Russian state-based hackers have targeted Western COVID-19 vaccine development, the cybersecurity agencies of the United States, United Kingdom, and Canada say.
APT29, a hacker group that has been linked to the Kremlin and Russian-sanctioned hacking campaigns, undertook a campaign to steal information and intellectual property around the development and testing of vaccines for the novel coronavirus.
The campaign sought to “hinder response efforts at a time when healthcare experts and medical researchers need every available resource to help fight the pandemic,” reads a joint statement from the three countries.
The hackers used malware known as “WellMess” and “WellMail” in order to gain access to researchers’ computers. Japan’s cyber security agency issued an alert in 2018, warning that WellMess was targeting Windows and Linux machines, after the malware was found on Japanese systems.
The malware gives hackers the ability to access the target system and upload and download files at will. The hacks have not been publicly connected to APT29 before today.
“Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” reads a joint technical advisory.
It’s not clear how successful the hackers were.
A spokesperson for Russian President Vladimir Putin strenuously denied that Russia tried to hack Western research agencies. “Russia has nothing to do with these attempts and we do not accept such accusations just like we don’t accept yet another set of unfounded accusations of interference in the 2019 [UK] elections,” the spokesperson said, per CNN.
The British also announced Thursday that evidence points to Russian interference in their 2019 election.
The Russian hacker group, sometimes referred to as “Cozy Bear” or by other aliases, was also identified as the group responsible for the hack on the servers of the Democratic National Committee, putting it at the centre of a conspiracy by Moscow to try to elect Donald Trump as president.
“The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain,” reads an assessment from the UK.
The Communications Security Establishment (CSE), Canada’s main signals intelligence agency and cyber security organization, concluded that APT29 “almost certainly operates as part of Russian intelligence services”—a very high degree of confidence.
The Establishment was joined by the UK’s Government Communications Headquarters’ National Cyber Security Centre and the American Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the UK agency wrote in a technical assessment.
The CSE is imploring health organizations to take steps to protect themselves from cyber attack, and has previously released an assessment warning of potential cyberattacks on COVID-19 researchers.
The joint assessment says APT29 used known exploits in commercial VPN and remote access software, including Citrix, PulseSecure, and Fortinet.
Follow Justin Ling on Twitter.