
Russian Hackers Target COVID-19 Vaccine Developers with Cyberattacks

A UK NCSC advisory, supported by the NSA, warns that the Russian hacking group known as APT29 is targeting healthcare, pharmaceutical, and COVID-19 vaccine developers with cyberattacks to steal data.

Russian hackers are targeting the healthcare, pharmaceutical, and academic research sectors, along with other vaccine developers, with cyberattacks designed to steal information related to coronavirus research, according to the UK National Cyber Security Centre.

The advisory received support from the US National Security Agency, the Department of Homeland Security Cybersecurity and Infrastructure Security Agency, and Canada’s Communication Security Establishment. 

The agencies agreed that the hacking group known as APT29, or Cozy Bear, is likely tied to Russian intelligence services. APT29's current campaign is actively and predominantly directed at government, think-tank, diplomatic, and energy organizations in order to steal valuable data.

APT29 is also using two custom malware variants, called WellMess and WellMail, to target these organizations; neither had previously been publicly tied to the group.

WellMail is a lightweight tool designed to run commands or scripts, before sending results to a hard-coded Command and Control (C2) server, while WellMess can execute arbitrary shell commands and upload and download files. The malware supports HTTP, TLS, and DNS communication methods. 

CISA also shared insights into the key malware variants used in these attacks. 

Throughout the COVID-19 pandemic, officials explained, APT29 has targeted a range of entities working on vaccine development in the US, Canada, and the UK.

Using publicly available exploits, the group conducts widespread scanning and exploitation of vulnerable systems, likely to obtain credentials and gain further access. Officials explained that the group is also running spear-phishing campaigns to steal login credentials for internet-accessible login pages.

In the latest campaign against vaccine developers, APT29 conducted basic vulnerability scanning against specific external IP addresses of the targeted entities before deploying public exploits against identified, vulnerable services. 

“This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value,” officials wrote. “The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future.” 

“The group likely seeks to take full advantage of a variety of new exploits when publicized,” they added. 

Some of those successful exploits included targeted attacks on Pulse Secure Virtual Private Networks (VPNs) and certain Citrix servers, both of which DHS CISA had urged organizations to patch in the past few months. In April, CISA also warned that even patched VPNs were being successfully compromised by hackers.

The activity will likely continue throughout the pandemic, and all related entities are urged to consult the NCSC advisory for the indicators of compromise associated with these attacks.

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” NCSC Director of Operations, Paul Chichester, said in a statement. “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.” 

“We would urge organizations to familiarize themselves with the advice we have published to help defend their networks,” he added. 

Administrators should ensure devices and networks are running the most up-to-date software versions, including promptly applying patches, using anti-virus, and regularly scanning to protect against known malware threats.

Two-factor or multi-factor authentication should be implemented on applicable endpoints to reduce the impact of compromised credentials, while the workforce should be treated as the first line of defense. Notably, a recent report showed more than 15 billion compromised credentials are up for sale on the dark web, which can be used in these types of attacks.

Lastly, organizations need to establish a security monitoring capability to collect data needed to analyze network intrusions and review NCSC guidance on how to prevent and detect lateral movement in the enterprise network. 
