According to a security assessment issued by the U.K.’s National Cyber Security Centre (NCSC) in 2020, Russian hacking group APT29, also known as Cozy Bear and the Dukes, was behind attacks against Coronavirus vaccine research in the U.K., U.S., and Canada. Intelligence Agencies from the U.S. and Canada also contributed to the effort. The hacking was aimed at “government, diplomatic, think-tank, healthcare and energy targets,” the NCSC said in the assessment. An official with the U.S. National Security Agency or NSA urged entities to pay attention to the details in the document.
According to the NSA “APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory.”
State-sponsored hacking groups globally were interested in targeting research on Coronavirus-related vaccines and treatments back in 2020, the U.S. Department of Justice warned. APT29 are the same Russian hackers that breached the Democratic National Committee in 2016 and have been linked with Russia’s Foreign Intelligence Service, according to Estonian intelligence. Russia is now the second country that the United States has accused of targeting Coronavirus research. In May of 2020, the Department of Homeland Security and the FBI accused Chinese hackers of targeting the same information.
ATP29 is known to scan for vulnerabilities in networks including Citrix, Pulse Secure and Fortigate products. The NCSC has described APT29 as “very adept” at exploiting vulnerabilities before updates can be utilized.
What is ‘WellMess’ and ‘WellMail’ Malware
Russian groups have attempted hacking attacks in the U.S., U.K., and Canada using custom malware, dubbed “WellMess” and “WellMail,” which haven’t been previously linked with APT29. The hackers behind the attack were likely looking for credentials that would allow them further access, the NCSC said.
“In recent (2020) attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations,” the NCSC said. “The group then deployed public exploits against the vulnerable services identified.”
WellMess malware is used by hackers to execute shell commands and to upload and download files, according to the NCSC. Although Japan’s JPCERT has previously reported WellMess, WellMail has not previously been reported, the NCSC said. WellMail allows hackers to run commands with results sent to a hardcoded command and control server.
Cyber Command, the offensive cyberespionage arm of the U.S. Department of Defense, shared malware samples to the information-sharing repository VirusTotal. It was only the second time ever that cyber command had attributed malware to a nation-state actor directly. Typically, cyber command leaves the attribution of malicious code up to researchers. Cyber command made its first attribution to North Korea in February of 2020.
