Russian Hackers Target COVID-19 Vaccine Research
I. Targeted Industries
- Higher Education
The Department of Homeland Security (DHS), the U.K. National Cyber Security Centre (NCSC), and Canada’s Communications Security Establishment (CSE) released a joint threat alert on July 16, 2020, regarding malware attacks targeting COVID-19 vaccine research. The activity is attributed to APT29 (also known as “the Dukes” or “Cozy Bear”), which is likely part of a Russian intelligence service. Intelligence officials believe the attackers intended to steal data rather than disrupt research. Cozy Bear began the campaign with spear phishing, but the group also exploited four known vulnerabilities and used custom malware called “WellMess” and “WellMail” for data exfiltration.
III. Background Information
APT29 is a group that has been running campaigns throughout 2020 and has targeted sectors such as government, healthcare, think tanks, and energy. The latest attacks target these industries through a series of phishing attempts and the exploitation of well-known vulnerabilities, such as the Citrix code injection bug (CVE-2019-19781), a publicized Pulse Secure VPN flaw (CVE-2019-11510), and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).
Once Cozy Bear gains access to a network, it initially deploys SoreFang, a first-stage downloader that uses HTTP to exfiltrate the victim’s information and download second-stage malware. The group then uses the custom malware “WellMess” and “WellMail”. Once established on a network, these implants conduct operations on the victim’s system to extract data. WellMess allows a remote operator to establish encrypted command and control (C2) sessions and execute scripts on an infected system; it also passes AES-encrypted executable scripts to infected systems. WellMail is similar to WellMess in that it uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. However, it uses server port 25, and it is named after file paths containing the word ‘mail’.
According to the U.K. National Cyber Security Centre (NCSC), APT29 is likely to continue targeting organizations involved in COVID-19 vaccine research and development.
The full NCSC advisory report is listed as reference (1) below.
IV. MITRE ATT&CK
Command and Scripting Interpreter – T1059
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
Exfiltration Over C2 Channel – T1048
Adversaries may steal data by exfiltrating it over an existing command and control channel. Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.
Exfiltration Over Alternative Protocol – T1041
Adversaries may steal data by exfiltrating it over a different protocol than that of the existing command and control channel. The data may also be sent to an alternate network location from the main command and control server.
- Scheduled Backups & Patch Updates
Back up data regularly and store externally. Update and patch vulnerabilities consistently.
- Use Multi-Factor Authentication
Use multi-factor authentication (MFA) as an additional barrier to limit an attacker’s ability to move laterally within a network.
- Malware Monitoring
Continuously monitor for new and existing malware families. Stay up to date on threat intelligence and defensive advancements to prevent, detect, and mitigate these types of threats.
- Incorporate Known IOCs into IDS
Incorporate the known IOCs of the attack into your intrusion detection system (IDS) to catch any suspicious behavior related to the attack.
- Strong Cyber Hygiene
Users should verify the legitimacy of emails, links, and downloads before acting on them. All sources should be verified.
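As an added example that is not part of the advisory or of the NCSC/CISA reports, the detector below applies two of the points above to TLS session records: the WellMail traffic pattern (a TLS session to server port 25 that presents a hard-coded client certificate, on a host that is not a known mail relay) and the recommendation to feed known IOCs into detection tooling. The log layout, host addresses, and certificate fingerprints are all constructed placeholders, not real indicators.

```python
# Added example, not from the advisory or the NCSC/CISA reports: a small
# detector over TLS records in a Zeek ssl.log-like layout. It flags the
# WellMail pattern (client-certificate TLS to server port 25 on a host that is
# not a known mail relay) and certificate fingerprints on a known-IOC list.
# All log lines and fingerprints below are constructed placeholders.

IOC_CERT_SHA1 = {"PLACEHOLDER_C2_CERT_SHA1_0000000000000000"}  # load real IOCs here
KNOWN_MAIL_SERVERS = {"10.0.0.25"}  # hosts expected to accept TLS on port 25

def parse_ssl_log(text):
    """Parse tab-separated records: src dst dport sni server_sha1 client_sha1.
    A '-' field means the value was absent (no SNI / no client certificate)."""
    sessions = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, dport, sni, ssha1, csha1 = line.split("\t")
        sessions.append({"src": src, "dst": dst, "dport": int(dport),
                         "sni": "" if sni == "-" else sni,
                         "server_sha1": ssha1,
                         "client_sha1": "" if csha1 == "-" else csha1})
    return sessions

def classify(s):
    """Return the list of detection labels that apply to one session."""
    findings = []
    if s["server_sha1"] in IOC_CERT_SHA1 or s["client_sha1"] in IOC_CERT_SHA1:
        findings.append("ioc-cert-match")
    # WellMail-style C2: mutual TLS on port 25 to a non-mail host, usually no SNI.
    if s["dport"] == 25 and s["client_sha1"] and s["dst"] not in KNOWN_MAIL_SERVERS:
        findings.append("mutual-tls-on-port-25")
    return findings

def scan(text):
    """Map 'src->dst:port' to its findings for every session that matched."""
    return {f"{s['src']}->{s['dst']}:{s['dport']}": f
            for s in parse_ssl_log(text) if (f := classify(s))}

# Constructed sample log (fingerprints are fake placeholders).
SAMPLE_SSL_LOG = (
    "# src\tdst\tdport\tsni\tserver_sha1\tclient_sha1\n"
    "10.1.1.5\t10.0.0.25\t25\tmail.example.test\tAAAA0000\t-\n"        # known relay
    "10.1.1.7\t203.0.113.9\t25\t-\tBBBB0000\tCCCC0000\n"               # WellMail-like
    "10.1.1.8\t198.51.100.4\t443\tcdn.example.test\t"
    "PLACEHOLDER_C2_CERT_SHA1_0000000000000000\t-\n"                  # IOC hit
    "10.1.1.9\t198.51.100.5\t443\twww.example.test\tDDDD0000\t-\n"     # benign
)

if __name__ == "__main__":
    for key, findings in scan(SAMPLE_SSL_LOG).items():
        print(key, ", ".join(findings))
```

Legitimate relays that terminate TLS on port 25 belong in KNOWN_MAIL_SERVERS so the port-25 rule only fires on hosts that have no business speaking mutual TLS there.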
VI. Indicators of Compromise (IOCs)
The link below has been included to assist with downloading some of the identified IOCs related to this threat advisory report. Be on the lookout for these IOCs, as well as anything that looks similar.
(1) “Advisory: APT29 Targets COVID-19 Vaccine Development.” ncsc.gov.uk, July 16, 2020. https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development.
(2) Ilascu, Ionut. “Russian Hackers Target COVID-19 Vaccine Research with Custom Malware.” BleepingComputer, July 16, 2020. https://www.bleepingcomputer.com/news/security/russian-hackers-target-covid-19-vaccine-research-with-custom-malware/.
(3) Seals, Tara. “Hackers Look to Steal COVID-19 Vaccine Research.” Threatpost, July 16, 2020. https://threatpost.com/state-sponsored-hackers-steal-covid-19-vaccine-research/157514/.
(4) “UK, US, Canada Accuse Russia of Hacking Virus Vaccine Trials.” SecurityWeek. Associated Press, July 16, 2020. https://www.securityweek.com/uk-us-canada-accuse-russia-hacking-virus-vaccine-trials.
(5) “Malware Analysis Report (AR20-198B).” Cybersecurity and Infrastructure Security Agency (CISA), July 16, 2020. https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b.