Russia-backed APT29 targeting firms engaged in coronavirus vaccine research

The National Cyber Security Centre today red-flagged Russia-back hacker group APT29 for targeting organisations involved in coronavirus vaccine development with spear-phishing attacks and malware infections.

In an advisory published today, the cyber security watchdog said it has observed malicious activity being carried out by APT29, also known as “the Dukes” or “Cozy Bear”, targeting organisations in the U.S., the UK, and Canada that are involved in coronavirus vaccine development.

According to NCSC, APT29 almost certainly operates as part of Russian intelligence services and its primary mission is to carry out malicious campaigns against government, diplomatic, think-tank, healthcare, and energy targets to steal valuable intellectual property.

Since early 2020, APT29 has been focussing on targeting organisations involved in coronavirus vaccine research and development in order to access intellectual property related to the development and testing of COVID-19 vaccines.

In order to steal information related to coronavirus vaccine development, APT29 is carrying out spear-phishing attacks and is also using custom malware known as 'Sorefang', ‘WellMess’, and ‘WellMail’ to target a number of organisations globally. This assessment is also shared by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) and Canada’s Communications Security Establishment (CSE).

APT29 used VPN-targeting malware to attack research organisations

Sorefang is a trojan malware that replaces the Sangfor VPN software distributed to VPN clients. Similar malware was recently used by the DarkHotel hacker group to hijack over 200 Sangfor VPN servers in China.

According to Chinese cyber security firm Qihoo 360, DarkHotel hackers exploited a security vulnerability and gained control over Sangfor VPN servers and replaced a file named SangforUD.exe with a boobytrapped version. When employees connected to the hacked Sangfor VPN servers, their desktop client was automatically updated and received the boobytrapped SangforUD.exe file. This later installed a backdoor trojan on their devices.

While Wellmess allows a remote operator to establish encrypted command and control (C2) sessions and to securely pass and execute scripts on an infected system, Wellmail provides remote operator encrypted C2 sessions and the ability to dynamically run executable scripts on infected systems.

Based on NCSC's assessment about APT29, Foreign Secretary Dominic Raab issued a statement today, terming malicious activity being carried out by the Russia-backed hacker group as "reckless behaviour".

"It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account," he said.

Paul Chichester, NCSC's Director of Operations, said that NCSC condemns these despicable attacks against those doing vital work to combat the coronavirus pandemic and that it is committed to protecting the UK's most critical assets, particularly the health sector.

Commenting on the NCSC's latest advisory, Tony Cole, CTO at Attivo Networks, said that it is unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials.

"Organisations must step up their efforts to counter adversaries targeting them. Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks however you must detect them quickly when they do get through your defenses," he added.

Information on coronavirus vaccine development will be priceless for Russia

According to Sam Curry, chief security officer at Cybereason, a major reason for the targeting of organisations engaged in coronavirus vaccine research is that there is a strong incentive for any nation that becomes the first to come up with a proven vaccine for the virus that has caused mayhem around the world.

"A vaccine for COVID is a strategically valuable (maybe crucial) asset: whoever gets a vaccine first has an economic advantage. It’s the ultimate IP with immediate value. Having a 6 month lead on “re-opening” the world, let alone longer, could have a lasting balance of power impact. It’s like having an oil rush, a data advantage or territorial gain in older real political terms.

"At the very least, there is the potential for trade, diplomacy, military and strategic advantage. It's extremely hard to put a real value on what it would mean for a nation state to get their hands on the vaccine data and research findings when it appears it could be only a matter of months before a vaccine is available and that vaccine could save hundreds of thousands of lives and help countries resume full economic activity," he said.

"It’s not a question of if hacking will be done, but rather when it will. The surprising thing is that only Russia has surfaced so far targeting the most advanced scientific countries in the world. Even if you’re good at science, this is a cheap insurance policy to maintain a seat at the table for the game of nations. And shame on Russia and any nation-state continuing to engage in this activity. You would hope criminals could be brought to justice in these matters, but that is a fantasy in today's global cybercrime ecosystem," he added.

MORE ABOUT: