On July 16, the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), with the United States’ National Security Agency (NSA) in agreement, published a report titled: “Advisory: APT29 targets COVID-19 vaccine development.” The report provided details of Tactics, Techniques and Procedures (TTPs) recently used by a cyber espionage group known as APT29, “the Dukes” or “Cozy Bear”. The United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) endorsed the technical detail and mitigation advice provided in the report.
According to a press release associated with the report, “NCSC are almost certain (95%+) that APT29 are part of the Russian Intelligence Services” and “NCSC assess it is highly likely (80 – 90%) that [APT29’s] activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.”
The report explained that APT29 primarily targets “governmental, diplomatic, think-tank, healthcare and energy targets” using a variety of tools and techniques. In recent months, the group has targeted “organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom” with the apparent intention of stealing intellectual property and other information related to the development and testing of COVID-19 vaccines.
APT29 uses publicly available exploits, i.e. software programs developed to attack an asset by taking advantage of a vulnerability, “to conduct widespread scanning and exploitation against vulnerable systems” in order to steal authentication credentials. In targeting COVID-19 vaccine research and development, APT29 conducts basic vulnerability scanning against specific external IP addresses owned by the targeted organizations and then deploys public exploits against any vulnerable services that have been identified. The report also noted that APT29 uses spear-phishing to obtain authentication credentials for internet-accessible login pages of target organizations. Upon gaining access to a target organization’s system, the group seeks to obtain legitimate credentials in order to maintain persistent access to that system. The group also uses custom malware, such as WellMess and WellMail, to conduct operations on the target organization’s system.
The report also set forth several mitigation strategies to help organizations defend against APT29 campaigns. The mitigation strategies included:
- keeping devices and networks up to date by using the latest versions, applying security patches, and using anti-virus software and scans,
- using multi-factor authentication to protect passwords,
- reporting suspicious phishing emails within organizations,
- setting up security monitoring capability to collect data that can be used to analyze network intrusions, and
- preventing and detecting lateral movement (activity by an attacker to “broaden and cement” an initial foothold within an organization, while gaining further access to valuable data or systems) within the organization’s networks.