UK Security Officials Expose Cozy Bear Russian State Hackers Targeting Coronavirus Research
According to security officials in the UK, Russian cyber actors have been targeting organizations that are involved in coronavirus (COVID-19) vaccine development. The National Cyber Security Centre (NCSC), which is part of GCHQ, published an advisory that detailed the activity of the Russian threat group known as APT29. The same group also goes by the name "The Dukes" or "Cozy Bear."
According to the security officials, the group is "almost certainly" operating as part of Russian intelligence services. The UK isn't alone in coming to these conclusions. It points out that partners at the Canadian Communications Security Establishment and the U.S. Department of Homeland Security, Cybersecurity and Infrastructure Security Agency, and the NSA all agree.
APT29 has been behind an ongoing campaign of malicious activity directed predominantly against government, diplomatic, think-tank, healthcare, and energy targets. Authorities say the goal of the malicious actors is to steal valuable intellectual property. The NCSC has condemned what it calls "despicable attacks" that are aimed at those fighting the coronavirus pandemic around the world.
The agency and its allies are committed to protecting critical assets, and the agency says that the top priority at this time is to protect the health sector. The agency published an assessment to help organizations defend their networks. APT groups have been targeting organizations involved in national and international COVID-19 responses. So far, known targets have included vaccine research and development organizations in the UK, US, and Canada.
The nefarious group of attackers has used a variety of tools and techniques to attack the organizations. The tools include spear-phishing and custom malware known as "WellMess" and "WellMail." This isn't the first time that Russian hackers have targeted organizations abroad. In late 2019, Russian hackers modified Chrome and Firefox in a sophisticated scheme to spy on web traffic.