Tuesday 23rd June 2020

BLOG: COVID’s Metamorphoses part I: nation-state activity in the era of vaccine nationalism

By Kit Palmer and Jamie MacColl

Orpheus analysts examine one of the key geopolitical consequences of COVID-19 in the first part of our blog series on the long-term impact of the pandemic on the cyber threat landscape – the competition over COVID-19 vaccine research and production.

Introduction: COVID-19 and geopolitics

As always, nation-state cyber activities are informed by the geopolitical backdrop against which they occur. Nearly six months into the COVID-19 pandemic, hopes of a renewal of multilateralism and co-operation between states to combat the virus are subsiding. Instead, geopolitics and international diplomacy have become more acrimonious and competitive in 2020.

This is particularly true of the crucial bilateral relationship between the US and China. The blame game over the origins of the virus is now aggravating pre-existing tensions between the two countries.[1] Concerns about China are also increasing outside the US, as Beijing has become more aggressive and risk-tolerant as the virus has spread, both in Hong Kong and through its increasingly combative disinformation campaigns.

This sense of international antagonism and suspicion has three main geopolitical consequences that we assess have long-term implications for the cyber threat landscape. We explore the first in this blog post. We assess that competition over the development and production of a vaccine will consume much of the focus of nation-state cyber espionage groups seeking to collect intelligence on targets in healthcare, the pharmaceutical industry, and academic research. Similarly, nation-state units or private contractors will seek to collect intelligence on the origins of the virus to use as part of broader information operations to shape narratives to legitimise their own government’s handling of the crisis, or to discredit opponents.

Vaccine nationalism

The research and production of COVID-19 vaccines and treatments has become intensely competitive and politicised, a phenomenon dubbed “vaccine nationalism” by many commentators.[2] There are over 100 candidate COVID-19 vaccines currently being researched worldwide, with many governments having deals in place to secure vaccines for their own citizens first.[3]

The race for a vaccine, however, is about more than just health. A Chinese vaccine would go some way to repairing the country’s damaged geopolitical standing; whereas an American vaccine could provide a valuable boost ahead of the November Presidential election. Caught between the two superpowers are a variety of countries either looking to produce their own vaccines or seeking more intelligence on the virus and its origins.[4]

Cyber espionage in support of vaccine nationalism

We have already covered numerous instances of state-level cyber espionage against entities involved in COVID-19 research.[5] These include Iranian operations against WHO employees and pharmaceutical company Gilead; Chinese state units exploiting vulnerabilities associated with remote working tools to target the healthcare and pharmaceutical sectors; and Vietnam’s Ocean Lotus Group targeting the Chinese government for COVID-19 intelligence. Current evidence suggests that the majority of these espionage campaigns emanate from China, Iran, Russia, North Korea and Vietnam, and are targeted against Western entities. However, we expect Western intelligence agencies are pursuing corresponding targets, albeit in a more discreet manner.

We assess that state-directed cyber espionage against such entities is likely to continue even after a COVID-19 vaccine has been developed. For example, some states will likely use cyber espionage to steal intellectual property to produce their own vaccine, mitigating the effects of global shortages – particularly as political leaders’ standing will continue to rest on their perceived abilities to manage the outbreak and protect the health of citizens. Espionage against organisations involved in vaccine research may have an economic dimension as a COVID-19-induced recession starts to bite: obtaining intellectual property reduces the need for costly research and development phases, which could allow entities to produce a lower-cost vaccine and undercut the market to their own economic advantage. To this end, we could also expect to see commercial, non-state-affiliated entities engage in their own forms of cyber espionage.

Disrupting vaccine research and production: an escalation too far?

There is also the possibility that threat actors may attempt to sabotage or disrupt competitors’ vaccine research for geopolitical or financial gains.[6] Although any such adversary would likely attempt to achieve plausible deniability, sabotage against vaccine development would have significant reputational consequences, and perhaps invoke punitive responses and sanctions.

Consequently, we assess that any disruptive operation against an organisation involved in the development of a COVID-19 vaccine or treatments is likely to take on a more subtle character. For instance, rather than engaging in direct sabotage, threat actors could degrade a network indirectly associated with systems or production lines producing a COVID-19 vaccine, slowing the research or production process.

Similarly, manipulating data integrity could represent a quieter and less attributable – albeit more difficult – form of disruption against vaccine research, when compared to ‘noisier’ disruptive operations targeting data availability with wiper malware. For instance, subtly manipulating a dataset of a pharmaceutical or academic scientist could lead to incorrect conclusions or send them down unpromising paths. As one commentator has noted, compromising data in this way could also happen unintentionally, if a cyber espionage operation targeting confidential data accidentally mishandled it during the discovery or exfiltration process.[7] Whether purposeful or not, we assess that any disruption of vaccine research or production via cyber means is likely to be understated and indirect.

Information operations during and beyond COVID-19  

In addition to cyber espionage, the COVID-19 pandemic has also been accompanied by state-level information operations aimed primarily at reducing criticism of each state’s handling of the pandemic, and drawing attention to failures of other governments.[8]

For example, after an initial period of obfuscation over the outbreak of the virus in Wuhan, China has been linked to cross-network spam campaigns amplifying pro-China and anti-US messaging while downplaying its role in the spread of the pandemic (see images below);[9] Russian actors have disseminated conspiracy theories suggesting COVID-19 was a US bioweapon;[10] and Iranian operations seek to show that Western sanctions are undermining Iran’s response to the pandemic.[11] Even the US government has added to this complicated information ecosystem, outlining legitimate criticism of Beijing’s handling of the outbreak while spreading unsubstantiated rumours that COVID-19 was created in Chinese laboratories.[12]

Figure 1: Examples of suspected Chinese accounts engaging in astroturfing, whereby accounts copy content and retweet one another to create the perception of more support than actually exists.
Figure 2: Two Chinese bots (the accounts consist of a word followed by a string of numbers, which is a tell-tale sign) using the #USAVIRUS hashtag.

In the long term, we anticipate COVID-19-themed information operations will blend with existing narratives and methods – for example, adopting the Russian hack-and-leak approach and combining with efforts to target the US Presidential Election, as we predicted in our 2020 forecast. The election will take place amid a larger disinformation environment where adversaries will use the US government response to COVID-19, along with the protests related to the mismanagement of the virus and racial injustice in the US, to sow chaos and cast doubt on the moral authority of US leadership and the value of liberal democracy more broadly.[13] These kinds of information operations will likely cut both ways, particularly as China will be the key foreign policy issue of the 2020 US election. The Trump administration could, for example, seek to leak stolen information that discredits the WHO or China’s handling of the outbreak.[14]


The impact of “vaccine nationalism” will influence the objectives and tasking of nation-state cyber activities for the foreseeable future. This will make healthcare, pharmaceutical and academic organisations involved in COVID-19 vaccine and treatment research much more susceptible to cyber espionage or disruption. Moreover, competing narratives over who is to “blame” for the outbreak of the virus will continue to drive information operations well into the 2020 presidential election. We will continue to explore the geopolitical complexities caused by COVID-19 in the next blog post in this series.

A threat-led intelligence approach is essential for understanding how sophisticated nation-state groups will continue to adapt their targeting and tactics, techniques and procedures.

Kit Palmer is an Orpheus Research Intern

Jamie MacColl is an Orpheus Researcher

[1] https://www.ft.com/content/115fc14f-4a8a-45da-8688-c59605a5191a; https://foreignpolicy.com/2020/05/14/china-us-pandemic-economy-tensions-trump-coronavirus-covid-new-cold-war-economics-the-great-decoupling/

[2] https://www.nytimes.com/2020/04/10/business/coronavirus-vaccine-nationalism.html?auth=login-email&login=email

[3] https://www.gavi.org/vaccineswork/covid-19-vaccine-race ; https://www.gov.uk/government/news/funding-and-manufacturing-boost-for-uk-vaccine-programme ; https://rusi.org/commentary/vaccine-nationalism-age-coronavirus

[4] https://www.bbc.co.uk/news/technology-52992677

[5] https://www.ncsc.gov.uk/files/Joint%20NCSC%20and%20CISA%20Advisory%20APT%20groups%20target%20healthcare%20and%20essential%20services.pdf ; https://coronavirus.health.ny.gov/system/files/documents/2020/05/covid-19_tlp_white-pin-21may2020.pdf

[6] https://coronavirus.health.ny.gov/system/files/documents/2020/05/covid-19_tlp_white-pin-21may2020.pdf ; https://www.lawfareblog.com/developing-coronavirus-vaccines-and-treatments-cooperatively-and-not-competitively

[7] https://www.lawfareblog.com/developing-coronavirus-vaccines-and-treatments-cooperatively-and-not-competitively

[8] https://graphika.com/reports/the-covid-19-infodemic/

[9] https://www.bbc.co.uk/news/blogs-trending-52657434

[10] https://thereader.mitpress.mit.edu/operation-denver-kgb-aids-disinformation-campaign/

[11] https://www.rferl.org/a/eu-monitors-sees-coordinated-covid-19-disinformation-effort-by-iran-russia-china/30570938.html

[12] https://www.theguardian.com/world/video/2020/mar/18/not-racist-at-all-donald-trump-defends-calling-coronavirus-the-chinese-virus-video ; https://theconversation.com/donald-trumps-chinese-virus-the-politics-of-naming-136796

[13] https://www.nytimes.com/2020/04/08/world/asia/coronavirus-china-narrative.html?utm_source=newsletter&utm_medium=email&utm_campaign=newsletter_axioscodebook&stream=technology

[14] https://news.sky.com/story/coronavirus-leaked-who-files-show-china-delayed-releasing-important-information-11999027
