As has been proven by the influx of Covid-19 related scams and phishing attempts, fraudsters are not above using the current crisis for their own gains.

However, it has now emerged that nation-state attackers are also concentrating their attacks on the pandemic, with reports that companies involved in the development of a Covid-19 vaccine have been targeted.

The UK National Cyber Security Centre (NCSC) has published an advisory warning that Russian threat group APT29, also known by aliases “the Dukes” and “Cozy Bear”, was behind an ongoing campaign targeting organisations involved in the development of a Covid-19 vaccine.

The NCSC said that the group “almost certainly” operates as part of Russian intelligence services.

This has been supported by the Canadian Communications Security Establishment (CSE), the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA).

“Covid-19 is an existential threat to every government in the world, so it’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure. The organisations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research,” said John Hultquist, Senior Director of Intelligence Analysis for Mandiant Threat Intelligence.

“We’ve also seen significant Covid-related targeting of governments that began as early as January.

“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection. Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”

Russian threat group targets organisations involved with Covid-19 vaccine development

The Russian threat group has mainly targeted government, diplomatic, think-tank, healthcare and energy organisations, attempting to steal intellectual property, particularly related to national and international Covid-19 response, which the NCSC said was “highly likely” to be an attempt to collect information on Covid-19 vaccine research or research into the virus itself.

The NCSC said that the group has used spearphishing to target UK, US and Canadian research organisations, and has distributed malware known as ‘WellMess’ and ‘WellMail’.

APT29 scanned specific external IP addresses owned by the organisations in question for vulnerabilities, in an attempt to obtain authentication credentials before using publicly available exploits.
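The initial-access behaviour described above, external hosts being probed for exposed services before any exploit is used, is visible in perimeter firewall logs long before a compromise. The following is an added example, not code from the NCSC advisory or from the article: it parses constructed firewall log lines (the line format, the owned address set `OWNED_EXTERNAL`, and the thresholds are assumptions) and flags any source that touches many distinct ports across several of the organisation's own public addresses within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not real data): timestamp, source, destination, port, action.
SAMPLE_LOG = """\
2020-07-16T09:00:01Z src=198.51.100.7 dst=203.0.113.10 dport=22 action=deny
2020-07-16T09:00:02Z src=198.51.100.7 dst=203.0.113.10 dport=443 action=allow
2020-07-16T09:00:03Z src=198.51.100.7 dst=203.0.113.10 dport=8443 action=deny
2020-07-16T09:00:04Z src=198.51.100.7 dst=203.0.113.11 dport=22 action=deny
2020-07-16T09:00:05Z src=198.51.100.7 dst=203.0.113.11 dport=445 action=deny
2020-07-16T09:00:06Z src=198.51.100.7 dst=203.0.113.12 dport=3389 action=deny
2020-07-16T09:00:07Z src=198.51.100.7 dst=203.0.113.12 dport=10000 action=deny
2020-07-16T09:05:00Z src=192.0.2.44 dst=203.0.113.10 dport=443 action=allow
2020-07-16T09:05:30Z src=192.0.2.44 dst=203.0.113.10 dport=443 action=allow
"""

# Assumed: the organisation's own externally reachable addresses (documentation ranges used here).
OWNED_EXTERNAL = {"203.0.113.10", "203.0.113.11", "203.0.113.12"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<port>\d+) action=(?P<action>\w+)$"
)


def parse_lines(text):
    """Yield (timestamp, src, dst, port) for every line matching the assumed log format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["dst"], int(m["port"])


def find_scanners(text, window=timedelta(minutes=10), min_ports=5, min_hosts=2):
    """Flag sources that, within `window`, hit >= min_ports distinct ports on >= min_hosts owned hosts."""
    events = defaultdict(list)
    for ts, src, dst, port in parse_lines(text):
        if dst in OWNED_EXTERNAL:          # only traffic aimed at our own public addresses
            events[src].append((ts, dst, port))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        for i, (start, _, _) in enumerate(evs):   # sliding window starting at each event
            in_win = [e for e in evs[i:] if e[0] - start <= window]
            hosts = {d for _, d, _ in in_win}
            ports = {p for _, _, p in in_win}
            if len(ports) >= min_ports and len(hosts) >= min_hosts:
                flagged[src] = {"hosts": len(hosts), "ports": len(ports)}
                break
    return flagged
```

Thresholds are deliberately conservative; tune `min_ports`, `min_hosts` and `window` against a baseline of legitimate traffic before alerting on the result.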

“APT29 has been successfully compromising systems now for over a decade across the globe. The pandemic has given them a new and additional target to steal research to meet Russian Intelligence initiatives,” said Tony Cole, CTO at Attivo Networks.

“It’s unfortunate that an actor such as APT29 with such sophisticated capabilities is still able to simply scan targets for existing known vulnerabilities and then compromise with little effort or use phishing emails to obtain their initial set of credentials. Organisations must step up their efforts to counter adversaries targeting them. Patching is an imperative that must be met. Instrumentation focused on detection and lateral movement inside the network perimeter and across all endpoints is another imperative since prevention often fails regardless of defensive spending. You can’t prevent all attacks however you must detect them quickly when they do get through your defenses.”

The NCSC has warned that the group will likely continue to target those working on Covid-19 vaccine research and therefore recommends that organisations protect devices and networks by keeping them up to date, using multi-factor authentication, educating staff on the threat of phishing emails, setting up a security monitoring capability and taking steps to prevent and detect lateral movement in their organisation’s networks.

Bill Conner, CEO of SonicWall believes that the sudden mass adoption of home working may have left organisations more vulnerable to attacks:

“At a time when remote working has rendered everyone more susceptible to social engineering, given the lack of the common ‘safety net’, businesses, higher education and governments — especially those in possession of vital research and information — must remain hyper-vigilant. Keeping in mind that IT teams are strained and security budgets are tight, businesses and organisations need a solution that offers easy, resource-saving centralised management.”
