The UK, the United States and Canada accused a hacker group known as APT29, “the Dukes” or “Cozy Bear” of attempts to compromise organizations involved in COVID-19-related research in order to steal information from researchers seeking a coronavirus vaccine.
An alert released by the British National Cyber Security Centre (NCSC) details recent Tactics, Techniques and Procedures (TTPs) of the group. It says that known targets of APT29 include UK, US and Canadian vaccine research and development organizations and that malicious campaigns orchestrated by the hackers are still ongoing. The group uses a variety of tools and techniques, including spear-phishing and custom malware known as “WellMess” and “WellMail”.
The NCSC’s assessment is supported by other partners at the Canadian Communications Security Establishment (CSE), the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).
The agencies did not elaborate on whether any information actually was stolen, but the UK says individuals’ confidential information is not believed to have been compromised.
According to the advisory, APT29 frequently uses publicly available exploits in order to compromise vulnerable systems and steal authentication credentials to allow further access.
“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified,” the British agency said.
The targeted vulnerabilities include CVE-2019-19781 (Citrix), CVE-2019-11510 (Pulse Secure), CVE-2018-13379 (FortiOS), and CVE-2019-9670 (Zimbra).
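The scan-then-exploit pattern described above can be correlated on the defender's side. The following is an added example, not code from the advisory or the agencies: it walks a constructed firewall log, treats a source that touches many distinct destination:port pairs in a short window as scanning, and then reports any later contact from that source with an internet-facing host whose product is still unpatched against one of the four CVEs listed. The host inventory, log format and threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# CVEs named in the advisory, keyed by affected product.
ADVISORY_CVES = {
    "citrix": "CVE-2019-19781",
    "pulse secure": "CVE-2019-11510",
    "fortios": "CVE-2018-13379",
    "zimbra": "CVE-2019-9670",
}

# Constructed inventory of internet-facing hosts (assumption): product and CVEs already patched.
INVENTORY = {
    "203.0.113.10": {"product": "citrix", "patched": set()},
    "203.0.113.20": {"product": "pulse secure", "patched": {"CVE-2019-11510"}},
    "203.0.113.30": {"product": "zimbra", "patched": set()},
    "203.0.113.40": {"product": "nginx", "patched": set()},
}

# Constructed firewall log: "timestamp src dst:port", one connection per line.
SAMPLE_LOG = """\
2020-07-16T10:00:01 198.51.100.7 203.0.113.10:22
2020-07-16T10:00:02 198.51.100.7 203.0.113.10:443
2020-07-16T10:00:02 198.51.100.7 203.0.113.20:443
2020-07-16T10:00:03 198.51.100.7 203.0.113.30:443
2020-07-16T10:00:03 198.51.100.7 203.0.113.40:80
2020-07-16T10:05:30 198.51.100.7 203.0.113.10:443
2020-07-16T10:05:31 198.51.100.7 203.0.113.20:443
2020-07-16T10:06:00 192.0.2.55 203.0.113.40:443
"""

def find_scan_then_exploit(log, threshold=5, window=timedelta(seconds=60)):
    """Report (src, host, cve) when a source that recently probed >= threshold
    distinct dst:port pairs later contacts an unpatched host from the CVE list."""
    touched = defaultdict(list)  # src -> [(timestamp, "dst:port"), ...]
    scanners, alerts = set(), []
    for line in log.strip().splitlines():
        ts_text, src, dst = line.split()
        ts = datetime.fromisoformat(ts_text)
        touched[src].append((ts, dst))
        recent = {d for t, d in touched[src] if ts - t <= window}
        if len(recent) >= threshold:
            scanners.add(src)  # burst of distinct targets: vulnerability scanning
            continue           # the probes themselves are not the follow-up
        host = INVENTORY.get(dst.split(":")[0])
        if src in scanners and host:
            cve = ADVISORY_CVES.get(host["product"])
            if cve and cve not in host["patched"]:
                alerts.append((src, dst.split(":")[0], cve))
    return alerts
```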
In some cases, APT29 deploys custom malware tools called WellMess and WellMail to conduct further operations on a compromised system. The former is lightweight malware designed to execute arbitrary shell commands and upload and download files, while the latter is used to run commands or scripts, with the results being sent to a hardcoded command and control (C2) server.
The advisory also provides detection rules and indicators of compromise (IoCs) to help organizations combat this threat.