Skip to content

Russia’s Latest Hacking Target: Covid-19 Vaccine Projects

The UK, US, and Canada have discovered hackers working on behalf of the Russian state launching attacks against coronavirus vaccine-development projects.


This story originally appeared on WIRED UK.

Criminals working for the hacking group Advanced Persistent Threat 29 (APT29), also known as Cozy Bear, have been caught attacking pharmaceutical businesses and academic institutions involved in vaccine development. Officials in the three countries believe these have been attempts to steal intellectual property and information about potential vaccine candidates.

The hackers used “custom malware” that’s not been previously linked to Russia and a number of publicly known vulnerabilities in widely used software, such as VPNs. These have been accompanied with spear-phishing attempts that have looked to gather login details to “internet-accessible” parts of the organizations targeted.

They’re so confident that the attacks are emanating from Russia that the UK’s National Cybersecurity Centre (NCSC), Canadian Communication Security Establishment, and various US security agencies, including the NSA and Department for Homeland Security, have decided to publicly call out APT29. The public shaming is the latest in an increasingly hostile approach to hacker groups working on behalf of Russia, and it comes at the same time as an admission from the UK government that Russia tried to influence the 2019 general election.

APT29 is widely believed to be linked to the Russian intelligence services and has been involved in many cyberattacks in recent years, including the hacking of the Democratic National Committee ahead of the 2016 US presidential election. On the US hacks, APT29 worked alongside fellow Russian hackers Fancy Bear and APT28.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” Paul Chichester the NCSC’s director of operations said in a statement. The NCSC also published an advisory notice detailing the efforts it had seen from APT29 in its attacks on vaccine projects. Officials have not commented on whether the attacks were successful but also have not ruled out that this is the case.

The advisory issued by the cybersecurity groups hints towards there being some success—even if this is just scoping out potential elements of organizations that are vulnerable to attack. “In recent attacks targeting Covid-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations,” the NCSC guidance states. “The group then deployed public exploits against the vulnerable services identified.”

The NCSC also states that APT29 has been “successful” in using publicly known vulnerabilities to “gain initial footholds” in the universities and businesses it has been attacking. The advisory lists a number of well-known vulnerabilities that APT29 looked to take advantage of. These include flaws within Citrix networking systems and VPNs. It is believed that once details of the vulnerabilities have been publicly disclosed, the state-backed actors have been quick to attempt to exploit them in an attempt to strike before security experts can implement fixes.

“Upon gaining access to a system, the group likely drops further tooling and/or seeks to obtain legitimate credentials to the compromised systems in order to maintain persistent access,” the NCSC says in its warning notice. “The actor is likely to use anonymizing services when using the stolen credentials.”

In some of the incidents seen by the NCSC and its US and Canadian counterparts, APT29 has deployed custom malware. They believe this to be the WellMess malware and a new version, called WellMail. The malware has been in use since at least 2018, the NCSC says. “WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS, and DNS communications methods,” the cybersecurity body says.

It’s not the first time during the pandemic that hackers have sought to gain advantage from the ongoing health crisis. There has been an increase in attacks against businesses as employees have moved to work from home, with hospitals and other medical organizations also targeted.

The APT29 attacks against vaccine groups are continuing, the NCSC says. It’s advisory concludes by saying: “APT29 is likely to continue to target organizations involved in Covid-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic.”

This story originally appeared on WIRED UK.

More Great WIRED Stories