An advisory published by the UK National Cyber Security Centre (NCSC) details the activities of the Russian hacking group and explicitly describes efforts to target US, UK and Canadian vaccine research and development organizations.
“APT29’s campaign for harmful activities is ongoing, mainly against government, diplomatic, food, health and energy targets to steal valuable intellectual property,” said a press release on the advisory.
Cozy Bear is one of two hacking groups linked to Russian intelligence believed to have gained access to the Democratic National Committee’s internal system in the run-up to the 2016 US election, but Thursday’s announcement is the first time this group has been singled out in connection with cyber attacks related to the coronavirus pandemic.
The US, British and Canadian authorities have issued several warnings about state-sponsored cyberattacks against organizations involved in the response to coronavirus in recent months.
In April, CNN also reported on a growing wave of cyberattacks by nation states and criminal groups on US authorities and medical institutions leading the pandemic response.
Hospitals, research laboratories, healthcare providers and pharmaceutical companies have all been affected, officials said at the time.
The Department of Health and Human Services
“The National Security Agency (NSA), together with our partners, remains firm in its commitment to protecting national security by collectively issuing this critical cybersecurity advice as foreign actors continue to benefit from the ongoing COVID-19 pandemic,” NSA Cybersecurity Director, Anne Neuberger, said in a statement Thursday.
“APT29 has a long history of targeting government, diplomatic, think tanks, healthcare and energy organizations for intelligence gain, so we encourage everyone to take this threat seriously and apply the restrictions issued in the advisory,” she said.
The NCSC, the UK’s leading cyber security technical agency and part of the UK Government Communications Headquarters (GCHQ), judged that APT29 “almost certainly functions as part of Russian intelligence services.”
This assessment is also supported by partners at the Canadian Communications Security Establishment (CSE), the U.S. Department of Homeland Security (DHS), the Cybersecurity and Infrastructure Security Agency (CISA), and the National Security Agency (NSA), the NCSC said.
“We condemn these heinous attacks on those who are doing crucial work to combat the coronavirus pandemic,” NCSC Chief Operating Officer Paul Chichester said in a statement. “In partnership with our allies, the NCSC is committed to protecting our most critical assets and our highest priority at present is to protect the health sector.”
The press release said that the NCSC has previously warned that Advanced Persistent Threat (APT) groups have targeted organizations involved in both national and international COVID-19 responses.
APT29 uses a variety of tools and techniques, including spear-phishing and custom malware called “WellMess” and “WellMail”, according to the NCSC.
The report concluded that: “APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to address additional intelligence issues related to the pandemic.”