By Jack Stubbs and Christopher Bing
LONDON/WASHINGTON, May 8 (Reuters) - Hackers linked to Iran
have targeted staff at U.S. drugmaker Gilead Sciences Inc
in recent weeks, according to publicly-available web
archives reviewed by Reuters and three cybersecurity
researchers, as the company races to deploy a treatment for the
In one case, a fake email login page designed to steal
passwords was sent in April to a top Gilead executive involved
in legal and corporate affairs, according to an archived version
on a website used to scan for malicious web addresses. Reuters
was not able to determine whether the attack was successful.
Ohad Zaidenberg, lead intelligence researcher at Israeli
cybersecurity firm ClearSky, who closely tracks Iranian hacking
activity and has investigated the attacks, said the attempt was
part of an effort by an Iranian group to compromise email
accounts of staff at the company using messages that
Two other cybersecurity researchers, who were not authorized
to speak publicly about their analysis, confirmed that the web
domains and hosting servers used in the hacking attempts were
linked to Iran.
Iran's mission to the United Nations denied any involvement
in the attacks. "The Iranian government does not engage in cyber
warfare," said spokesman Alireza Miryousefi. "Cyber activities
Iran engages in are purely defensive and to protect against
further attacks on Iranian infrastructure."
A spokesman for Gilead declined to comment, citing a company
policy not to discuss cybersecurity matters. Reuters could not
determine if any of the attempts were successful, on whose
behalf the Iranian hackers were working or their motivation.
Still, the hacking attempts show how cyber spies around the
world are focusing their intelligence-gathering efforts on
information about COVID-19, the disease caused by the novel
Reuters has reported in recent weeks that hackers with links
to Iran and other groups have also attempted to break into the
World Health Organization, and that attackers linked to Vietnam
targeted the Chinese government over its handling of the
Britain and the United States warned this week that
state-backed hackers are attacking pharmaceutical companies and
research institutions working on treatments for the new disease.
The joint statement did not name any of the attacked
organizations, but two people familiar with the matter said one
of the targets was Gilead, whose antiviral drug remdesivir is
the only treatment so far proven to help patients infected with
The hacking infrastructure used in the attempt to compromise
the Gilead executive's email account has previously been used in
cyberattacks by a group of suspected Iranian hackers known as
"Charming Kitten," said Priscilla Moriuchi, director of
strategic threat development at U.S. cybersecurity firm Recorded
Future, who reviewed the web archives identified by Reuters.
"Access to even just the email of staff at a cutting-edge
Western pharmaceutical company could give ... the Iranian
government an advantage in developing treatments and countering
the disease," said Moriuchi, a former analyst with the U.S.
National Security Agency.
Iran has suffered acutely from the COVID-19, recording the
highest death toll in the Middle East. The disease has so far
killed more than 260,000 people worldwide, triggering a global
race between governments, private pharmaceutical companies and
researchers to develop a cure.
Gilead is at the forefront of that race and has been lauded
by U.S. President Donald Trump, who met the California company's
CEO Daniel O'Day at the White House in March and May to discuss
its work on COVID-19.
The U.S. Food and Drug Administration last week gave
emergency use authorization to Gilead's remdesivir for patients
with severe COVID-19, clearing the way for broader use in more
hospitals around the United States.
An official at one European biotech company said the
industry was on "red alert" and taking extra precautions to
guard against attempts to steal COVID-19 research, such as
conducting all work related to vaccine trials on "air-gapped"
computers that are disconnected from the internet.
(Additional reporting by Raphael Satter in WASHINGTON, Joseph
Menn in SAN FRANCISCO and Michelle Nichols in NEW YORK; editing
by Chris Sanders and Edward Tobin)
© 2023 Thomson/Reuters. All rights reserved.