British security officials have joined forces with their American and Canadian counterparts to link a series of cyber attacks on coronavirus vaccinologists to the Russian government.
According to a joint advisory issued on Thursday, the threat group APT29, which is believed to operate as part of the Russian intelligence services, has targeted researchers working for universities and pharmaceutical companies in the UK, US and Canada.
The threat group, also known as ‘Cozy Bear’ and ‘the Dukes’, scans targets’ external IP addresses for known vulnerabilities, before deploying publicly available exploits (as opposed to zero-days). “The group has been successful using recently published exploits to gain initial footholds,” NCSC said.
APT29 has exploited vulnerabilities, previously detailed by NCSC, in products made by Citrix, including its Gateway remote access tool, as well as virtual private networks (VPNs). The group has also been observed using spear-phishing attacks to harvest login details.
In some cases, once the hackers have compromised a system, they then deploy custom malware, dubbed ‘WellMess’ and ‘WellMail’ by NCSC, to exfiltrate the data. While WellMess was first reported in July 2018, NCSC said WellMail had not been previously publicly documented.
APT29 is one of the world’s most prominent threat groups and has been linked to attacks on governments, diplomats, thinktanks, healthcare organisations and energy businesses, according to NCSC. It was also reportedly involved in the attack on the Democratic National Convention ahead of the 2016 US election.
British researchers working at the University of Oxford, in partnership with the pharmaceutical company AstraZeneca, are said to be months ahead of rival scientists working in other universities. Although NCSC did not name any of the targeted organisations, Oxford has previously said it is working with the security agency to protect its research.
NCSC warned in May that hackers were targeting coronavirus research in the UK, but did not publicly attribute the attacks. It had been reported that Russia, China and Iran were thought to have been behind various attempts to steal Covid-19-related research.
Today’s announcement came just hours after the foreign secretary, Dominic Raab, claimed that Russian actors had attempted to promote an “illicitly acquired” document revealing details of plans for a UK-US trade deal.
Parliament’s intelligence and security committee could publish a report on Russian interference in British politics as soon as next week. Downing Street received a copy of the report in October, but Boris Johnson blocked its release ahead of the general election in a move that MPs described as “utterly reprehensible”.
Commenting on the cyber attacks on vaccine research, Raab said: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. […] The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”
NCSC’s director of operations, Paul Chichester, condemned what he described as “despicable attacks against those doing vital work to combat the coronavirus pandemic”.
He added: “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”