A hacker group with ties to the Russian Intelligence Services attempted to steal information on COVID-19 vaccine development globally, including Canada, reported United Kingdom’s National Cyber Security Centre (NCSC) on Thursday.
APT29 had been targeting vaccine development efforts in Canada, U.S., and the U.K. in order to steal intelligence on the development and testing of the CVOID-19 vaccines. Both the U.K.’s NCSC and Canada’s Communication Security Establishment (CSE) believed that the attacker is an espionage group linked to the Russian Intelligence Services. The U.S. National Security Agency (NSA) agreed with their assessment.
“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” said Dominic Raab, U.K. Foreign Secretary, in a press release. “While others pursue their selfish interests with reckless behaviour, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health.”
The threat group used custom malware known as “WellMess” and “WellMail” to target vulnerable organizations globally.
Throughout 2020, the group used publicly available exploits to scan and attack vulnerabilities in enterprise tools. The stolen credentials were then stored for later attacks when the organizations they belonged to became interesting targets. Recently, the group narrowed its targets to specific external IP addresses and individuals.
Key exploits deployed by the attackers targeted vulnerabilities in tools by Citrix, Pulse Secure, Fortigate, Zimbra, and others. The group also executed phishing attacks against specific individuals. Once it breached the system, the attackers would attempt to establish persistent access using stolen credentials.
The group sometimes complemented their attacks with WellMess and WellMail, two known custom malware. WellMess is a malware designed to execute arbitrary shell commands, while WellMail ran scripts and extracted them to a computer-controlled by the attacker (called a command and control server) for retrieval.
“In the modern era, cyber-attacks have proven to be a very cost-effective way of obtaining information that may well be very difficult to get ahold of by other means,” wrote David Masson, director of enterprise security for Darktrace, in a statement. “Russia is also facing the effects of this global pandemic and will be seeking ‘help’ in order to deal with it now and in the future. Trying to gain an advantage in the fight against COVID-19 could well lead to theft of research from around the world in order to avoid otherwise necessary investment in time, money and effort (which may not be available)”
The Canadian Centre for Cyber Security (CCCS) noted that during the COVID-19 pandemic, state-sponsored attacks had zeroed in on collecting intelligence on foreign vaccine efforts. In April 2020, a foreign cyberattack infiltrated a Canadian biopharmaceutical company, likely looked to steal information. The World Health Organization (WHO) also linked two phishing campaigns that targeted its employees to state-sponsored attackers in March 2020. On March 31, a foreign attacker attempted to infiltrate a South Korean testing kit manufacture, although the attempt was ultimately thwarted.
Vulnerabilities used by ATP29 have been known for a long time, and in some instances already patched. Citrix, for example, had already patched the vulnerability used in this attack back in January. Although the risk could be reduced through proactive patching, Raj Samani, chief scientist for McAfee, highlighted some circumstances that could have hampered the patching process.
“Strong cyber hygiene requires patching systems,” said Samani. “Sometimes…you can’t necessarily bring systems down in order to be able to patch them. I think other instances could be that there might be some additional software applications that go over the top of it that may not work alongside with these particular factors.”
Although these extenuating details slow down the patching process, Samani stressed that security must be upheld to prevent attacked from multiple groups.
“The Citrix one has been known for some time to be exploited by other criminal gangs as well. So it’s not like this is the sole remit of just this particular group [APT29]. Actually, other groups also use the same approaches and methodologies,” he said.
Moreover, Samani said society as a whole need to view technology as a key component of a functional society and not to be siloed.
“Organizations should implement a risk management strategy,” Samani said. “In other words, what is the risk of us leaving this particular system online? Organizations–and people across the world–have to recognize that cyber not just about computer viruses and so forth. It’s about the foundation of our society.”
The NCSC recommended organizations to protect their data by doing the following:
- Promptly installing security patches.
- Use multi-factor authentication.
- Train employees to recognize signs of phishing and social engineering.
- Set up security monitoring capability
- Prevent lateral movement within the organization’s networks.
