Russian hackers are targeting coronavirus scientists with phishing and malware attacks

Advisory from the UK's National Cyber Security Centre warns of an active spear-phishing campaign by APT29 - a hacking group associated with Russian intelligence services - in an effort to steal research data.
Written by Danny Palmer, Senior Writer

State-backed Russian hackers are targeting pharmaceutical companies, healthcare, academic research centres and other organisations involved in coronavirus vaccine development, security agencies in the UK, USA and Canada have jointly warned.

The advisory, put out by the UK's National Cyber Security Centre with support from the US National Security Agency and the Canadian security services, says cyber attacks from hacking group APT29 – also known as Cozy Bear – are attempting to steal information on coronavirus research.

Organisations in the UK, USA and Canada are thought to have been targeted by attacks, which the NCSC has high confidence originated from a group working on behalf of the Russian government.

APT29 has links to the Russian intelligence services and has been identified as the culprit of a number of high-profile international cyber attacks and spear-phishing campaigns, including attempted election interference in the United States.

There's currently no evidence to suggest that the hacking campaigns have been successful, but the NCSC says the attacks are still ongoing.

"We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic," said NCSC director of operations Paul Chichester.

APT29 has been attempting to deploy custom families of malware – WellMess and WellMail, both of which can issue commands on infected machines – against organisations involved in vaccine development. The two forms of malware haven't previously been publicly associated with APT29.

The group is also known to scan for vulnerabilities in networks – such as in Citrix, Pulse Secure and Fortigate products – which it can combine with known exploits in an effort to infiltrate systems and gain persistence to commit espionage and other malicious cyber activity. The NCSC has described APT29 as "very adept" at exploiting vulnerabilities before patches can be applied.

In this instance, it appears that the targets have been protected against falling victim to cyber attacks, but it's thought that Russian hackers will continue to target healthcare as the world reacts to COVID-19, as well as continuing campaigns against targets including governments, diplomats, think-tanks and the energy sector.

"Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks," said Chichester.

In order to protect against attacks, the NCSC recommends that organisations secure devices and networks with the latest security patches so attackers can't exploit known vulnerabilities. It's also recommended that organisations use multi-factor authentication, so that in the event of hackers breaching passwords, there's an additional barrier to prevent them moving around the network.

It's also recommended that staff know how to spot phishing emails and that they're confident enough to report them – even if they feel they might have accidentally clicked on a link or handed over login credentials.

It's previously been warned that other nations are also likely to be attempting to steal coronavirus-related research.
