The UK Government Claims That Russian Hackers Attempted to Steal COVID-19 Vaccine Research
The coronavirus pandemic is far from over. Although many countries are easing the restrictions, the number of cases is still growing, and people continue to die every day. It's clear that the only solution is to mass-vaccinate the population, which is obviously very difficult considering the fact that a vaccine hasn't been invented yet.
The sooner we have it, the more lives will be saved, and you'd think that in light of all this, the world's most powerful nations would gather their brainiest specialists and make them work as a team so that we can have a working vaccine as quickly as possible. You'd be wrong.
When speaking about the development of a vaccine for the new coronavirus, John Demers, an assistant attorney general for the US national security, said that whoever creates the vaccine will have a "significant geopolitical success story." In other words, he implied that this is a competition, and the UK's National Cyber Security Centre (NCSC) reckons that some of the competitors are playing dirty.
The UK, the US, and Canada: The Russians are attacking organizations that work on a coronavirus vaccine
Yesterday, NCSC published a report that was also backed by the Canadian Security Establishment (CSE), the United States Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (DHS CISA), and the US National Security Agency (NSA). It says that a group of hackers known as APT29, Cozy Bear, or The Dukes has been targeting healthcare organizations working on a COVID-19 vaccine in Canada, the US, and the UK.
It's considered a known fact that APT29 is backed by the Russian government, and with the report, the UK, the US, and Canada accuse the Kremlin of trying to steal data related to the research and development of a COVID-19 vaccine.
APT29 is as formidable as ever
The report doesn't name any of the targeted organizations, but it does say that the attacks started in early 2020 and are continuing to this day. The NCSC has also put together a pretty detailed explanation of how the APT29 hackers plan and execute their attacks.
Like many other hacking crews, APT29 performs regular scans and gathers intelligence on vulnerable internet-facing networks. The hackers don't target all the systems they find, but they likely keep a record of them so that they can hack them if the need arises.
Most likely, this is how they singled out the IPs that need to be attacked when they were instructed to gather information about how far the West has gone in the development of the COVID-19 vaccine.
For the most part, the targets are compromised using a list of known vulnerabilities in products from Citrix, FortiGate, Pulse Secure, Zimbra, etc., though the report also says that in some cases, the hackers collect login credentials using sophisticated spear-phishing attacks. Once inside the network, APT29 uses different methods to achieve persistence and deploys a couple of malware strains called WellMess and WellMail.
APT29's weapons of choice
WellMess is the older of the two malware families. It appeared in 2018, but this is the first time anyone has associated it with APT29. It's named after one of the functions in the code, and its primary purpose is to execute shell commands and download and upload data.
WellMail is a previously undocumented malware family that runs commands on the infected machine and sends the results back to the Command and Control (C&C) server. Its name comes from the repeated use of the word "mail" in the code, as well as the fact that it uses server port 25 to communicate with the C&C.
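Because WellMail talks to its C&C over port 25, one practical check for defenders is to flag internal hosts that are not approved mail relays yet repeatedly open outbound SMTP connections to external addresses. The following is an added example (not code from the report or from the NCSC) that runs that check over a few constructed flow records; the network ranges, host addresses and the approved-sender list are all hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records: timestamp, src, dst, dst_port, bytes.
# These are made-up addresses from documentation ranges, not real traffic.
SAMPLE_FLOWS = """\
2020-07-16T09:12:01Z 10.20.30.41 198.51.100.7 443 5120
2020-07-16T09:12:05Z 10.20.30.41 203.0.113.9 25 880
2020-07-16T09:13:10Z 10.20.30.5 203.0.113.9 25 2048
2020-07-16T09:14:22Z 10.20.30.41 203.0.113.9 25 910
2020-07-16T09:15:00Z 10.20.30.77 192.0.2.55 80 3000
"""

# Hypothetical: the one internal host that is allowed to send SMTP outbound.
APPROVED_MAIL_SENDERS = {"10.20.30.5"}
# Hypothetical internal address space.
INTERNAL_NET = ipaddress.ip_network("10.20.0.0/16")


def parse_flow(line):
    """Split one whitespace-separated flow record into a dict."""
    ts, src, dst, port, nbytes = line.split()
    return {"ts": ts, "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes)}


def is_internal(ip):
    return ipaddress.ip_address(ip) in INTERNAL_NET


def find_suspect_smtp_talkers(text, min_flows=2):
    """Return {src: [dst, ...]} for internal hosts that are not approved mail
    senders but have opened at least min_flows outbound TCP/25 connections
    to external addresses. Such hosts deserve a closer look."""
    hits = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        if f["port"] != 25:
            continue
        # Only internal -> external traffic is interesting here.
        if not is_internal(f["src"]) or is_internal(f["dst"]):
            continue
        if f["src"] in APPROVED_MAIL_SENDERS:
            continue
        hits[f["src"]].append(f["dst"])
    return {src: dsts for src, dsts in hits.items() if len(dsts) >= min_flows}
```

In a real deployment the allowlist would come from the mail infrastructure inventory and the records from a flow collector or firewall logs; the logic stays the same.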
Russia: We haven't done anything
The NCSC seems to be convinced that APT29 is responsible for the attacks, and it must be said that if it wasn't confident about its claims, it probably wouldn't have put them in a publicly available report.
Russia isn't that keen on accepting responsibility, though. According to the BBC, a spokesperson for President Vladimir Putin has denied any connection between Russia and the attacks on vaccine-developing organizations. Then again, the world's superpowers rarely admit to using sophisticated hacking groups to spy on other countries, so this statement should probably be taken with a dose of skepticism.
In any case, if what NCSC says is true, some of the world's most capable hackers are attacking the institutions responsible for creating a vaccine that will save thousands of lives. Let's hope the attacks don't disrupt their work too much.