A number of prominent hacking groups made a gentleman’s agreement with research labs that are attempting to develop a vaccine for the deadly COVID-19 virus currently ravaging the planet.
The agreement was promising that no attacks against research facilities would be made. Unfortunately, not everyone is playing by those rules.
Recently, intelligence agencies in the US and Europe as well as security researchers around the world have spotted evidence. They found that Russian hackers believed to have ties to the Russian government, have begun attacking R&D centers that are actively working on a cure for the virus.
The attacks have been attributed to APT29, which is also referred to variously as The Dukes, Yttrium, or Cozy Bear. This group’s normal targets are government installations, think tanks, energy companies, diplomatic corporations around the world, and healthcare organizations.
The National Cyber Security Centre (NCSC), out of the UK, recently published a security advisory that reads, in part, as follows:
“Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines.”
The advisory goes on to detail that APT29 is initiating these attacks with spear phishing.
APT29 is also exploiting several known security vulnerabilities, including those found in:
- Citrix (CVE-2019-19781)
- Pulse Secure (CVE-2019-11510)
- Fortigate (CVE-2019-13379)
- Zimbra Collaboration Suite (CVE-2019-9670)
The frustrating thing about this is that patches for all of the security flaws listed above already exist. It’s just that too often, the IT professionals working in R&D organizations have been slow to apply them, leaving research stations around the world vulnerable at a time when they’re conducting critical research that could stop the global pandemic in its tracks.
Once APT29 gains a foothold on a targeted network, they install a pair of custom malware applications called ‘WellMess’ and ‘WellMail,’ both written in Golang. If your firm is in any way connected to ongoing COVID-19 research efforts, stay on the alert for this one. It’s a serious threat indeed, and the attack is coming from one of the most dangerous groups of hackers on the planet.