Coronavirus: Russian Hackers Attack Vaccine Researchers


British and Western intelligence services are warning that Russia’s APT29 hacking group is targeting Covid-19 vaccine researchers

The British government and its allies have warned today that hackers linked to the Russian government are targeting researchers developing a Covid-19 vaccine.

The National Cyber Security Centre (NCSC), which is a part of GCHQ, published an advisory in which it detailed the activity of APT29 – a well-known hacking group.

APT29 (also known as Cozy Bear) is said to be a Russian hacker group associated with Russian intelligence. It is also said to be affiliated to APT28 (also known as Fancy Bear or Strontium), which is associated with the Russian military intelligence agency (GRU).


APT29 Campaign

“The NCSC assesses that APT29, also named ‘the Dukes’ or ‘Cozy Bear’ almost certainly operate as part of Russian intelligence services,” said the agency.

It said its assessment is supported by key allies including the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

It warned that “APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property.”

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” said NCSC director of operations, Paul Chichester. “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.”

“We would urge organisations to familiarise themselves with the advice we have published to help defend their networks,” said Chichester.

Known targets of APT29 include UK, US and Canadian vaccine research and development organisations.

Pandemic attacks

This is not the first time that outside hackers have sought to use the global Coronavirus pandemic to carry out attacks.

In April both the NCSC and the US CISA warned that state-backed hackers and online criminals were exploiting the Coronavirus pandemic to carry out attacks.

And then in May the FBI and the Department of Homeland Security warned that ‘China-linked hackers’ were trying to break into American organisations carrying out research into Covid-19.

This followed a joint advisory from the UK’s NCSC and the US Cybersecurity and Infrastructure Security Agency (CISA), which warned they had detected more UK government branded scams relating to Covid-19 than any other subject.

The UK is widely regarded as having the best chance of producing a viable working vaccine for Covid-19, thanks to the efforts of researchers and scientists at both the Jenner Institute in Oxford (which started its promising trial last month) and another team at Imperial College London.

This research being produced by UK scientists is hugely important and potentially valuable. This has prompted the repeated warnings from UK and US authorities.

Russian intelligence

And APT29 is a credible foe according to security experts.

“APT29 has been successfully compromising systems now for over a decade across the globe,” explained Tony Cole, CTO at Attivo Networks. “The pandemic has given them a new and additional target to steal research to meet Russian Intelligence initiatives.”

“It’s unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials,” said Cole.

“Organisations must step up their efforts to counter adversaries targeting them,” he cautioned. “Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks however you must detect them quickly when they do get through your defenses.”

No surprise

Another expert warned that this trend of attacks against Covid-19 researchers is likely to continue for the rest of 2020.

“For those involved in cyber, it’s no surprise to see organisations conducting research into a Covid-19 vaccine being targeted by cyber attacks,” said David Higgins, EMEA technical director at CyberArk.

“Since March, both the NCSC and the World Health Organisation (WHO) have advised of criminals using the pandemic to target employees in both the public and private sector through coordinated phishing and spear-phishing attacks,” said Higgins.

“It’s a trend that’s likely to continue throughout the year,” he warned. “Nation-state attackers are particularly adept at combining existing, unsophisticated, yet proven, tactics with new techniques to exfiltrate IP, as opposed to just targeting PII or other sensitive data. Their motive is often to gain competitive advantage, whether by destabilisation, experimentation, information wars, or policy influence, as is possible in this case.”

“Attack characteristics of these nation states will probably involve the exploitation of known vulnerabilities, also using existing malware to harvest credentials and data in an attempt to disguise the attack source i.e. to pass themselves off as cyber criminals,” said Higgins.

“Another point to note is that nation states, just like less well-funded attackers, will often revert to the path of least resistance: the attacks that the NCSC are reporting bear all the hallmarks of a multitude of previous attempts that have affected the private and public sector,” he concluded. “That is to say, exploiting people or a known vulnerability, then seeking to use valid credentials to access the systems or data they are targeting.”

Election meddling

Meanwhile another security expert pointed to the fact that the Russian hacking came on the same day the British government revealed that Russian hackers had attempted to meddle in British elections.

“Attribution of cyber-crime with data from a single source is notoriously difficult; claims resulting from collaboration between multiple intelligence agencies should be taken seriously,” explained Andrew Tsonchev, Director of Technology at Darktrace.

“On the same day that attempted election meddling and efforts to steal Covid-19 vaccine research have been revealed, we can be in no doubt that the deliberate interference in the instruments of democracy, cyber warfare and the spread of misinformation are a real and worrying part of a complex threat landscape,” said Tsonchev.

“Nation-states may have been motivated to steal vaccine information to further their own research or by the more sinister goal of disrupting the country’s response to the pandemic,” Tsonchev added.

“Cozy Bear, or APT29, have been accused of hacking the Pentagon, the DNC in 2016 and the Norwegian government in 2017,” he said. “This latest campaign fits with their modus operandi of disruption, stealing intellectual property, and sowing distrust in democracy.

“Spear-phishing and custom malware are commonly used by the group,” said Tsonchev. “We are at the stage where groups like this are able to send malicious emails that are impossible for humans to distinguish from genuine communication. Many governments, research organisations and universities around the world have realised this and are embracing a radically different approach: using AI technology to combat phishing attacks before they reach the inbox.”

Spear phishing

Meanwhile another security expert warned of the similarities in tactics between financially-motivated attacks and cyber espionage like this – in that spear phishing techniques are commonly used.

“In the midst of the darkest parts of this crisis, cyber crime hasn’t abated,” said Ed Macnair, CEO of CensorNet. “Today’s announcement from the NCSC that Russian hacking groups have been targeting Covid-19 vaccine developers is not shocking but it is concerning.

“While the objective of this data breach is different to most financially-motivated attacks we see, the tactics the hackers are using are exactly the same,” said Macnair. “Once again, spear phishing techniques were employed to trick employees into handing over personal information that allowed them to take over accounts.”

“These targeted and personalised attacks are sophisticated and difficult to spot, especially in the strange circumstances we find ourselves in today, so organisations must do everything in their power to mitigate them with technology,” Macnair said.

“As always when combating phishing attacks, although it is important to educate employees on best practice so that they treat all suspicious emails with caution, organisations must take it upon themselves to protect employees from these email attacks in the first instance,” said Macnair. “Organisations need to use email security that combines algorithmic analysis, threat intelligence and executive name checking to efficiently protect themselves against these evolving attacks.”
