Russian Cyber Espionage Group Targets COVID-19 Vaccine Research and IP

By IPWatchdog
July 20, 2020

“The group has targeted ‘organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom’ with the apparent intention of stealing intellectual property and other information related to the development and testing of COVID-19 vaccines.”

On July 16, the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), with the United States’ National Security Agency (NSA) in agreement, published a report titled “Advisory: APT29 targets COVID-19 vaccine development.” The report provided details of Tactics, Techniques and Procedures (TTPs) recently used by a cyber espionage group known as APT29, “the Dukes” or “Cozy Bear”. The United States’ Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) endorsed the technical detail and mitigation advice provided in the report.

According to a press release associated with the report, “NCSC are almost certain (95%+) that APT29 are part of the Russian Intelligence Services” and “NCSC assess it is highly likely (80 – 90%) that [APT29’s] activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.”

The report explained that APT29 primarily targets “governmental, diplomatic, think-tank, healthcare and energy targets” using a variety of tools and techniques. In recent months, the group has targeted “organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom” with the apparent intention of stealing intellectual property and other information related to the development and testing of COVID-19 vaccines.

APT29 uses publicly available exploits, i.e. software programs developed to attack an asset by taking advantage of a vulnerability, “to conduct widespread scanning and exploitation against vulnerable systems” in order to steal authentication credentials. In targeting COVID-19 vaccine research and development, APT29 conducts basic vulnerability scanning against specific external IP addresses owned by the targeted organizations and then deploys public exploits against any vulnerable services that have been identified. The report also noted that APT29 uses spear-phishing to obtain authentication credentials for internet-accessible login pages of target organizations. Upon gaining access to a system of a target organization, the group seeks to obtain legitimate credentials in order to maintain persistent access to the system. The group also uses custom malware, such as WellMess and WellMail, to conduct operations on the target organization’s systems.

The report also set forth several mitigation strategies to help organizations defend against APT29 campaigns. The mitigation strategies included:

  1. keeping devices and networks up to date by using the latest versions, applying security patches, and using anti-virus software and scans,
  2. using multi-factor authentication to protect passwords,
  3. reporting suspicious phishing emails within organizations,
  4. setting up a security monitoring capability to collect data that can be used to analyze network intrusions, and
  5. preventing and detecting lateral movement (activity by an attacker to “broaden and cement” an initial foothold within an organization, while gaining further access to valuable data or systems) within the organization’s networks.
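Mitigations 2 and 4 above become concrete only once someone writes the rules that run over the collected data. The following is an added illustration, not code from the advisory or from any of the agencies named: a small detection pass over constructed log lines that (a) flags a source which requests many distinct paths on an internet-facing host within a short window, the kind of broad probing the report describes, and (b) flags a successful login that either comes from such a source or completed without MFA. The key=value log format, the thresholds, the documentation-range IP addresses and the paths are all assumptions chosen for the example; none of them is an APT29 indicator.

```python
"""Toy detection pass over constructed authentication/access log lines.

Added example for the monitoring and MFA mitigations listed above. The log
format, thresholds and sample values are assumptions, not indicators from
the advisory.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed 'timestamp key=value ...' format.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges, so no real
# host is named. Access lines carry method/path/status; auth lines carry
# event/user/result/mfa.
SAMPLE_LOG = """\
2020-07-10T09:15:02Z src=203.0.113.5 method=GET path=/owa/ status=404
2020-07-10T09:15:03Z src=203.0.113.5 method=GET path=/remote/ status=404
2020-07-10T09:15:04Z src=203.0.113.5 method=GET path=/admin/ status=404
2020-07-10T09:15:05Z src=203.0.113.5 method=GET path=/vpn/index.html status=200
2020-07-10T09:15:06Z src=203.0.113.5 method=GET path=/portal/ status=404
2020-07-10T09:40:11Z src=203.0.113.5 event=login user=jdoe result=success mfa=no
2020-07-10T10:02:30Z src=198.51.100.7 method=GET path=/vpn/index.html status=200
2020-07-10T10:02:45Z src=198.51.100.7 event=login user=asmith result=success mfa=yes
2020-07-10T11:12:00Z src=198.51.100.9 event=login user=bwong result=success mfa=no
"""

SCAN_DISTINCT_PATHS = 5              # assumed threshold for "probing"
SCAN_WINDOW = timedelta(seconds=60)  # assumed window for that threshold


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict; 'ts' is a datetime."""
    ts, *pairs = line.split()
    event = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for pair in pairs:
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def parse_log(text):
    """Parse every non-empty line of the log text."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def find_scanners(events, distinct_paths=SCAN_DISTINCT_PATHS, window=SCAN_WINDOW):
    """Map each source that hit >= distinct_paths different paths inside one
    window to the time its probing started."""
    by_src = defaultdict(list)
    for event in events:
        if "path" in event:
            by_src[event["src"]].append((event["ts"], event["path"]))
    scanners = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = {path for ts, path in hits[i:] if ts - start <= window}
            if len(seen) >= distinct_paths:
                scanners[src] = start
                break
    return scanners


def find_suspicious_logins(events, scanners):
    """Successful logins an analyst should review, each with the rules that fired."""
    findings = []
    for event in events:
        if event.get("event") != "login" or event.get("result") != "success":
            continue
        src = event["src"]
        reasons = []
        if src in scanners and scanners[src] <= event["ts"]:
            reasons.append("login from a source that probed this host earlier")
        if event.get("mfa") == "no":
            reasons.append("login completed without MFA")
        if reasons:
            findings.append((event["user"], src, reasons))
    return findings


def run(text=SAMPLE_LOG):
    """Run both rules over a log text; returns (scanners, findings)."""
    events = parse_log(text)
    scanners = find_scanners(events)
    return scanners, find_suspicious_logins(events, scanners)


if __name__ == "__main__":
    scanners, findings = run()
    for src, started in scanners.items():
        print(f"probing source {src} (from {started:%H:%M:%S})")
    for user, src, reasons in findings:
        print(f"review login user={user} src={src}: {'; '.join(reasons)}")
```

On the constructed sample, the first source is reported for probing and its later login for two reasons at once; the third login is reported only because it skipped MFA, and the second is clean. The point of chaining the two rules is that a successful login is far more interesting to an analyst when the same source was probing the perimeter minutes earlier, which is exactly the scan-then-credential sequence the advisory describes.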

The Author

IPWatchdog


Discuss this

There is currently 1 comment.

  1. Harvey Wharfield July 22, 2020 12:20 pm

    Interesting article…So, I showed it to my boss, Wes Kussmaul of The Authenticity Alliance, and expected a short email with some mild push back to the author…instead I got an illuminating and lengthy analysis. [The] “…July 20, 2020 IP Watchdog article entitled “Russian Cyber Espionage Group Targets COVID-19 Vaccine Research and IP” tells an old familiar story: valuable intellectual property is being stolen because of improper security where it is stored. The article is a summarization of a joint report entitled “Advisory: APT29 targets COVID-19 vaccine development.” by UK, Canada, and US government security agencies.
    “Since the story is old and familiar, one would think that at some point these august government agencies, filled with “security experts” would ask “Are security technology and procedures working at all?” To which the only rational answer is “No. Security is not working.”
    “Then the only valid advice on how to prevent these security breaches would be something other than “Keep using the same security measures and maybe it will work this time.”
    “But in fact here are the “several mitigation strategies to help organizations defend against APT29 campaigns:”
    “1. keeping devices and networks up to date by using the latest versions, applying security patches, and using anti-virus software and scans,
    “2. using multi-factor authentication to protect passwords,
    “3. reporting suspicious phishing emails within organizations,
    “4. set up security monitoring capability to collect data that can be used to analyze network intrusions, and
    “5. Preventing and detecting lateral movement (activity by an attacker to “broaden and cement” an initial foothold within an organization, while gaining further access to valuable data or systems) within the organization’s networks.
    “Do you see anything newer than 1990 in that advice?
    “I don’t.
    “Let’s face it, the world’s information infrastructure is broken.
    “Now, here’s the incredible part of that: governments know all about PKI identity certificates, and governments know all about the ratings that the various “LOA” or level of assurance systems assign to the identities represented by those certificates.
    “But instead of telling research labs “If you use PKI identity certificates of measurable reliability then most of these problems will simply go away,” they dispense the same advice that led MIT Technology Review to report in a 2005 cover story that “The Internet Is Broken.” And of course not only is the internet still broken 15 years later, information infrastructures away from the internet are still broken as well.
    “Face it, if you don’t know with a requisite level of certainty that the people in your network are who they say they are, then you might as well just forget about security because you have none.
    “I feel bad for the author of the article, whose job is just to tell us of this horribly deficient report without criticizing it. The article is just reporting facts. The grim facts around the negligence of multiple governments.” So, there you go…There is STILL a problem, but there is a solution. “…[knowing] that the people in your network are who they say they are, [and if you don’t] then you might as well just forget about security because you have none.” https://www.authenticityalliance.com/ Harvey Wharfield