

Russian hackers after coronavirus vaccine

Coronavirus vaccine development is a target of Russian hackers, according to the UK's National Cyber Security Centre (NCSC). It has published an advisory on the activity of the threat group known as APT29, which has gone after government, diplomatic, think-tank, healthcare and energy targets globally.

The NCSC assesses that APT29, also known as “the Dukes” or “Cozy Bear”, almost certainly operates as part of the Russian intelligence services. This assessment is supported by the Canadian Communications Security Establishment (CSE), the United States Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

NCSC Director of Operations, Paul Chichester, said: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic. Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”

For the full advisory visit the NCSC website.

Foreign Secretary Dominic Raab said: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”


Dr Duncan Hodges, Senior Lecturer in Cyberspace Operations at Cranfield University, said: “This is textbook activity that you would expect to see from the Cozy Bear group at this time and is typical of their approach to intelligence gathering. The difference between other nation states and Russia, is that they are typically less concerned about the theft being attributed to them, meaning their appetite for risk is much higher.

“They are using the tools, techniques and procedures that have been highly successful in the past for this advanced and persistent threat.” He said that the Cozy Bear group of hackers has historically had significant success using techniques such as spear-phishing and exploiting vulnerabilities in corporate IT infrastructure – all highlighted in the NCSC’s advisory.

“I’d be incredibly surprised if Russia hadn’t had some success in these attacks. The reason they keep on using these tools and techniques is because they are incredibly successful in carrying them out, with successful high profile attacks on US Non-Governmental Organisations, political parties and a number of Government departments around the world.

“At a time when people’s attention is rightly focused on developing a life-saving vaccine, cyber-security tends to take a lower priority for individuals, who overlook their basic security practices. This increase in vulnerability is what Russia thrives on to conduct its information operations.

“As long as Russia keeps having success with these methods and continues to be unafraid of being caught, these attacks will keep on coming.”

John Hultquist, Senior Director of Intelligence Analysis for Mandiant Threat Intelligence said: “COVID-19 is an existential threat to every government in the world, so it’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure. The organisations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Tony Cole, CTO at Attivo Networks, said that APT29 has been compromising systems for over a decade. “The pandemic has given them a new and additional target to steal research to meet Russian intelligence initiatives. It’s unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials. Organisations must step up their efforts to counter adversaries targeting them. Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks, however you must detect them quickly when they do get through your defences.”

Tim Callan, Senior Fellow at Sectigo, said: “Once again, we see that social engineering and spoofed identity play key roles in these advanced attacks. To the degree that organisations can put in place mechanisms to truly identify actors, they can mitigate the effectiveness of such hostile attacks as these.”

David Emm, Principal Security Researcher at Kaspersky said: “For the last few months, Kaspersky’s Global Research and Analysis Team (GReAT) has been actively tracking new command and control (C2) servers associated with the piece of malware used in this attack, which is commonly referred to as WellMess. WellMess was initially documented by JPCERT in July 2018, but has been sporadically active since then. Beginning in March 2020, we noticed an increase in C2 servers, indicating a potential new wave of activity. We have, so far, not observed any infrastructure overlap, code overlap in the malware, or other tactics, techniques, and procedures unique to a specific threat actor, suggesting WellMess is wholly unique.

“We have documented attacks using this malware on various companies and government institutions in the Middle East and North Africa, as well as a case in Europe related to an IT company. On July 22, as part of Kaspersky’s series of expert talks, GReAT will be giving an in-depth presentation on the WellMess malware. For those who wish to attend, they can register here:”

