As has been proven by the influx of Covid-19 related scams and phishing attempts, fraudsters are not above using the current crisis for their own gains.

However, it has now emerged that nation-state attackers are also concentrating their attacks on the pandemic, with reports that companies involved in the development of a Covid-19 vaccine have been targeted.

The UK National Cyber Security Centre (NCSC) has published an advisory warning that Russian threat group APT29, also known by aliases “the Dukes” and “Cozy Bear”, was behind an ongoing campaign targeting organisations involved in the development of a Covid-19 vaccine.

The NCSC said that the group “almost certainly” operates as part of Russian intelligence services.

This has been supported by the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

“Covid-19 is an existential threat to every government in the world, so it’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure. The organisations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research,” said John Hultquist, Senior Director of Intelligence Analysis for Mandiant Threat Intelligence.

“We’ve also seen significant Covid-related targeting of governments that began as early as January.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Russian threat group targets organisations involved with Covid-19 vaccine development

The Russian threat group has mainly targeted government, diplomatic, think-tank, healthcare and energy organisations, attempting to steal intellectual property, particularly related to national and international Covid-19 response, which the NCSC said was “highly likely” to be an attempt to collect information on Covid-19 vaccine research or research into the virus itself.

The NCSC said that the group has used spearphishing to target UK, US and Canadian research organisations, and has distributed malware known as ‘WellMess’ and ‘WellMail’.

APT29 scanned specific external IP addresses owned by the organisations in question for vulnerabilities, in an attempt to obtain authentication credentials before using publicly available exploits.

“APT29 has been successfully compromising systems now for over a decade across the globe. The pandemic has given them a new and additional target to steal research to meet Russian Intelligence initiatives” said Tony Cole, CTO at Attivo Networks.

The State of Technology This Week

“It’s unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials. Organisations must step up their efforts to counter adversaries targeting them. Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks however you must detect them quickly when they do get through your defenses.”

The NCSC has warned that the group will likely continue to target those working on Covid-19 vaccine research and therefore recommends that organisations protect devices and networks by keeping them up to date, use multi-factor authentication, educate staff on the threat of phishing emails set up a security monitoring capability and take steps to prevent and detect lateral movement in your organisation’s networks.

Bill Conner, CEO of SonicWall believes that the sudden mass adoption of home working may have left organisations more vulnerable to attacks:

“At a time when remote working has rendered everyone more susceptible to social engineering, given the lack of the common ‘safety net’, businesses, higher education and governments — especially those in possession of vital research and information — must remain hyper-vigilant. Keeping in mind that IT teams are strained and security budgets are tight, businesses and organisations need a solution that offers easy, resource-saving centralised management.”


Read more: Kaspersky: Covid-19 has created a “perfect storm” for cybercriminals.