A Russian cyber espionage group, code-named Cozy Bear, has been targeting organizations involved in the development of a vaccine for COVID-19 in the United Kingdom, Canada, and the United States, the top cybersecurity agencies of all three countries said in a joint notification issued Thursday.
The Russian group, also known as APT 29 or Advanced Persistent Threat 29, has been using custom malware code-named WellMess and WellMail to extract information from companies and institutions involved in vaccine development, the U.K.’s National Cyber Security Centre, Canada’s Communications Security Establishment, and the U.S. Cybersecurity and Infrastructure Security Agency said in an unusual joint advisory.
The findings and the results were also backed by the U.S. National Security Agency, according to the U.K. agency.
The joint U.K., U.S., and Canadian notice said that the Russian group “conducted basic vulnerability scanning against specific external IP addresses” operated by the target organizations. “The group then deployed public exploits against the vulnerable services identified.”
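The reconnaissance step the advisory describes, basic vulnerability scanning of an organization's external IP addresses before any exploit is attempted, is one of the few points at which a defender can spot this activity early. The following is an added illustration, not part of the advisory or of any vendor tooling: it parses constructed sample web-server access logs (Apache/nginx combined format) and flags source addresses that probe many distinct paths in a short window with a high not-found rate, the signature of an automated scanner. The thresholds and the sample lines are assumptions chosen for the example.

```python
"""Flag scanner-like probing of an external web service in access logs.

Added illustration only. The log lines and thresholds below are constructed
for this example; a defender would tune them to their own environment.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx combined log format: ip ident user [ts] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one address rapidly probing paths that do not exist
# (typical scanner noise), one ordinary user browsing the login flow.
SAMPLE_LOG = """\
203.0.113.7 - - [16/Jul/2020:09:00:01 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.7 - - [16/Jul/2020:09:00:02 +0000] "GET /admin/ HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:03 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:04 +0000] "GET /.git/config HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:05 +0000] "GET /cgi-bin/ HTTP/1.1" 404 153
203.0.113.7 - - [16/Jul/2020:09:00:06 +0000] "GET /manager/html HTTP/1.1" 404 153
198.51.100.23 - - [16/Jul/2020:09:05:10 +0000] "GET / HTTP/1.1" 200 2048
198.51.100.23 - - [16/Jul/2020:09:05:12 +0000] "GET /static/app.css HTTP/1.1" 200 901
198.51.100.23 - - [16/Jul/2020:09:05:30 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.23 - - [16/Jul/2020:09:05:45 +0000] "POST /login HTTP/1.1" 302 0
"""


def parse_log(text):
    """Return a list of (ip, timestamp, path, status) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"])))
    return events


def find_scanners(events, min_paths=5, window_seconds=120, min_404_ratio=0.6):
    """Flag source IPs that, within any window_seconds span, request at least
    min_paths distinct paths with a 404 share of at least min_404_ratio.
    Returns {ip: {"distinct_paths": n, "not_found_ratio": r}} for the widest
    qualifying window per IP (thresholds are assumptions for this example)."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in events:
        by_ip[ip].append((ts, path, status))

    findings = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        best = None
        start = 0
        for end in range(len(reqs)):
            # Slide the window start forward until it fits within window_seconds.
            while (reqs[end][0] - reqs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = reqs[start:end + 1]
            distinct = {path for _, path, _ in window}
            ratio = sum(1 for _, _, status in window if status == 404) / len(window)
            if len(distinct) >= min_paths and ratio >= min_404_ratio:
                if best is None or len(distinct) > best["distinct_paths"]:
                    best = {"distinct_paths": len(distinct),
                            "not_found_ratio": round(ratio, 2)}
        if best:
            findings[ip] = best
    return findings


if __name__ == "__main__":
    for ip, info in find_scanners(parse_log(SAMPLE_LOG)).items():
        print(f"possible scanner {ip}: {info}")
```

On the sample data only 203.0.113.7 is flagged; the ordinary user touches too few distinct paths and produces no 404s. In practice the same grouping runs over the logs of every internet-facing service (VPN gateways, mail front ends, firewall management interfaces), and a flagged address that later appears in successful authentication or file-transfer events is the sequence the advisory warns about.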
The cyber group is connected to the Russian Foreign Intelligence Service, also known as SVR, which typically engages in long-term espionage activities, according to researchers.
The group normally uses known vulnerabilities to break into systems and gain login credentials that it then stores for future use, the joint warning said.
Cybersecurity researchers have seen the malware WellMess and WellMail deployed before, some going back to 2018, but until today’s joint notice by the three countries, they had been unable to link it to a nation-state hacker, said Ben Read, senior manager for cyber espionage at cybersecurity firm FireEye’s intelligence unit.
FireEye has seen both malware families deployed against some of the security firm’s clients, including some whose work involves COVID-19 research, Read said.
The APT 29 group has been active for some time and was also involved in the 2016 U.S. elections, although much of the attention focused on another group, APT 28, code-named Fancy Bear, which also worked with Russian military intelligence and was responsible for leaking stolen emails from the Democratic National Committee, Read said.
In the case of the effort against vaccine research, the Russian hackers targeted remote access software such as Citrix and Pulse Secure, the Zimbra email collaboration platform, and FortiGate firewall software, according to the joint notice.
The hackers also used spear-phishing techniques to obtain credentials for the target organizations’ online login pages, the warning said.
Once the group gains access to a network, it deploys malware known as WellMess, which executes commands to upload or download files, the warning said. The hackers also use another malware known as WellMail, which runs remote software and sends the results to a command-and-control server operated by the hackers.
The joint notice said the Russian hackers were likely to continue to target companies involved in COVID-19 research and advised companies to patch their software, use multi-factor authentication for access, and use security monitoring capabilities to analyze network intrusions.