Russian hacker group attacked organizations involved in COVID-19 vaccine development

Ottawa (July 17, 2020) – The Canadian Communications Security Establishment (CSE) and its international counterparts said that the Russian hacker group APT29, also known as ‘Cozy Bear’ or ‘the Dukes’, targeted health organizations and vaccine research entities in Canada, the U.K., and the U.S. The agencies accused the attackers of attempting to steal information and intellectual property relating to the development of COVID-19 vaccines, and assessed that Russian intelligence services were behind the attacks. Russia has denied responsibility.

According to a joint statement issued on July 16, the CSE, the U.K.’s National Cyber Security Centre (NCSC), and the United States’ Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) said they had detected multiple cyberattacks by APT29 against organizations in Canada, the U.S., and the U.K. involved in COVID-19 vaccine development.

Ongoing campaign targeting COVID-19 vaccine development

According to the CSE statement, the intelligence agencies of Canada, the U.K., and the U.S. accused APT29 of conducting malicious cyber attacks in an attempt to steal information related to COVID-19 vaccine research in all three countries. The statement is part of a joint release by the CSE, which is responsible for Canada’s foreign signals intelligence, and its counterpart agencies, which detected similar attacks on their own territories.

The group, also known as ‘Cozy Bear’ or ‘the Dukes’, allegedly conducted the activity in order to steal information and intellectual property relating to the development and testing of COVID-19 vaccines, as well as ‘to hinder response efforts at a time when healthcare experts and medical researchers need every available resource to help fight the pandemic,’ the CSE said. The agencies did not specify which organizations had been targeted, or whether any information had been stolen.

The agencies describe an ongoing campaign against organizations involved in coronavirus vaccine development and state that APT29 ‘almost certainly operates as part of Russian intelligence services.’ Russia immediately denied any responsibility for the attacks.

APT29 is not a new actor for the intelligence agencies. Among other incidents, the group had previously been accused of hacking the Democratic National Committee before the 2016 U.S. election.

Spear-phishing and malware

The CSE advised that the group used a variety of tools and techniques, including spear-phishing and custom malware, to target vaccine research and development organizations globally. The malware used, WellMess and WellMail, had not previously been publicly associated with APT29.

APT29’s campaign of malicious activity is ongoing, predominantly against governmental, diplomatic, think-tank, healthcare, and energy targets, for intelligence gain. The CSE and its Cyber Centre warned that ‘the COVID-19 pandemic presents an elevated risk to the cyber security of Canadian health organizations involved in the national response to the pandemic.’

‘We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,’ said U.K.’s NCSC Director of Operations, Paul Chichester.
