17 July 2020

UK, US, Canada accuse APT29 of attacks on UK coronavirus vaccine labs

The UK, the United States and Canada accused a hacker group known as APT29, “the Dukes” or “Cozy Bear” of attempts to compromise organizations involved in COVID-19-related research in order to steal information from researchers seeking a coronavirus vaccine.

An alert released by the British National Cyber Security Centre (NCSC) details recent Tactics, Techniques and Procedures (TTPs) of the group. It says that known targets of APT29 include UK, US and Canadian vaccine research and development organizations and that malicious campaigns orchestrated by the hackers are still ongoing. The group uses a variety of tools and techniques, including spear-phishing and custom malware known as “WellMess” and “WellMail”.

The NCSC’s assessment is supported by its partners at the Canadian Communications Security Establishment (CSE), the US Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA).

The agencies did not say whether any information was actually stolen, but the UK says individuals’ confidential information is not believed to have been compromised.

According to the advisory, APT29 frequently uses publicly available exploits in order to compromise vulnerable systems and steal authentication credentials to allow further access.

“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified,” the British agency said.

The targeted vulnerabilities include CVE-2019-19781 (Citrix), CVE-2019-11510 (Pulse Secure), CVE-2018-13379 (FortiOS), and CVE-2019-9670 (Zimbra).
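The scan-then-exploit sequence described above leaves a recognisable trace in web-server access logs: one source probing many non-existent paths on the exposed services, followed by a request carrying a path-traversal sequence (three of the four listed CVEs are traversal bugs). The following script is an added detection example, not code from the advisory or from the agencies; the log lines and IP addresses are constructed, and the traversal check is a generic one rather than a signature for any specific CVE.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed sample access log (not from the advisory); fields: source IP, method, path, status.
SAMPLE_LOG = """\
203.0.113.7 GET /vpn/index.html 200
203.0.113.7 GET /remote/login 404
203.0.113.7 GET /dana-na/ 404
203.0.113.7 GET /zimbra/ 404
203.0.113.7 GET /owa/ 404
203.0.113.7 GET /manager/html 404
203.0.113.7 GET /vpn/..%2f..%2fconf/app.cfg 403
198.51.100.20 GET /vpn/index.html 200
198.51.100.20 POST /vpn/login 302
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d{3})$")
# A '..' path segment bounded by slashes, backslashes or the ends of the path.
TRAVERSAL_RE = re.compile(r"(?:^|/)\.\.(?:/|\\|$)")


def is_traversal(path: str) -> bool:
    """True if the path contains a '..' segment after up to two rounds of URL decoding."""
    decoded = unquote(unquote(path))
    return bool(TRAVERSAL_RE.search(decoded))


def analyze(log_text: str, scan_threshold: int = 5) -> dict:
    """Per source IP: count distinct 404 probes (the 'basic vulnerability scanning'
    the advisory describes), collect traversal requests, and flag a traversal
    request that arrives after the probe count has crossed the threshold."""
    per_ip = defaultdict(lambda: {"probed_404": set(), "traversal": [], "exploit_after_scan": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole run
        ip, _method, path, status = m.groups()
        rec = per_ip[ip]
        if status == "404":
            rec["probed_404"].add(path)
        if is_traversal(path):
            rec["traversal"].append(path)
            if len(rec["probed_404"]) >= scan_threshold:
                rec["exploit_after_scan"] = True
    return {
        ip: {"distinct_404": len(rec["probed_404"]),
             "scanning": len(rec["probed_404"]) >= scan_threshold,
             "traversal": rec["traversal"],
             "exploit_after_scan": rec["exploit_after_scan"]}
        for ip, rec in per_ip.items()
    }


if __name__ == "__main__":
    for ip, rec in analyze(SAMPLE_LOG).items():
        print(ip, rec)
```

The threshold and the 404-only probe counting are tuning choices for the sample; on a real appliance log the probe set should be widened to whatever status codes its login and error pages return.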

In some cases, APT29 deploys custom malware tools called WellMess and WellMail to conduct further operations on a compromised system. WellMess is a lightweight malware designed to execute arbitrary shell commands and to upload and download files, while WellMail is used to run commands or scripts, with the results sent to a hardcoded Command and Control (C2) server.

The advisory also provides rules and IoCs to help organizations to combat this threat.
