Cybersecurity agencies in the United States, United Kingdom, and Canada issued a joint warning July 16 accusing Russian intelligence services of targeting COVID-19 research and vaccine development facilities with cyberattacks.
The National Security Agency, the UK's National Cyber Security Centre, Canada's Communications Security Establishment, and the Cybersecurity and Infrastructure Security Agency (CISA) issued the advisory jointly. It states that the Russian-linked group Cozy Bear, also known as APT29, is conducting COVID-related cyber espionage and is using two custom malware families, WellMess and WellMail, to target organizations involved in COVID-19 vaccine development globally.
“In recent attacks targeting COVID-19 vaccine research and development,” the advisory describes, “the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations [sic]. The group then deployed public exploits against the vulnerable services identified.”
Using this tactic, the group has successfully exploited publicly known vulnerabilities in Citrix, Pulse Secure, FortiGate, and Zimbra products to gain initial footholds. Once inside a network, APT29 has maintained persistent access, deployed its malware, and used certificates to reach COVID-19 research.
The cyber agencies warned that APT29 is “likely to continue” its attacks as it seeks to answer intelligence questions related to the pandemic. To fend off the attacks, the agencies recommend cybersecurity measures such as multi-factor authentication, treating people as the first line of defense, and setting up a security monitoring capability.
In the U.S., agencies such as CISA have been warning of an increase in COVID-related attacks since the pandemic began. In a June interview with MeriTalk, CISA Assistant Director for Cybersecurity Bryan Ware cautioned specifically against state actors targeting COVID-19 pharmaceutical research.
“We’re seeing our adversaries – in particular China, Russia, and Iran – targeting our pharmaceutical labs’ research and development for COVID vaccines, antivirals, and various medical technology,” Ware warned.
COVID-related malware, an expanded attack surface at Federal agencies, and several other threat vectors described by the FBI and the Department of Justice have also been reported throughout the pandemic.