The danger of cyber-attacks against medical research facilities during the COVID-19 pandemic has been widely discussed in recent months. Back in May, the UK’s National Cyber Security Centre (NCSC) and the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) warned of ongoing activity by APT groups against organizations involved in both national and international COVID-19 responses. These included healthcare bodies, pharmaceutical companies and research organizations.
It should probably therefore come as little surprise to read the NCSC’s advisory last week, which revealed that the threat group APT29 has been actively targeting UK, US and Canadian vaccine research and development organizations over the course of the crisis. APT29, also known as ‘Cozy Bear,’ is strongly linked with Russian intelligence agencies, and therefore these actions have been widely interpreted as an attempt by the Russian state to gather intelligence on the extensive work taking place to find a vaccine for COVID-19.
Speaking on Sky News’ Sophy Ridge program, UK Foreign Secretary Dominic Raab stated: “We’re absolutely confident that the Russian intelligence agencies were engaged in a cyber-attack on research and development efforts and organizations in this country and internationally with a view either to sabotage or to profit from the R&D that was taking place.”
Attack Methods Used by APT29
The May advisory from the NCSC, CISA and DHS warned of attempts to obtain user credentials for access to systems, including large-scale ‘password spraying’ campaigns, in which a small number of common passwords is tried against many accounts so that no single account trips a lockout threshold. According to the NCSC, such tactics are a major component of APT29’s strategy.
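Because a spray spreads a few guesses across many accounts, the per-account lockout counters that catch brute force never fire; the signal a defender has to look for is one source failing against many distinct usernames in a short window, and especially a success from that source afterwards. The following is an added example, not code from the article, the NCSC or any vendor named here; it assumes a constructed, syslog-like line format (`<ISO timestamp> auth_fail|auth_ok user=<name> src=<ip>`) and the sample log lines embedded below are made up for illustration.

```python
"""Password-spray detection over authentication logs (added example).

Assumed log format (constructed for this example, not a real product's):
    2020-07-16T09:00:01 auth_fail user=alice src=203.0.113.7
Spray signature: one source, MANY distinct accounts failing inside a window,
few attempts per account. A brute force (one account, many attempts) is a
different pattern and is deliberately not flagged here.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(r"^(\S+) auth_(fail|ok) user=(\S+) src=(\S+)$")

# Constructed sample: 203.0.113.7 sprays five accounts and then succeeds on
# a sixth; 198.51.100.2 brute-forces a single account; 192.0.2.9 is noise.
SAMPLE_LOG = [
    "2020-07-16T09:00:01 auth_fail user=alice src=203.0.113.7",
    "2020-07-16T09:00:09 auth_fail user=bob src=203.0.113.7",
    "2020-07-16T09:00:18 auth_fail user=carol src=203.0.113.7",
    "2020-07-16T09:00:27 auth_fail user=dave src=203.0.113.7",
    "2020-07-16T09:00:36 auth_fail user=erin src=203.0.113.7",
    "2020-07-16T09:00:45 auth_ok user=frank src=203.0.113.7",
    "2020-07-16T09:05:00 auth_fail user=alice src=198.51.100.2",
    "2020-07-16T09:05:05 auth_fail user=alice src=198.51.100.2",
    "2020-07-16T09:05:10 auth_fail user=alice src=198.51.100.2",
    "2020-07-16T09:05:15 auth_fail user=alice src=198.51.100.2",
    "2020-07-16T09:05:20 auth_fail user=alice src=198.51.100.2",
    "2020-07-16T12:00:00 auth_fail user=bob src=192.0.2.9",
]


def parse(lines):
    """Yield (timestamp, result, user, src) tuples; skip lines that do not match."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, result, user, src = m.groups()
            yield datetime.fromisoformat(ts), result, user.lower(), src


def detect_spray(lines, window=timedelta(minutes=30), min_users=5):
    """Return {src: sorted distinct usernames} for every source whose failed
    logins touch at least min_users distinct accounts within any sliding
    window of the given length."""
    fails = defaultdict(list)
    for ts, result, user, src in parse(lines):
        if result == "fail":
            fails[src].append((ts, user))

    flagged = {}
    for src, events in fails.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Advance the left edge until the window fits.
            while events[end][0] - events[start][0] > window:
                start += 1
            users = {u for _, u in events[start:end + 1]}
            if len(users) >= min_users:
                flagged[src] = sorted(users)
                break
    return flagged


def successes_after_spray(lines, **kwargs):
    """High-fidelity alert: successful logins from a source already flagged as
    spraying. Returns {src: sorted usernames that authenticated successfully}."""
    sprayers = detect_spray(lines, **kwargs)
    hits = defaultdict(set)
    for _, result, user, src in parse(lines):
        if result == "ok" and src in sprayers:
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}


if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_LOG).items():
        print(f"spray from {src}: {len(users)} accounts {users}")
    for src, users in successes_after_spray(SAMPLE_LOG).items():
        print(f"ALERT: {src} logged in as {users} after spraying")
```

The thresholds (30-minute window, five distinct accounts) are illustrative; in practice they are tuned against the organisation's normal failure rate, and the source key would usually be broadened to cover sprays that rotate through many IPs, for example by grouping on the client user-agent or on the target application as well.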
Bill Conner, cybersecurity expert and CEO of SonicWall, noted: “The Russian intelligence group suspected of deploying this attack has deployed malware strains to access research organizations’ systems, and social engineering attacks like phishing and spear-phishing to trick employees into handing over access credentials.”
More surprisingly, the NCSC also revealed the group’s use of the custom malware WellMess and WellMail, which it added “have not previously been publicly associated to APT29.” WellMess is lightweight malware designed to execute arbitrary shell commands and to upload and download files, while WellMail is a lightweight tool that runs commands or scripts and sends the results to a hardcoded command-and-control (C2) server.
The use of this malware against research facilities in the West is a worrying development, and a trend that governments and healthcare institutions need to prepare for. Adam Meyers, SVP of CrowdStrike Intelligence, said: “In the past, we’ve observed the use of WellMess and WellMail within East Asia.”
David Emm, principal security researcher at Kaspersky, added: “WellMess was initially documented by JPCERT in July 2018, but has been sporadically active since then. Beginning in March 2020, we noticed an increase in C2 servers, indicating a potential new wave of activity. We have, so far, not observed any infrastructure overlap, code overlap in the malware, or other tactics, techniques and procedures unique to a specific threat actor, suggesting WellMess is wholly unique.”
Taken together, these methods point to a sophisticated intelligence-gathering strategy. Matt Lock, technical director, UK at Varonis, explained: “The method of attack is absolutely in line with the kill chain – spear-phishing to drop a payload, malware used to run reconnaissance to find sensitive data, and then finally exfiltration by SSH, email, Web or DNS. They’re hoping to fly under the radar and avoid detection.”
Why Are Vaccine Developers Being Targeted?
While these particular threats have been repelled for the time being, it seems certain that more reconnaissance-type attacks by nation-state actors, well beyond Russia, will follow. Terry Greer-King, VP EMEA at SonicWall, noted: “While Russia was the first country to be placed in the spotlight, it is only a matter of time before another nation state resorts again to cybercrime to influence or control global healthcare during a time of great need. It is my hope that security agencies will remain vigilant and continue to successfully fend off attacks of this kind, to protect the global community.”
There are strong motivations for nation states to be involved in such attacks, primarily revolving around economic gains and the opportunity to gain influence on the world stage. Sam Curry, chief security officer at Cybereason, said: “A vaccine for COVID-19 is a strategically valuable (maybe crucial) asset: whoever gets a vaccine first has an economic advantage. It’s the ultimate IP with immediate value. Having a six-month lead on ‘re-opening’ the world, let alone longer, could have a lasting balance of power impact. It’s like having an oil rush, a data advantage or territorial gain in older real political terms. At the very least, there is the potential for trade, diplomacy, military and strategic advantage.”
Preparing to Protect Against Future Attacks
These attacks could not have come at a trickier time, with authorities and healthcare institutions heavily distracted by the devastating health, economic and social implications of the COVID-19 pandemic. In the rush to find a vaccine it is easy for cybersecurity to become an afterthought, but the NCSC advisory is a reminder that there is no room for complacency.
The way threat actors such as APT29 constantly adapt their methods makes it harder to ensure that cybersecurity systems and practices keep pace; the use of WellMess is a case in point. Greer-King explained: “Cyber-criminals today are evolving and developing their techniques. This has taken us to the birth of the ‘malware cocktail,’ in which hackers combine existing components of previous strains to create whole new malware, undetectable by traditional security measures.”
Helping staff in areas like research labs to avoid falling victim to credential-theft attempts such as phishing is critical; user awareness training, whilst vital, cannot guard against a simple lapse in concentration by under-pressure individuals. Tim Callan, senior fellow at Sectigo, said: “In the case of phishing and spear-phishing, signed email can play an important role in preventing social engineering-based breaches by providing a mechanism for informed users to confirm the identity of an email sender before acting on its contents and potentially putting vital information at risk.”
Clearly, organizations such as research facilities must review their systems, keep them as secure as possible and ensure that patches are applied promptly. Yet breaches can occur even with the best will in the world, so the ability to react quickly and effectively to a successful attack is critical.
Tony Cole, CTO at Attivo Networks, added: “Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks; however, you must detect them quickly when they do get through your defenses.”
Implications and Recriminations
The recent activities of APT29 are likely to heighten tensions between Russia and countries like the UK, but beyond rhetoric it is currently difficult to see what practical steps can be taken to obtain justice and prevent further attempts to access these systems.
It will always be difficult to trace the activities of threat actors like APT29 directly to governments, and any association is routinely dismissed. For instance, speaking on the BBC’s The Andrew Marr Show yesterday, the Russian ambassador to the UK, Andrei Kelin, strongly denied any involvement of the Russian state, saying: “I learned about their [the hackers] existence from the British media. In this world, to attribute any kind of computer-hackers to any country, it is impossible.”
Additionally, history indicates that the chances of finding and prosecuting individuals from threat actors like APT29 are extremely low. Curry added: “You would hope criminals could be brought to justice in these matters, but that is a fantasy in today’s global cybercrime ecosystem.”
For the time being at least, it appears health and governmental institutions must focus on their defensive strategies rather than try to take the fight to the perpetrators, ensuring they have systems and protocols in place to protect themselves from future threats. Tom Kellermann, head of cybersecurity strategy at Carbon Black, stated: “While attribution matters on a geopolitical scale, the primary focus for organizations, particularly in the West, should not be on who is launching these attacks and, rather, what can be done and what kind of security technology can be leveraged to see and stop these attacks before they can cause damage.”
Peter Yapp, a partner at law firm Schillings, added: “The best advice for any organisation is to get their own house in order, making sure there are no weaknesses internally, and then across their supply chain.”