UK NCSC, Canadian CSE, and US CISA Issue Joint Warning About Russian APT29 Stealing COVID-19 Vaccine Research
The United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE) issued a joint bulletin concerning Russian cyber activity. The threat actors, tracked as APT29, are using custom malware to steal research associated with COVID-19 vaccine development. The advisory offers detection and mitigation advice for organizations targeted with APT29 malware.
Russian threat actors are targeting governmental, diplomatic, think-tank, healthcare and energy organizations in Canada, the United Kingdom, and the United States. The assumption is that the hackers want to steal intellectual property related to vaccine research.
The UK NCSC advisory attributes these attacks (with 95% certainty) to an Advanced Persistent Threat Group (APT29). NCSC is certain that APT29 is a nation-state hacking organization associated with Russian Intelligence Services. APT29 is also referred to as Cozy Bear, The Dukes, and Yttrium.
What are APT Groups?
Advanced Persistent Threat (APT) groups are hacking organizations that work at the behest of governments. APT groups steal sensitive data from other governments or major corporations for their sponsoring organizations. They may also steal money to fund other operations.
Russian Malware Used by APT29
WellMess malware and WellMail malware are being used in these cyber attacks. WellMess has been in use since 2018 and is a lightweight malware designed to execute arbitrary shell commands and to upload and download files. WellMail is a lightweight malware that runs commands or scripts. It tends to have the word “mail” in its file paths.
The hackers use spear phishing and exploits to gain persistence.
Example exploits include:
• CVE-2019-19781 Citrix
• CVE-2019-11510 Pulse Secure
• CVE-2018-13379 FortiGate
• CVE-2019-9670 Zimbra
Malware detection and mitigation
The following detection and mitigation advice can help organizations targeted with Russian custom malware from APT29.
- Keep devices up to date to protect your computers, phones, other hardware, and networks. Use the latest supported versions of software and firmware. Apply security patches promptly.
- Use antivirus software to protect devices. A reliable antivirus application can protect your devices and network against threat actors.
- Set up a security monitoring capability.
- Prevent and detect lateral movement across a network. When threat actors gain access to a device or network, they often try to move laterally across the network to infect more devices or obtain admin credentials.
The US National Security Agency (NSA) agrees with this attribution to Russian nation-state threat actors. The US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) endorses the bulletin.