Representational image | Photo: Flickr

Edinburgh: In the world of nation-state hacking groups, APT29, or Cozy Bear, has kept a relatively low profile, focusing on gathering intelligence rather than creating a stir.

That changed on Thursday, when the hacking group tied to the Russian government was accused of using a combination of known security vulnerabilities and custom-made malware to infiltrate organizations involved in developing a vaccine for Covid-19, according to the U.K. and U.S. cybersecurity agencies.

The group, also known as The Dukes, has long been affiliated with Russian intelligence agencies, including the Russian Foreign Intelligence Service (SVR) and the Russian Federal Security Service (FSB), according to researchers. APT29 has a history dating back to 2008 and has targeted dozens of governments, research institutes and corporations around the world in an effort to gather intelligence that may inform Russian government policy making, according to researchers who have studied the group.

On Thursday, governments in the U.K., U.S. and Canada jointly announced that they concluded that APT29 had targeted “various organizations involved in Covid-19 vaccine development.” The governments didn’t identify specific victims of the hacking campaign. The hackers were probably acting “with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines,” according to a statement from the U.K.’s National Cyber Security Centre.

The Kremlin denied the accusations. “Russia has nothing to do with these attempts,” said spokesman Dmitry Peskov.

Artturi Lehtiö, director of strategy and corporate development for Finnish cybersecurity company F-Secure, said that targeting Covid-19 research projects possibly marked a change in approach for the hacking group. “They traditionally go after intelligence that would inform policy and their interactions with other nations,” Lehtiö said. If the allegations are true, he added, it “suggests Covid-19 is such a major national security priority” for Russia that the group’s “capabilities are being retasked.”

It’s not clear whether the hackers’ efforts were successful in stealing information about Covid-19 research. Technical details released by the U.K.’s National Cyber Security Centre alleged on Thursday that the hackers used a combination of methods to break into their victims’ computers.

Security Weaknesses

The hackers scanned organizations’ computer systems for vulnerabilities. They exploited security weaknesses in Citrix Systems Inc. software and virtual private network products from companies including Pulse Secure Inc. and Fortinet Inc., according to U.K. cybersecurity officials. Security vulnerabilities in those products had been publicized in 2018 and 2019, but some organizations may not have updated their software, leaving them open to attack, the officials said.

“While we cannot confirm that the attack vectors for this group took place via this vulnerability, we are reaching out to customers and strongly urging them to implement the upgrade and mitigations,” Sandra Wheatley Smerdon, a Fortinet spokeswoman, said in an email, noting that the company had alerted customers in 2019 “strongly recommending an upgrade.”

Citrix and Pulse Secure didn’t immediately respond to a request for comment.

The hackers also sent out spearphishing emails — which typically include malicious code hidden in an attachment — in an attempt to obtain login credentials for websites associated with the Covid-19 organizations. And they created customized malware — named SoreFang, WellMail, and WellMess — to steal data from infected computers, according to U.K. officials.

Over the last decade, APT29 has been accused of hacking governments and political organizations in the U.S., Georgia, Turkey, Uganda, Norway, and the Netherlands. Most famously, the group was behind the attack on the Democratic National Committee’s servers, according to the cybersecurity company CrowdStrike, resulting in embarrassing leaks of internal emails in the run-up to the 2016 U.S. presidential election.

Another Russian group, APT28, or “Fancy Bear,” got more attention in that episode because of its role in influence and disinformation operations.

Confirming who’s behind hacks can be difficult, due to the methods hackers can use to conceal their identity. In 2014, however, the Dutch intelligence agency turned the tables on APT29 by hacking their computers and using their webcams to spy on them, identifying them as members of Russia’s Foreign Intelligence Service. Later, Dutch intelligence operatives were able to use the access they had obtained to watch members of APT29 plan and carry out their hack on the Democratic National Committee.

‘Highly Likely’

According to the U.K. government, it’s 95% sure that APT29 is part of Russia’s intelligence services. British authorities said they have concluded that it’s “highly likely” the group targeted medical research and development organizations to gather information on Covid-19 vaccine research. “The U.K. will continue to counter those conducting such cyber-attacks, and work with our allies to hold perpetrators to account,” the U.K. government’s foreign secretary, Dominic Raab, said in a statement on Thursday.

John Hultquist, senior director of intelligence analysis for FireEye Inc., said APT29 had not received as much public attention because it tends “to quietly focus on intelligence collection,” unlike other Russian hacking groups, which have carried out destructive attacks and disinformation operations.

“It’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure,” Hultquist said. “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We’ve also seen significant Covid-related targeting of governments that began as early as January.”- Bloomberg
