State-sponsored hackers are actively targeting organizations involved with the development of a COVID-19 vaccine.
According to the NCSC, the threat group APT29, which has been named 'Cozy Bear' and is believed to be associated with Russian intelligence, has been targeting UK, US and Canadian vaccine research and development organizations.
Paul Chichester, director of operations at the NCSC, condemned the attacks, calling them “despicable” and working against those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said. “We would urge organizations to familiarize themselves with the advice we have published to help defend their networks.”
APT29 typically conducts widespread scanning in an effort to obtain authentication credentials to access systems. “In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC reported. “The group then deployed public exploits against the vulnerable services identified.”
The NCSC’s advisory claimed the group uses a variety of tools and techniques, including spear-phishing and custom malware known as 'WellMess' and 'WellMail.' WellMess is lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods.
WellMail is a lightweight tool designed to run commands or scripts with the results being sent to a hardcoded Command and Control (C2) server. Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers.
The NCSC has been supported by partners at the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
John Hultquist, senior director of intelligence analysis for Mandiant Threat Intelligence, said it was no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure, as “COVID-19 is an existential threat to every government in the world.”
He said: “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg-up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”