SolarWinds Strikes Again and Again

Primer: The House Oversight and Government Reform Committee, chaired by Carolyn Maloney (D-NY), held only one meeting on SolarWinds and none related to DarkSide, both of which have caused major interruptions in the supply chain and national security. It was last February that the committee hosted a session via WebEx with a few witnesses, at which nothing was determined or solved.

The cyberattackers responsible for the SolarWinds hack targeted U.S. organizations again last week, Microsoft said.

The Russian hackers that U.S. intelligence says are behind the SolarWinds breach that previously compromised government networks went last week after government agencies, think tanks, consultants, and non-governmental organizations, said Microsoft Corporate Vice President Tom Burt.

“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations,” Mr. Burt wrote on Microsoft’s blog. “While organizations in the United States received the largest share of attacks, targeted victims span at least 24 countries. At least a quarter of the targeted organizations were involved in international development, humanitarian and human rights work.” More here.

***

New details are emerging from a cyberattack that hit about 3,000 email accounts and 150 government agencies and think tanks spanning 24 countries, including the U.S., this week.

Microsoft on Thursday evening announced that Nobelium, a Russian group of threat actors that targeted software company SolarWinds in 2020 as part of a months-long hacking campaign, recently attacked more U.S. and foreign government agencies using an email marketing account of the U.S. Agency for International Development (USAID).

USAID is aware of the attack, and a “forensic investigation into this security incident is ongoing,” USAID acting spokesperson Pooja Jhunjhunwala said in a statement to FOX Business. “USAID has notified and is working with all appropriate Federal authorities, including the U.S. Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA),” Jhunjhunwala said.

***

Source: The revelation caused a stir, highlighting as it did Russia’s ongoing and inveterate digital espionage campaigns. But it should be no shock at all that Russia, in general, and the SolarWinds hackers in particular, have continued to spy even after the US imposed retaliatory sanctions in April. And relative to SolarWinds, a phishing campaign seems downright ordinary.

“I don’t think it’s an escalation; I think it’s business as usual,” says John Hultquist, vice president of intelligence analysis at the security firm FireEye, which first discovered the SolarWinds intrusions. “I don’t think they’re deterred, and I don’t think they’re likely to be deterred.”

Russia’s latest campaign is certainly worth calling out. Nobelium compromised legitimate accounts from the bulk email service Constant Contact, including that of the United States Agency for International Development. From there the hackers, reportedly members of Russia’s SVR foreign intelligence agency, could send out specially crafted spearphishing emails that genuinely came from the email accounts of the organization they were impersonating. The emails included legitimate links that then redirected to malicious Nobelium infrastructure and installed malware to take control of target devices.

While the number of targets seems large, and USAID works with plenty of people in sensitive positions, the actual impact may not be quite as severe as it first sounds. While Microsoft acknowledges that some messages may have gotten through, the company says that automated spam systems blocked many of the phishing messages. Microsoft’s corporate vice president for customer security and trust, Tom Burt, wrote in a blog post on Thursday that the company views the activity as “sophisticated” and that Nobelium evolved and refined its strategy for the campaign for months leading up to this week’s targeting.

“It is likely that these observations represent changes in the actor’s tradecraft and possible experimentation following widespread disclosures of previous incidents,” Burt wrote. In other words, this could be a pivot after their SolarWinds cover was blown.

But the tactics in this latest phishing campaign also reflect Nobelium’s general practice of establishing access on one system or account and then using it to gain access to others and leapfrog to numerous targets. It’s a spy agency; this is what it does as a matter of course.

“If this happened pre-SolarWinds we wouldn’t have thought anything about it. It’s only the context of SolarWinds that makes us see it differently,” says Jason Healey, a former Bush White House staffer and current cyberconflict researcher at Columbia University. “Let’s say this incident happens in 2019 or 2020, I don’t think anyone is going to blink an eye at this.”

As Microsoft points out, there’s also nothing unexpected about Russian spies, and Nobelium in particular, targeting government agencies, USAID in particular, NGOs, think tanks, research groups, or military and IT service contractors.

“NGOs and DC think tanks have been high-value soft targets for decades,” says one former Department of Homeland Security cybersecurity consultant. “And it’s an open secret in the incident response world that USAID and the State Department are a mess of unaccountable, subcontracted IT networks and infrastructure. In the past, some of those systems were compromised for years.”

Especially compared to the scope and sophistication of the SolarWinds breach, a widespread phishing campaign feels almost like a downshift. It’s also important to remember that the impacts of SolarWinds remain ongoing; even after months of publicity about the incident, it’s likely that Nobelium still haunts at least some of the systems it compromised during that effort.

“I’m sure that they’ve still got accesses in some places from the SolarWinds campaign,” FireEye’s Hultquist says. “The main thrust of the activity has been diminished, but they’re very likely lingering on in several places.”

Which is just the reality of digital espionage. It doesn’t stop and start based on public shaming. Nobelium’s activity is certainly unwelcome, but it doesn’t in itself portend some great escalation.
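Because the phishing messages described above genuinely came from the organization's bulk-mail account, sender authentication passes and the useful signal is where the links finally land. The following Python example is added here for illustration and is not from the article or from Microsoft; the message, every domain, the redirect table and the last-two-labels `site()` heuristic are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlsplit

# Constructed sample: mail sent through a bulk-mail provider on behalf of
# agency.example, so SPF, DKIM and DMARC all pass.
RAW_EMAIL = """\
From: Agency Updates <updates@agency.example>
To: analyst@thinktank.example
Subject: New documents published
Authentication-Results: mx.thinktank.example; spf=pass smtp.mailfrom=bounce.bulkmail.example; dkim=pass header.d=bulkmail.example; dmarc=pass header.from=agency.example
Content-Type: text/plain; charset=utf-8

View the documents: https://click.bulkmail.example/t/abc123
Our site: https://www.agency.example/news
"""

# Constructed redirect observations (URL -> Location header), as a sandbox
# or mail gateway would record them. Nothing is fetched here.
REDIRECTS = {
    "https://click.bulkmail.example/t/abc123": "https://files.cdn-host.example/dl?id=1",
    "https://files.cdn-host.example/dl?id=1": "https://payload.unrelated.example/view",
}

URL_RE = r"https?://[^\s<>\"']+"


def auth_results(msg):
    """Return {'spf': ..., 'dkim': ..., 'dmarc': ...} from Authentication-Results."""
    header = msg.get("Authentication-Results", "")
    return dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", header))


def sender_authenticated(msg):
    results = auth_results(msg)
    return all(results.get(k) == "pass" for k in ("spf", "dkim", "dmarc"))


def site(host):
    """Assumption: approximate the registrable domain by the last two labels.
    Production code should use the Public Suffix List instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def follow(url, redirects, max_hops=10):
    """Walk recorded redirects, stopping on loops or after max_hops."""
    chain = [url]
    while url in redirects and len(chain) <= max_hops:
        url = redirects[url]
        if url in chain:  # redirect loop
            break
        chain.append(url)
    return chain


def assess(raw, redirects):
    """Flag links whose final landing site differs from the From: domain's site."""
    msg = message_from_string(raw)
    from_site = site(parseaddr(msg.get("From", ""))[1].rpartition("@")[2])
    authenticated = sender_authenticated(msg)
    findings = []
    for link in re.findall(URL_RE, msg.get_payload()):
        chain = follow(link, redirects)
        landing_site = site(urlsplit(chain[-1]).hostname or "")
        if landing_site != from_site:
            findings.append({
                "link": link,
                "landing": chain[-1],
                "hops": len(chain) - 1,
                # True here means auth checks alone would not have caught it.
                "sender_authenticated": authenticated,
            })
    return findings


if __name__ == "__main__":
    for finding in assess(RAW_EMAIL, REDIRECTS):
        print(finding)
```
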

 

The Finer Details of the DarkSide, Hackers of the Colonial Pipeline

Primer: Five months before DarkSide attacked the Colonial pipeline, two researchers discovered a way to rescue its ransomware victims. Then an antivirus company’s announcement alerted the hackers.

On January 11, antivirus company Bitdefender said it was “happy to announce” a startling breakthrough. It had found a flaw in the ransomware that a gang known as DarkSide was using to freeze computer networks of dozens of businesses in the US and Europe. Companies facing demands from DarkSide could download a free tool from Bitdefender and avoid paying millions of dollars in ransom to the hackers.

But Bitdefender wasn’t the first to identify this flaw. Two other researchers, Fabian Wosar and Michael Gillespie, had noticed it the month before and had begun discreetly looking for victims to help. By publicizing its tool, Bitdefender alerted DarkSide to the lapse, which involved reusing the same digital keys to lock and unlock multiple victims. The next day, DarkSide declared that it had repaired the problem, and that “new companies have nothing to hope for.”

“Special thanks to BitDefender for helping fix our issues,” DarkSide said. “This will make us even better.”

DarkSide soon proved it wasn’t bluffing, unleashing a string of attacks. This month, it paralyzed the Colonial Pipeline Co., prompting a shutdown of the 5,500-mile pipeline that carries 45% of the fuel used on the East Coast—quickly followed by a rise in gasoline prices, panic buying of gas across the Southeast, and closures of thousands of gas stations. Absent Bitdefender’s announcement, it’s possible that the crisis might have been contained, and that Colonial might have quietly restored its system with Wosar and Gillespie’s decryption tool.

Instead, Colonial paid DarkSide $4.4 million in Bitcoin for a key to unlock its files. “I will admit that I wasn’t comfortable seeing money go out the door to people like this,” CEO Joseph Blount told the Wall Street Journal.

The missed opportunity was part of a broader pattern of botched or half-hearted responses to the growing menace of ransomware, which during the pandemic has disabled businesses, schools, hospitals, and government agencies across the country. The incident also shows how antivirus companies eager to make a name for themselves sometimes violate one of the cardinal rules of the cat-and-mouse game of cyberwarfare: Don’t let your opponents know what you’ve figured out. During World War II, when the British secret service learned from decrypted communications that the Gestapo was planning to abduct and murder a valuable double agent, Johnny Jebsen, his handler wasn’t allowed to warn him for fear of cluing in the enemy that its cipher had been cracked. Today, ransomware hunters like Wosar and Gillespie try to prolong the attackers’ ignorance, even at the cost of contacting fewer victims. Sooner or later, as payments drop off, the cybercriminals realize that something has gone wrong.

Whether to tout a decryption tool is a “calculated decision,” said Rob McLeod, senior director of the threat response unit for cybersecurity firm eSentire. From the marketing perspective, “You are singing that song from the rooftops about how you have come up with a security solution that will decrypt a victim’s data. And then the security researcher angle says, ‘Don’t disclose any information here. Keep the ransomware bugs that we’ve found that allow us to decode the data secret, so as not to notify the threat actors.’”

In a post on the dark web, DarkSide thanked Bitdefender for identifying a flaw in the gang’s ransomware. (Highlight added by ProPublica.)

Wosar said that publicly releasing tools, as Bitdefender did, has become riskier as ransoms have soared and the gangs have grown wealthier and more technically adept. In the early days of ransomware, when hackers froze home computers for a few hundred dollars, they often couldn’t determine how their code was broken unless the flaw was specifically pointed out to them.

Today, the creators of ransomware “have access to reverse engineers and penetration testers who are very very capable,” he said. “That’s how they gain entrance to these oftentimes highly secured networks in the first place. They download the decryptor, they disassemble it, they reverse-engineer it, and they figure out exactly why we were able to decrypt their files. And 24 hours later, the whole thing is fixed. Bitdefender should have known better.”

It wasn’t the first time Bitdefender trumpeted a solution that Wosar or Gillespie had beaten it to. Gillespie had broken the code of a ransomware strain called GoGoogle, and was helping victims without any fanfare, when Bitdefender released a decryption tool in May 2020. Other companies have also announced breakthroughs publicly, Wosar and Gillespie said.

“People are desperate for a news mention, and big security companies don’t care about victims,” Wosar said.

Bogdan Botezatu, director of threat research at Bucharest, Romania–based Bitdefender, said the company wasn’t aware of the earlier success in unlocking files infected by DarkSide.

Regardless, he said, Bitdefender decided to publish its tool “because most victims who fall for ransomware do not have the right connection with ransomware support groups and won’t know where to ask for help unless they can learn about the existence of tools from media reports or with a simple search.”

Bitdefender has provided free technical support to more than a dozen DarkSide victims, and “we believe many others have successfully used the tool without our intervention,” Botezatu said. Over the years, Bitdefender has helped individuals and businesses avoid paying more than $100 million in ransom, he said.

Bitdefender recognized that DarkSide might correct the flaw, Botezatu said: “We are well aware that attackers are agile and adapt to our decryptors.” But DarkSide might have “spotted the issue” anyway. “We don’t believe in ransomware decryptors made silently available. Attackers will learn about their existence by impersonating home users or companies in need, while the vast majority of victims will have no idea that they can get their data back for free.”


The attack on Colonial Pipeline, and the ensuing chaos at the gas pumps throughout the Southeast, appears to have spurred the federal government to be more vigilant. President Joe Biden issued an executive order to improve cybersecurity and create a blueprint for a federal response to cyberattacks. DarkSide said it was shutting down under US pressure, although ransomware crews have often disbanded to avoid scrutiny and then re-formed under new names, or their members have launched or joined other groups.

“As sophisticated as they are, these guys will pop up again, and they’ll be that much smarter,” said Aaron Tantleff, a Chicago cybersecurity attorney who has consulted with 10 companies attacked by DarkSide. “They’ll come back with a vengeance.”

At least until now, private researchers and companies have often been more effective than the government in fighting ransomware. Last October, Microsoft disrupted the infrastructure of Trickbot, a network of more than 1 million infected computers that disseminated the notorious Ryuk strain of ransomware, by disabling its servers and communications. That month, ProtonMail, the Swiss-based email service, shut down 20,000 Ryuk-related accounts.

Wosar and Gillespie, who belong to a worldwide volunteer group called the Ransomware Hunting Team, have cracked more than 300 major ransomware strains and variants, saving an estimated 4 million victims from paying billions of dollars.

By contrast, the FBI rarely decrypts ransomware or arrests the attackers, who are typically based in countries like Russia or Iran that lack extradition agreements with the US. DarkSide, for instance, is believed to operate out of Russia. Far more victims seek help from the Hunting Team, through websites maintained by its members, than from the FBI.

The US Secret Service also investigates ransomware, which falls under its purview of combating financial crimes. But, especially in election years, it sometimes rotates agents off cyber assignments to carry out its better-known mission of protecting presidents, vice presidents, major-party candidates, and their families. European law enforcement, especially the Dutch National Police, has been more successful than the US in arresting attackers and seizing servers.

Similarly, the US government has made only modest headway in pushing private industry, including pipeline companies, to strengthen cybersecurity defenses. Cybersecurity oversight is divided among an alphabet soup of agencies, hampering coordination. The Department of Homeland Security conducts “vulnerability assessments” for critical infrastructure, which includes pipelines.

It reviewed Colonial Pipeline in around 2013 as part of a study of places where a cyberattack might cause a catastrophe. The pipeline was deemed resilient, meaning that it could recover quickly, according to a former DHS official. The department did not respond to questions about any subsequent reviews.

Five years later, DHS created a pipeline cybersecurity initiative to identify weaknesses in pipeline computer systems and recommend strategies to address them. Participation is voluntary, and a person familiar with the initiative said that it is more useful for smaller companies with limited in-house IT expertise than for big ones like Colonial. The National Risk Management Center, which oversees the initiative, also grapples with other thorny issues such as election security.


Ransomware has skyrocketed since 2012, when the advent of Bitcoin made it hard to track or block payments. The criminals’ tactics have evolved from indiscriminate “spray and pray” campaigns seeking a few hundred dollars apiece to targeting specific businesses, government agencies and nonprofit groups with multimillion-dollar demands.

Attacks on energy businesses in particular have increased during the pandemic—not just in the US but in Canada, Latin America, and Europe. As the companies allowed employees to work from home, they relaxed some security controls, McLeod said.

Continue reading here.

Hunter Flew out of Joint Base Andrews 23 Times

And yet daddy never knew about his business adventures nor asked about them? C’mon man…so many unknown unknowns about this cat and the whole family…

Breitbart:

Rep. Devin Nunes (R-CA), the ranking member of the House Permanent Select Committee on Intelligence (HPSCI), told Breitbart News that revelations in a new book that President Joe Biden’s son Hunter Biden took more than 20 trips through Joint Base Andrews are more proof of “utter corruption” of establishment media.

“The revelation of Hunter Biden’s trips through Joint Base Andrews is further proof of the corporate media’s utter corruption and blinding partisanship,” Nunes told Breitbart News exclusively on Sunday. “They dismissed, ridiculed, and censored reporting on Hunter’s obvious conflicts of interest for the sole purpose of helping Joe Biden’s election prospects. The corporate media has fully merged with the Democratic Party, and their reporting is indistinguishable from crude Democrat talking points.”

Nunes’s comments on this matter come after revelations about Hunter Biden’s travel practices, when his father was vice president to former President Barack Obama, were published Saturday from the new book Breaking the News: Exposing the Establishment Media’s Secret Deals and Hidden Corruption. In particular, the book—from Breitbart News Editor-in-Chief Alex Marlow—revealed Secret Service travel records that showed Hunter Biden took 411 trips, including to 29 foreign countries and 23 trips through Joint Base Andrews, from 2009 to 2014. During that time, his father—now the president of the United States—was vice president of the United States.

The reason why the Joint Base Andrews trips are important is because that is the home of Air Force One and Air Force Two. On Saturday, Breitbart News published a piece from Marlow adapted from the book that further explained the significance of the revelations:

Despite this evidence that there was not an “absolute wall” between Hunter and Joe when it comes to business endeavors, the establishment press has shown little interest in exploring whether Hunter was actually leveraging his father’s power to enrich himself. In fact, quite the contrary. The New York Times, for example, published a story in 2020 portraying Hunter as a skilled artist who was mastering painting. The article, headlined “There’s a New Artist in Town. The Name Is Biden,” un-ironically featured glossy photographs of a relaxed and polished Hunter Biden working away in his studio.

The American public has been told consistently that Hunter Biden is as pure as the driven snow. Joe Biden called his son “the smartest guy I know.” Dr. Jill Biden (Ed.D.) and Joe both expressed confidence that Hunter had done nothing wrong. And, of course, Joe said he thought it was all Russian disinformation. And of course, Facebook and Twitter famously censored bombshell reporting by the New York Post on Hunter Biden that has not been proven to be “Russian” or “disinfo.”

The fact that Hunter Biden flew through Joint Base Andrews during the Obama administration more than twenty times–and to nearly 30 countries on 411 total trips, per Secret Service records–seems to contradict claims that Joe Biden made when he was running for president in 2019. “I have never spoken to my son about his overseas business dealings,” Biden said on the campaign trail in Iowa in the summer of 2019. “Here’s what I know. Trump should be investigated.”

Biden then added specific instructions for the establishment media–which dutifully obliged his not-so-subtle demand that the media instead investigate his opponent then-President Donald Trump instead of his son Hunter.

“You should be looking at Trump,” Biden told the media in Des Moines when he arrived at the annual Democrat fundraiser the Polk County Steak Fry. “He’s doing this because he knows I’ll beat him like a drum. And he’s using an abuse of power and every element of the presidency to try to smear me … Ask the right questions.”

After that, most of the establishment media followed Biden’s orders and completely ignored the hard evidence that proves the Biden narrative about Hunter Biden is untrue. Many questions remain unanswered about exactly where Hunter Biden was going, with whom he was meeting, why he was using an American military base for trips, what he was doing on these trips, and more. Those questions remain unanswered in large part because of the fact the establishment media have ignored, by and large, the Hunter Biden matter for years.

Nunes weighing in on the matter, though, is a sign that top Republicans have begun wising up to these facts about establishment media outlets. He was a critical figure in Congress during the Trump administration when it came to fighting back against fake narratives such as the Russia collusion hoax claims, and later the push to impeach Trump the first time over his call with Ukraine’s president—which was, of course, a central point in the whole Hunter Biden narrative given that it was all about corruption concerns with the now-president’s son and shady business dealings in the eastern European nation.

 

CNA Financial reportedly paid $40 million due to Ransomware Demand

CNA is the seventh largest commercial insurer in the United States as of 2018. CNA provides property and casualty insurance products and services for businesses and professionals in the U.S., Canada, Europe and Asia.

CNA itself is 90% owned by a holding company, Loews Corporation. This holding company also has interests in offshore oil and gas drilling rigs, natural gas transmission pipelines, oil and gas exploration, hotel operations and package manufacturing.

CNA Financial, one of the largest US insurance companies, paid $40 million to free itself from a ransomware attack that occurred in March, according to a report from Bloomberg. The hackers reportedly demanded $60 million when negotiations started about a week after some of CNA’s systems were encrypted, and the insurance company paid the lower sum a week later.

If the $40 million figure is accurate, CNA’s payout would rank as one of the highest ransomware payouts that we know about, though that’s not for lack of trying by hackers: both Apple and Acer had data that was compromised in separate $50 million ransomware demands earlier this year. It also seems like the hackers are looking for bigger payouts: just this week we saw reports that Colonial Pipeline paid a $4.4 million ransom to hackers. While that number isn’t as staggering as the demands made to CNA, it’s still much higher than the estimated average enterprise ransomware demand in 2020.

Law enforcement agencies recommend against paying ransoms, saying that payouts will encourage hackers to keep asking for higher and higher sums. For its part, CNA told Bloomberg that it wouldn’t comment on the ransom, but that it had “followed all laws, regulations, and published guidance, including OFAC’s 2020 ransomware guidance, in its handling of this matter.” In an update from May 12, CNA says that it believes its policyholders’ data were unaffected.

According to Bloomberg, the ransomware that locked CNA’s systems was Phoenix Locker, a derivative of another piece of malware called Hades. Hades was allegedly created by a Russian group with the Mr. Robot-esque name Evil Corp.

***

Ransomware Attack Payment

Ransomware attack payments are rarely disclosed. According to Palo Alto Networks, the average payment in 2020 was $312,493, and it is a 171% increase from the payments that companies made in 2019.

The $40 million payment made by CNA Financial is bigger than any previously disclosed payments to hackers, The Verge reported.

Disclosure of the payment is likely to draw the ire of lawmakers and regulators that are already unhappy that companies from the United States are making large payouts to criminal hackers who, over the last year, have targeted hospitals, drug makers, police forces, and other entities that are critical to public safety.

The FBI discourages organizations from paying ransom because it encourages additional attacks and does not guarantee that data will be returned.

Ransomware is a type of malware that encrypts the data of the victim. Cybercriminals using ransomware usually steal the data too. The hackers, then, ask for a payment to unlock the files and promise not to leak stolen data. In recent years, hackers have been targeting victims with cyber insurance policies and huge volumes of sensitive consumer data that make them more likely to pay a ransom.

Last year was a banner year for ransomware groups, with security experts and law enforcement agencies estimating that victims paid about $350 million in ransom. The cybercriminals took advantage of the pandemic, a time when hospitals, medical companies, and insurance companies were the busiest.

As per Bloomberg’s report, CNA Financial initially ignored the hackers’ demands while pursuing options to recover their files without engaging with the criminals. However, within a week, the company decided to start negotiations with the hackers, who were demanding $60 million.

Payment was made a week later. source

Source

The ransomware cyberattack interrupted the company’s employee and customer services for three days as the firm closed down “out of an abundance of caution” to prevent further damage. Certain CNA systems were impacted, including corporate email.

At Least 18 Scientists Demand Lab Leak Investigation on Covid

Primer: Who is Dr. Ralph Baric and what is his role in the Wuhan lab?

This page lists documents in Professor Ralph Baric’s emails, which U.S. Right to Know obtained via a public records request. Dr. Baric is a coronavirus expert at the University of North Carolina, Chapel Hill (UNC). He has developed genetic techniques to enhance the pandemic potential of existing bat coronaviruses in collaboration with Dr. Zhengli Shi at the Wuhan Institute of Virology and with EcoHealth Alliance.

The emails show internal discussions and an early draft of a key scientists’ letter about coronavirus origins, and shed some light on relationships between U.S. and Chinese experts in biodefense and infectious diseases, and the roles of organizations such as EcoHealth Alliance and National Academy of Sciences (NAS).

Please email anything of interest we may have missed to [email protected], so that we can include them below.

Items from Baric emails

  1. Tracy McNamara, Professor of Pathology at Western University of Health Sciences in Pomona, California wrote on March 25, 2020: “The Federal govt has spent over $1 billion dollars in support of the Global Health Security Agenda to help developing nations create the capacity to detect/report/respond to pandemic threats. An additional $200 million was spent on the PREDICT project via USAID looking for emerging viruses in bats, rats and monkeys overseas. And now the Global Virome Project wants $1.5 billion dollars to run around the world hunting down every virus on the face of the earth. They will probably get funding. But none of these programs have made taxpayers safer right here at home.” (emphasis in the original)
  2. Dr. Jonathan Epstein, Vice President for Science and Outreach at EcoHealth Alliance, sought guidance for a request from the U.S. Defense Advanced Research Projects Agency (DARPA) about communicating “potentially sensitive dual-use information” (March 2018).
  3. EcoHealth Alliance paid Dr. Baric an undisclosed sum as honorarium (January 2018).
  4. Invitation to U.S. National Academy of Sciences, Engineering and Medicine (NASEM) and the Chinese Academy of Agricultural Sciences (CAAS) U.S. China Dialogue and Workshop on the Challenges of Emerging Infections, Laboratory Safety, Global Health Security and Responsible Conduct in the Use of Gene Editing in Viral Infectious Disease Research, Harbin, China, Jan 8-10, 2019 (November 2018-January 2019). Preparatory emails and a travel memorandum indicate the identities of the American participants.
  5. NAS invitation to a meeting of U.S. and Chinese experts working to counter infectious disease and improve global health (November 2017). The meeting was convened by the NAS and the Galveston National Laboratory. It took place on January 16-18, 2018, in Galveston, Texas. A travel memorandum indicates the identities of the American participants. Subsequent emails show that the WIV’s Dr. Zhengli Shi is present at the meeting.
  6. On February 27, 2020, Baric wrote, “at this moment the most likely origins are bats, and I note that it is a mistake to assume that an intermediate host is needed.”
  7. On March 5, 2020, Baric wrote, “there is absolutely no evidence that this virus is bioengineered.”

For more information

A link to Professor Ralph Baric’s emails can be found here: Baric emails (~83,416 pages)

U.S. Right to Know is posting documents from our Biohazards investigation. See: FOI documents on origins of SARS-CoV-2, hazards of gain-of-function research and biosafety labs.

NR:

For well over a year, a certain clique of researchers tarred the idea that COVID-19 initially escaped from a laboratory in Wuhan as a conspiracy theory. Now, their grip on that narrative within the scientific community is loosening, as a growing chorus of experts calls for a closer look at this lab-leak hypothesis.

In a letter published this afternoon at Science, 18 scientists call for an investigation into the pandemic’s origins that does not discount the possibility of a lab leak. “Theories of accidental release from a lab and zoonotic spillover both remain viable,” they write. “Knowing how COVID-19 emerged is critical for informing global strategies to mitigate the risk of future outbreaks.”

These researchers include Dr. Ralph Baric, a leading coronavirus expert who has done research on bat coronaviruses with Dr. Shi Zhengli of the Wuhan Institute of Virology, and several other prominent virologists. They have joined the WHO director-general, top intelligence officials, and other U.S. government experts in asserting that such a leak remains a possible explanation, despite a joint WHO-China study’s findings that such a theory is “extremely unlikely.” Like the Biden administration and 13 other countries that signed onto a U.S.-led statement after the report’s release, they raise concerns about how the panel reached its findings. Their letter comes as members of Congress have started to ramp up their scrutiny of a potential lab-leak origin. Already, the scientists’ letter has caught the attention of lawmakers involved in COVID investigation efforts, with Representatives Cathy McMorris Rodgers, Brett Guthrie, and Morgan Griffith, saying in a statement, “We look forward to working with them and all who will follow the science in order to complete this investigation.”

Jamie Metzl, an adviser to the WHO and a senior fellow at the Atlantic Council, explained the letter’s significance on Twitter. “The chokehold on public consideration of an accidental lab incident as a possible #pandemic origin has just been broken. Following publication of the Science letter, it will be irresponsible for any scientific journal or news outlet to not fully represent this viable hypothesis.”

The Science letter finds the joint WHO-China report lacking and evaluates the likelihood of the different origin theories that the panel assessed: “Although there were no findings in clear support of either a natural spillover or a lab accident, the team assessed a zoonotic spillover from an intermediate host as ‘likely to very likely,’ and a laboratory incident as ‘extremely unlikely.’”

The authors of the letters add, “Furthermore, the two theories were not given balanced consideration. Only 4 of the 313 pages of the report and its annexes addressed the possibility of a laboratory accident.”

The letter doesn’t claim that the lab-leak hypothesis is more credible than the zoonotic origin theory. It’s notable, however, that a letter in a major scientific journal is putting these two theories on equal footing.

The Lancet, another journal, rejected a letter submitted by 14 biologists and geneticists in January arguing that “a lab origin cannot be formally discarded.”

Some figures associated with The Lancet have called the lab-leak scenario a conspiracy theory, including Jeffrey Sachs, the chair of the medical journal’s COVID commission, and Peter Daszak, the chair of the commission’s sub-committee on COVID’s origins. Daszak, whose nonprofit research group received hundreds of thousands of dollars from the National Institutes of Health for studies on bat coronaviruses at the Wuhan Institute of Virology, was a member of the joint WHO-China panel and has faced accusations that he failed to disclose potential conflicts of interest.

Richard Ebright, a Rutgers University chemical biology professor, told National Review last month that their efforts helped to create the false impression that there is a scientific consensus against the possibility of a lab-leak origin. “No such consensus existed then. No such consensus exists now,” he said.

This latest entry into the debate, in the pages of a preeminent scientific journal, shows that the ground is shifting away from a hollow narrative that has been all-too pervasive since the start of the pandemic.