UK Security Agencies Outline Cyber Attacks on COVID-19 Research
The United Kingdom's National Cyber Security Centre (NCSC) has accused Russian-backed hackers of trying to steal COVID-19 vaccine and treatment research from academic and pharmaceutical institutions around the world.
In addition, the United States and Canada also allege that the hacking group APT29, also known as Cozy Bear and said to be part of the Russian intelligence service, has been attacking academic and pharmaceutical research institutions involved in coronavirus vaccine development. The persistent and ongoing attacks have been interpreted as an effort to steal intellectual property, rather than to disrupt research.
Cozy Bear has been identified by the US as one of two Russian government-linked hacking groups that broke into the Democratic National Committee computer network and stole emails ahead of the 2016 presidential election. The other group is usually called Fancy Bear (APT28).
"We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic," NCSC Director of Operations Paul Chichester said in a statement. "APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic."
The NCSC said the group's attacks were continuing and used a variety of tools and techniques, including spear-phishing and custom malware. The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access.
This broad targeting potentially gives the group access to a large number of systems globally, many of which are unlikely to be of immediate intelligence value. The group may maintain a store of stolen credentials in order to access these systems in the event that they become more relevant to their requirements in the future.
In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations, and then deployed freely available public exploits against the vulnerable services identified.
The group also uses spear phishing to obtain authentication credentials to internet-accessible login pages for target organisations.
Upon gaining access to a system, the group likely drops further tooling and/or seeks to obtain legitimate credentials to the compromised systems in order to maintain persistent access. The actor is likely to use anonymising services when using the stolen credentials.
In some cases, APT29 also deploys custom malware known as WellMess or WellMail to conduct further operations on the victim’s system.
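The behaviours described above (external vulnerability scanning against an organisation's internet-facing addresses, followed by use of stolen credentials) leave traces in ordinary web-server and authentication logs. The following defensive triage script is an added example written for this page; it is not from the NCSC advisory, the article, or any vendor tool. It flags a source address that probes many distinct paths in a short window while mostly receiving 4xx responses, and a successful login for an account from a source address that account has never used before. All log lines, IP addresses, paths, usernames and thresholds are constructed sample data and assumptions.

```python
"""Added defensive triage example (not from the NCSC advisory or the article).

Two checks over constructed logs:
  1. scanning: one source IP requesting many distinct paths within a short
     window, mostly receiving 4xx responses;
  2. stolen-credential use: a successful login for an account from a source
     IP that account has never succeeded from before.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Apache/nginx-style access log (sample data, not real traffic).
ACCESS_LOG = """\
198.51.100.7 - - [16/Jul/2020:09:00:01 +0000] "GET /admin/ HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:02 +0000] "GET /login HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:02 +0000] "GET /vpn/ HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:03 +0000] "GET /portal/ HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:04 +0000] "GET /backup.zip HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:05 +0000] "GET /.git/config HTTP/1.1" 404 0
198.51.100.7 - - [16/Jul/2020:09:00:06 +0000] "GET /api/status HTTP/1.1" 200 512
203.0.113.9 - - [16/Jul/2020:09:01:00 +0000] "GET /index.html HTTP/1.1" 200 1024
203.0.113.9 - - [16/Jul/2020:09:05:00 +0000] "GET /research/ HTTP/1.1" 200 2048
"""

# Constructed login audit log for an internet-facing portal (sample data).
LOGIN_LOG = """\
2020-07-16T09:30:00Z user=alice src=203.0.113.9 result=success
2020-07-15T08:10:00Z user=alice src=203.0.113.9 result=success
2020-07-16T22:45:00Z user=alice src=192.0.2.44 result=success
2020-07-16T22:46:00Z user=bob src=198.51.100.200 result=failure
"""

ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+$'
)
LOGIN_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<ip>\S+) result=(?P<result>\S+)$'
)


def parse_access(log):
    """Parse access-log lines into (ip, timestamp, path, status) tuples."""
    records = []
    for line in log.splitlines():
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        records.append((m["ip"], ts, m["path"], int(m["status"])))
    return records


def find_scanners(records, window=timedelta(minutes=5), min_paths=5, min_error_ratio=0.6):
    """Return {ip: distinct_paths} for sources that hit at least `min_paths`
    distinct paths inside `window`, with at least `min_error_ratio` of those
    requests answered 4xx. Thresholds are assumptions; tune per environment."""
    by_ip = defaultdict(list)
    for ip, ts, path, status in records:
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()
        # Slide a window starting at each event from this source.
        for i, (start, _, _) in enumerate(events):
            in_win = [e for e in events[i:] if e[0] - start <= window]
            paths = {p for _, p, _ in in_win}
            errors = sum(1 for _, _, s in in_win if 400 <= s < 500)
            if len(paths) >= min_paths and errors / len(in_win) >= min_error_ratio:
                flagged[ip] = len(paths)
                break
    return flagged


def find_new_source_logins(log):
    """Return [(user, ip, ts)] for successful logins from a source IP the
    account has not previously succeeded from, in chronological order."""
    events = []
    for line in log.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append((m["ts"], m["user"], m["ip"], m["result"]))
    events.sort()  # ISO-8601 timestamps sort lexicographically
    seen = defaultdict(set)
    alerts = []
    for ts, user, ip, result in events:
        if result != "success":
            continue
        if seen[user] and ip not in seen[user]:
            alerts.append((user, ip, ts))
        seen[user].add(ip)
    return alerts


if __name__ == "__main__":
    print("scanning sources:", find_scanners(parse_access(ACCESS_LOG)))
    print("new-source logins:", find_new_source_logins(LOGIN_LOG))
```

The scanner check deliberately keys on breadth of distinct paths and error ratio rather than on any particular exploit path, so it generalises across whatever public exploits are in circulation; the login check is a simple first-seen baseline and should be paired with a known-proxy or VPN allow-list to reduce noise from legitimate remote users.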
Kremlin spokesperson Dmitry Peskov said Russia "has nothing to do" with the hacking attacks targeting organisations involved in coronavirus vaccine development, according to state-run news agency TASS. "We do not have information regarding who could have hacked pharmaceutical companies and research centres in the UK," Mr Peskov said. "We can say one thing — Russia has nothing to do with these attempts and we do not accept such accusations."