Russian hackers at the state’s FSB spy agency have been caught breaking into Western institutions working on potential vaccines for the COVID-19 coronavirus in hope of stealing said research. That’s according to the British National Cyber Security Centre and America’s NSA today.
The Kremlin-backed APT29 crew, also known by a variety of other names such as Cozy Bear, Iron Hemlock, or The Dukes, depending on which threat intel company you’re talking to that week, is believed by most reputable analysts to be a wholly owned subsidiary of the FSB, modern-day successor to the infamous Soviet KGB.
NCSC ops director Paul Chichester said in a statement: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.”
Foreign Secretary Dominic Raab added: “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”
NCSC and its international chums say they are 95 per cent confident that the attacks they investigated came from Russia. By abusing publicly known vulnerabilities, including those in Citrix and popular VPN products, the Russians were able to gain access to targeted networks. Once inside they deploy a custom malware named WellMess or WellMail, it’s claimed.
“WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods,” said NCSC in its advisory [PDF complete with IOCs and detection rules].
WellMail uses SMTP port 25 to communicate, runs commands or scripts, and uploads its findings to a hard-coded command and control server using TLS encryption. Both pieces of malware are written in Go, the open source language devised by Google. The report neatly summarizes the situation:
Intriguingly, NCSC – along with the US CISA and Canada’s Communications Security Establishment – also said APT29 was deploying a custom malware it named SoreFang against products from Chinese enterprise networking biz Sangfor. However, it cautioned that Sangfor was already a target for other malicious folk before APT29 got wind of it and so not all attacks against Sangfor kit were necessarily proof of state-level espionage.
Today’s attribution follows on from warnings back in May that nameless-but-nefarious bods were targeting those same coronavirus research institutions. In light of today’s news, it could be argued that that public shot across the FSB’s bows didn’t do much to stop the digital attacks.
“This also demonstrates that Iron Hemlock (aka APT29, Cozy Bear) is a very capable threat actor that conducts low visibility operations over an extended period, since at least 2018 in this case, while attracting minimal publicity,” Rafe Pilling, a researcher at infosec biz Secureworks, told The Register.
“Every time we see this group emerge in public they are using novel malware and tradecraft. A strong focus on operational security prompts constant change, a stark contrast to some of their comrades in other parts of government and the military.”
He added that it’s not just Russia doing the hacking, although Vladimir Putin’s nation is at the forefront of today’s report: “The NCSC report emphasises that the global interest in COVID-19 is driving an intelligence collection agenda for Russia, as well as nations like Iran, that has previously been identified targeting COVID-19 related research,” he opined.
“The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian, and Chinese actors seeking a leg up on their own research.”
Meanwhile, Mandiant Threat Intelligence’s John Hultquist said in a statement that APT29 tended to stay below the radar and steal data, making today’s attribution all the more eye-catching for espionage watchers.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,” he explained. “Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”
Back in 2015 Fireeye observed APT29 deploying a Twitter-dependent malware strain it called Hammertoss, while last year Eset spotted the same hackers quietly targeting EU nations’ foreign offices and embassies. It seems the state-backed threat is never all that far away
