late April to cripple water supplies as Israelis were confined to their houses, though the government has offered no evidence to back its claim. More than a dozen countries have redeployed military and intelligence hackers to glean whatever they can about other nations’ virus responses. Even U.S. allies like South Korea and nations that do not typically stand out for their cyber abilities, like Vietnam, have suddenly redirected their state-run hackers to focus on virus-related information, according to private security firms.
A draft of the forthcoming public warning, which officials say is likely to be issued in the days to come, says China is seeking “valuable intellectual property and public health data through illicit means related to vaccines, treatments and testing.” It focuses on cybertheft and action by “nontraditional actors,” a euphemism for researchers and students the Trump administration says are being activated to steal data from inside academic and private laboratories.
The decision to issue a specific accusation against China’s state-run hacking teams, current and former officials said, is part of a broader deterrent strategy that also involves U.S. Cyber Command and the National Security Agency. Under legal authorities that President Donald Trump issued nearly two years ago, they have the power to bore deeply into Chinese and other networks to mount proportional counterattacks. This would be similar to their effort 18 months ago to strike at Russian intelligence groups seeking to interfere in the 2018 midterm elections and to put malware in the Russian power grid as a warning to Moscow for its attacks on U.S. utilities.
But it is unclear exactly what the U.S. has done, if anything, to send a similar shot across the bow to the Chinese hacking groups, including those most closely tied to China’s new Strategic Support Force, its equivalent of Cyber Command, the Ministry of State Security and other intelligence units.
The forthcoming warning is also the latest iteration of a series of efforts by the Trump administration to blame China for being the source of the pandemic and exploiting its aftermath.
Secretary of State Mike Pompeo claimed this month that there was “enormous evidence” that the virus had come from a Chinese lab before backing off to say it had come from the “vicinity” of the lab in Wuhan. U.S. intelligence agencies say they have reached no conclusion on the issue, but public evidence points to a link between the outbreak’s origins at a market in Wuhan and China’s illegal wildlife trafficking.
The State Department on Friday described a Chinese Twitter campaign to push false narratives and propaganda about the virus. Twitter executives have pushed back on the agency, noting that some of the Twitter accounts that the State Department cited were actually critical of Chinese state narratives.
But it is the search for vaccines that has been a particular focus, federal officials say.
“China’s long history of bad behavior in cyberspace is well documented, so it shouldn’t surprise anyone they are going after the critical organizations involved in the nation’s response to the COVID-19 pandemic,” said Christopher Krebs, director of the Cybersecurity and Infrastructure Security Agency. He added that the agency would “defend our interests aggressively.”
Last week, the U.S. and Britain issued a joint warning that “health care bodies, pharmaceutical companies, academia, medical research organizations and local governments” had been targeted. While it named no specific countries — or targets — the wording was the kind used to describe the most active cyberoperators: Russia, China, Iran and North Korea.
The hunt for spies seeking intellectual property has also accelerated. For months, FBI officials have been visiting major universities and presenting largely unclassified briefings about their vulnerabilities.
But some of those academic leaders and student groups have pushed back, comparing the rising paranoia about stolen research to the worst days of the Red Scare era. They particularly objected when Sen. Tom Cotton, R-Ark., declared last month on Fox News that it was “a scandal” that the U.S. had “trained so many of the Chinese Communist Party’s brightest minds to go back to China.”
Security experts say that while there is a surge of attacks by Chinese hackers seeking an edge in the race for a COVID-19 vaccine, or even effective treatment, the Chinese are hardly alone in seeking to exploit the virus.
Iranian hackers were also caught trying to get inside Gilead Sciences, the maker of remdesivir, the therapeutic drug approved 10 days ago by the Food and Drug Administration for clinical trials. Government officials and Gilead have refused to say if any element of the attack, which was first reported by Reuters, was successful.
Israel’s security advisers met last week for a classified session on a cyberattack on April 24 and 25, which authorities were calling an attempt to cut off water supplies to rural parts of the country. The Israeli news media has widely blamed the attack on Iran, though they have offered no evidence in public. The effort was detected fairly quickly and did no damage, authorities said.
The rush to attribute the attack to Iran could be faulty. When a Saudi petrochemical plant was similarly attacked in 2017, Iran was presumed as the source of the effort to cause an industrial accident. It turned out to be coordinated from a Russian scientific institute.
The coronavirus has created whole new classes of targets. In recent weeks, Vietnamese hackers have directed their campaigns against Chinese government officials running point on the virus, according to cybersecurity experts.
South Korean hackers have taken aim at the World Health Organization and officials in North Korea, Japan and the U.S. The attacks appeared to be attempts to compromise email accounts, most likely as part of a broad effort to gather intelligence on virus containment and treatment, according to two security experts for private firms who said they were not authorized to speak publicly. If so, the moves suggest that even allies are suspicious of official government accounting of cases and deaths around the world.
In interviews with a dozen current and former government officials and cybersecurity experts over the past month, many described a “free-for-all” that has spread even to countries with only rudimentary cyber ability.
“This is a global pandemic, but unfortunately countries are not treating it as a global problem,” said Justin Fier, a former national security intelligence analyst who is now the director of cyberintelligence at Darktrace, a cybersecurity firm. “Everyone is conducting widespread intelligence gathering — on pharmaceutical research, PPE orders, response — to see who is making progress.”
The frequency of cyberattacks and the spectrum of targets are “astronomical, off the charts,” Fier said.
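David E. Sanger reported from Washington, and Nicole Perlroth from Palo Alto, California.
David E. Sanger is a national security correspondent for The Times. In a 36-year reporting career at The Times, he has been part of three teams that won Pulitzer Prizes, most recently the 2017 Pulitzer Prize for international reporting. His most recent book is “The Perfect Weapon: War, Sabotage and Fear in the Cyber Age.” Follow him on Twitter and Facebook.
Nicole Perlroth is a reporter covering cybersecurity and espionage. Before joining The Times in 2011, she covered Silicon Valley for Forbes magazine. Follow her on Twitter at @nicoleperlroth.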