Russian hackers have been targeting research into a novel coronavirus vaccine in Canada, the US, and the UK, according to a joint statement from the cybersecurity agencies of the three countries.
The suspected culprits are a group known as APT29 or CozyBear. APT stands for ‘Advanced Persistent Threat,’ while Russian hacking groups often refer to themselves as bears in honor of their country’s national symbol.
These are sophisticated threat actors aiming to steal intellectual property about COVID-19 vaccination research or associated sensitive data. At the present time, only Canada, the US, and the UK are thought to have been targeted.
Threat actors fall into distinct categories: hacktivists, who hack in order to advance a cause or bring about social change and tend to be poorly funded; state-sponsored groups, who form an unacknowledged part of a country’s cyber strategy; cybercriminals, who tend to be looking for financial gain; and cyber terrorists.
Russian threat actors are considered to be the ‘elite’ (or 1337 in hacker lingo) when it comes to ransomware and intellectual property theft. With links to the Russian state, CozyBear was likely trying to gain access to information that could give an edge in the race to find a vaccine.
The recent attack likely exploited known vulnerabilities in insecure, unpatched systems to breach the servers. The hackers probably combined technical attacks with social engineering tactics to discover where the networks could be compromised.
In the current situation, such attacks are not hard to carry out: with working from home now the standard and hospital systems under intense pressure, breaches and social engineering attacks are easier than ever.
“The current global pandemic has created an atmosphere that is almost tailor-made for threat actors and cybercriminals,” according to VC3 CEO Ryan Vestby. “It’s no surprise that groups like APT29 are taking advantage to gather data and impact the race to find a vaccine.”
Analysis carried out by Canada’s Communications Security Establishment (CSE) indicates that CozyBear used custom malware called WellMess, “a lightweight malware designed to execute arbitrary shell commands, upload and download files,” to extract data in the first instance and to gain access at vulnerable points.
The Canadian government has been aware of this as a potential risk since earlier this year and issued a directive on cyber threats during the COVID-19 pandemic in March 2020. This highlighted a number of specific risks, identified relevant patches and updates, and aimed to raise awareness, particularly amongst the medical community, of the increased risks and threats to health organizations from a cyber security perspective.
The CozyBear group themselves are not a new threat. They are best known for their intrusion into the Democratic National Committee during the 2016 US Presidential Election and have long pursued high-value targets across the US and Canada.
For us and our clients, even those not in the health sector, the COVID-19 situation also represents a period of heightened risk. As we can see from this recent attack, threat actors are always looking to take advantage of precarious situations, and when working practices change and organizations move to working remotely more frequently, vulnerabilities will appear.
The most important thing for VC3 and our clients is ‘know thy enemy.’ It is unlikely that we are going to be targets for CozyBear, but that doesn’t mean we should let down our guard. We are likely to be targeted by cybercriminals looking to take advantage as businesses come under unprecedented pressure and adapt to new ways of working.