Hackers likely working for Russian intelligence services have been attacking organizations involved in the research and development of a vaccine against the new coronavirus.

The activity is ongoing and is attributed to APT29, also tracked as Cozy Bear, The Dukes, and Yttrium. Targets are in the government, healthcare, diplomatic, think-tank, and energy sectors.

Spear phishing and exploits

A cybersecurity advisory published today by the UK's National Cyber Security Centre (NCSC) details that the adversary has been running these attacks throughout 2020 against entities in Canada, the UK, and the US.

“Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines” - UK’s National Cyber Security Centre

The report draws on information from multiple sources and is a joint effort of the NCSC, Canada's Communications Security Establishment (CSE), the US National Security Agency (NSA), and the Cybersecurity and Infrastructure Security Agency (CISA).

According to the advisory, Cozy Bear gains initial access through spear phishing that harvests credentials for internet-facing login pages, and by exploiting known, severe vulnerabilities in internet-facing remote-access and collaboration products: Citrix (CVE-2019-19781), Pulse Secure (CVE-2019-11510), FortiGate (CVE-2019-13379), and Zimbra Collaboration Suite (CVE-2019-9670). Patches exist for all four flaws.

Custom Cozy Bear malware

After gaining access to the network, Cozy Bear deploys a first-stage downloader known as SoreFang and the custom malware families WellMess and WellMail.

WellMess is written in Go (a .NET variant has also been reported) and is a lightweight implant that runs arbitrary shell commands and transfers files on Windows and Linux. It was first publicly reported by JPCERT/CC in July 2018 and, five months later, by Japanese cybersecurity company LAC.

WellMail got its name from the NCSC and is also written in Go. It is a lightweight tool that runs commands or scripts and sends the results to a hard-coded command-and-control server.

“WellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) '0102030406', and used the subjects 'C=Tunis, O=IT' and 'O=GMO GlobalSign, Inc' respectively. These certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications” - NCSC
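The certificate indicators quoted above are easy to operationalise because they live in fields every X.509 parser exposes. The following Go program is an added example written for this article, not code from the NCSC advisory or from the malware: it builds a matcher for the hard-coded SKI and the two subjects, and exercises it against self-signed certificates constructed here purely for the demo (the keys are freshly generated; only the subject and SKI values come from the advisory). It also flags a Country attribute that is not a two-letter ISO 3166 code, since "Tunis" is malformed on its own and that anomaly survives a change of strings.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Certificate indicators quoted from the NCSC advisory.
var (
	wellMessSKI     = []byte{0x01, 0x02, 0x03, 0x04, 0x06} // subjectKeyIdentifier "0102030406"
	wellMessSubject = "C=Tunis, O=IT"
	wellMailSubject = "O=GMO GlobalSign, Inc"
)

// subjectString renders the subject in the "C=..., O=..." form the advisory uses.
// Only the attributes the indicators depend on are included.
func subjectString(n pkix.Name) string {
	var parts []string
	for _, c := range n.Country {
		parts = append(parts, "C="+c)
	}
	for _, o := range n.Organization {
		parts = append(parts, "O="+o)
	}
	return strings.Join(parts, ", ")
}

// MatchCert reports whether cert carries any of the advisory's indicators and why.
// The SKI is checked on its own: a real CA never emits the 5-byte SKI 01 02 03 04 06,
// so it is the strongest single signal even when the subject differs.
func MatchCert(cert *x509.Certificate) (bool, string) {
	var reasons []string
	if bytes.Equal(cert.SubjectKeyId, wellMessSKI) {
		reasons = append(reasons, "hard-coded SKI "+hex.EncodeToString(cert.SubjectKeyId))
	}
	switch subj := subjectString(cert.Subject); subj {
	case wellMessSubject:
		reasons = append(reasons, "WellMess subject "+subj)
	case wellMailSubject:
		reasons = append(reasons, "WellMail subject "+subj)
	}
	// A Country attribute must be a two-letter ISO 3166 code; "Tunis" is not.
	for _, c := range cert.Subject.Country {
		if len(c) != 2 {
			reasons = append(reasons, "non-ISO country attribute "+c)
		}
	}
	return len(reasons) > 0, strings.Join(reasons, "; ")
}

// newSelfSigned builds a constructed self-signed certificate for the demo (hypothetical
// helper; nothing here is a real malware sample beyond the indicator values).
func newSelfSigned(subject pkix.Name, ski []byte) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		SubjectKeyId: ski,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	for _, s := range []struct {
		name string
		subj pkix.Name
		ski  []byte
	}{
		{"wellmess-like", pkix.Name{Country: []string{"Tunis"}, Organization: []string{"IT"}}, wellMessSKI},
		{"wellmail-like", pkix.Name{Organization: []string{"GMO GlobalSign, Inc"}}, wellMessSKI},
		{"benign", pkix.Name{Country: []string{"GB"}, Organization: []string{"Example Ltd"}}, []byte{0xde, 0xad, 0xbe, 0xef}},
	} {
		cert, err := newSelfSigned(s.subj, s.ski)
		if err != nil {
			panic(err)
		}
		ok, why := MatchCert(cert)
		fmt.Printf("%-14s match=%-5v %s\n", s.name, ok, why)
	}
}
```

To run this against real data, feed MatchCert the leaf returned by x509.ParseCertificate on a PEM-decoded certificate file or on the peer certificate from a TLS handshake. Treat a hit as a pivot, not a verdict: the advisory itself cautions that servers presenting the GlobalSign-styled subject may be used for functions other than WellMail communications, so confirm with the advisory's network and host indicators before acting.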

The full advisory (PDF) includes detection rules (YARA and Snort) and indicators of compromise (IOCs) that organizations can use to detect APT29 activity on their networks.
