Sobolev Igor - Fotolia

Russian state hackers attacking Covid-19 researchers

Kremlin-linked APT29 group, also known as Cozy Bear, is conducting a campaign against Covid-19 researchers around the world

The APT29 or Cozy Bear advanced persistent threat (APT) group is targeting organisations working on a vaccine for the Covid-19 coronavirus on behalf of its paymasters in the Russian intelligence services, according to a joint advisory issued by the National Cyber Security Centre (NCSC) and its Canadian and American counterparts.

The campaign of malicious activity is ongoing, said the NCSC, and is primarily targeting government agencies, diplomatic bodies, healthcare organisations, think-tanks, and the energy sector in pursuit of a variety of intellectual property.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said NCSC operations director Paul Chichester.

“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector,” he said.

“We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”

Foreign secretary Dominic Raab added: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic

“While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health,” he said. “The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”

Read more about Russian cyber activity

According to the NCSC, which has published a full assessment that can be downloaded here, Cozy Bear is using two varieties of custom malware, dubbed WellMess and WellMail.

It accesses its targets through a number of widespread vulnerabilities including the infamous CVE-2019-19781 Citrix exploit, as well as others in FortiGate, Pulse Secure and Zimbra products. Nation-state backed threat groups frequently use publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems.

It is also known to be using spear-phishing techniques in order to obtain authentication credentials to internet-facing login pages at its target organisations.

The NCSC said that Cozy Bear was likely to continue to target organisations involved in Covid-19 vaccine research and development as it seeks to answer additional intelligence questions relating to the pandemic.

Organisations on the frontlines of vaccine R&D are best advised to follow a number of basic steps to beef up their cyber security posture to give themselves the best chance of not falling victim to Russian attacks.

These include keeping all IT equipment, devices and networks up to date with the latest supported versions, applying patches frequently and using antivirus products and regular scans to guard against new malware variants; implementing multi-factor authentication to reduce the impact of password compromise; conducting regular training exercises with employees and giving them resources and support to report incidents without shame or punishment; and to establish security monitoring capabilities to collect useful data that will help analyse any intrusions. Full guidance on all these topics is available from the NCSC.

The NCSC’s disclosure comes hot on the heels of government claims that Russia also attempted to interfere in the 2019 UK General Election by leaking sensitive documents via the Reddit website. This comes ahead of the anticipated release next week of a long-delayed report on Russian interference in the UK’s domestic affairs, after prime minister Boris Johnson and his unelected, lockdown-breaking advisor Dominic Cummings failed in their attempt to install Chris Grayling as leader of the Intelligence and Security Committee.

Read more on Hackers and cybercrime prevention