US, UK, Canada: Russian Hackers Targeting COVID-19 Research
Officials Say Attackers Aim to Steal Vaccine Development Intellectual Property
Government officials in the U.S., U.K. and Canada issued a joint advisory Thursday warning that the Russian hacking group APT29 - also known as "Cozy Bear" and the "Dukes" - is targeting research organizations in those countries involved in COVID-19 vaccine development.
The advisory - issued by the U.S. National Security Agency and Cybersecurity and Infrastructure Security Agency, the U.K.'s National Cyber Security Center and Canada's Communications Security Establishment - said the APT29 cyber espionage group, "almost certainly part of the Russian intelligence services," is targeting research entities in the three nations "highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines."
The hacker group uses a variety of tools and techniques against government, diplomatic, think-tank, healthcare and energy targets for intelligence gain, the advisory notes.
"Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom ... using custom malware known as 'WellMess' and 'WellMail'," the advisory says. "WellMess and WellMail have not previously been publicly associated to APT29."
APT29 is one of two suspected Russian-linked cyber espionage organizations that targeted the Democratic National Committee in the run-up to the 2016 U.S. presidential election. In late 2019, researchers said the group was targeting embassies.
The hacker group frequently uses publicly available exploits to conduct widespread scanning and exploitation of vulnerable systems, likely in an effort to obtain authentication credentials to allow further access, the alert says.
"This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value," the advisory notes.
"The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future," the alert adds. "In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified."
Cozy Bear has been successful using recently published exploits to gain initial footholds, the advisory adds. Examples include:
- Citrix product vulnerabilities (CVE-2019-19781);
- VPN vulnerabilities in Pulse Secure (CVE-2019-11510) and Fortinet FortiGate (CVE-2018-13379);
- A vulnerability involving the mailboxd component in Synacor Zimbra Collaboration Suite (CVE-2019-9670).
"The group likely seeks to take full advantage of a variety of new exploits when publicized," the advisory adds. "The group also uses spear phishing to obtain authentication credentials to internet-accessible login pages for target organizations."
Upon gaining access to a system, "the group likely drops further tooling and/or seeks to obtain legitimate credentials to the compromised systems in order to maintain persistent access. The actor is likely to use anonymizing services when using the stolen credentials."
APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development as Russians seek to answer additional intelligence questions relating to the pandemic, the alert adds.
A variety of mitigations can help defend against the Cozy Bear campaign, the advisory points out. Those include:
- Protect devices and networks by keeping them up to date. Use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
- Use multifactor authentication to reduce the impact of password compromises.
- Educate staff to report suspected phishing emails and investigate their reports promptly and thoroughly.
- Set up a security monitoring capability to collect data that will be needed to analyze network intrusions.
- Prevent and detect lateral movement in the organization's networks.
"Anyone doing research that could advance therapies or a vaccine should consider themselves a target," says John Hultquist, senior director of analysis at Mandiant Threat Intelligence. "Pharmaceutical firms, biotech and academia are all being targeted. These actors are looking for anything useful they can use to advance their own research."
The new advisory "clearly demonstrates the value of patching early," he notes. "If you can't patch early, leverage this intel to get more resources." But in the meantime, organizations must be on guard, Hultquist adds. "Until this crisis is over, and the uncertainty and existential danger disappears, the hacking will continue."