Hackers, most probably, working for Russian intelligence agencies have been targeting organizations involved in the R&D of the COVID-19 vaccine.

What’s going on?

The British, Canadian, and American governments have accused Russian hackers of attempting to steal coronavirus vaccine research. The ongoing hacking activity is attributed to the APT29 threat group, also known as Cozy Bear, Yttrium, or The Dukes. The targeted sectors include healthcare, energy, think tanks, diplomatic, and government departments.

Techniques applied

  • Publicly available exploits are most commonly used by the actors to carry out widespread scanning and exploitation against vulnerable systems.
  • The group may also contain stolen credentials to gain access to systems.
  • For stealing COVID-19 vaccine research and development, the attackers conducted basic vulnerability scanning against certain external IP addresses owned by the targeted organizations.
  • Spear-phishing attacks are also used to gain authentication credentials to internet-accessible login pages for target organizations.

Custom malware

  • After gaining access to the network, the Cozy Bear group deploys custom malware known as WellMail or WellMess to conduct further operations on the victim’s system. 
  • WellMail is written in Golang to run arbitrary shell commands on Linux and Windows. 
  • It is a lightweight tool that runs scripts or commands with the results being conveyed to a hardcoded C2 server.
  • The IOCs can be found here.

The bottom line

  • APT29 is one of the highest-profile and most successful hacking groups backed by the Russian government. Experts indicate that the threat actor is likely to continue targeting organizations associated with COVID-19 vaccine research. Hackers associated with this group are after confidential information but do not release them publicly.
  • It is recommended that organizations take proactive security measures to protect their research. 

Cyware Publisher