The United States, the United Kingdom, and Canada jointly accused Russian intelligence of likely attempting to hack into groups conducting COVID-19 vaccine development in all three countries in an effort to steal their research.
The National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, along with the U.K.’s National Cyber Security Centre and Canada’s Communications Security Establishment, signed on to a report assessing that the hacking group “APT29” — advanced persistent threat 29, also known as “the Dukes” or “Cozy Bear” — is “almost certainly part of Russian intelligence services.”
“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States, and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the 16-page joint alert by the U.S., U.K., and Canada concluded.
The three allies noted that the Russian hacking operation “uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain” and that it is currently using custom malware known as “WellMess” and “WellMail” to target organizations around the world, including those “involved with COVID-19 vaccine development.” This is the first time this particular malware has been publicly assessed by these governments to be part of a Russian intelligence operation.
“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organizations. The group then deployed public exploits against the vulnerable services identified,” the report stated. “APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic.”
Russia now joins China in being accused by the U.S. of conducting cyberattacks to steal coronavirus research. Back in May, the FBI and DHS’s CISA said the U.S. was “issuing this announcement to raise awareness of the threat to COVID-19-related research” by hackers backed by the People’s Republic of China and that the U.S. was “investigating the targeting and compromise of U.S. organizations conducting COVID-19-related research by PRC-affiliated cyber actors.”
The U.S. intelligence community reportedly believes the Chinese Communist Party downplayed the severity of the initial coronavirus outbreak and that China continues to mislead about the infection rate and the death toll inside the country. Beijing has denied orchestrating a cover-up of its coronavirus response.
Russia’s APT29 and its affiliates have previously been implicated in hacking operations against the State Department, the White House, U.S. think tanks, the Dutch and Norwegian governments, and more. The cybersecurity firm CrowdStrike assessed in the summer of 2016 that Cozy Bear and another Russian hacking group known as Fancy Bear assisted in the cyberattacks on the Democratic National Committee in 2016.
Special counsel Robert Mueller’s investigation concluded that Russia interfered in 2016 in a “sweeping and systematic fashion” through a Russian military intelligence hacking operation against the DNC and by providing thousands of emails to WikiLeaks for dissemination but that the evidence “did not establish” any criminal conspiracy between the Russians and the Trump campaign.
The news about Russian intelligence’s involvement in coronavirus cybertheft came the same day as the U.K. government assessed that “Russian actors” had attempted to interfere in the 2019 general election through the “online amplification of illicitly acquired and leaked government documents.” The same documents were a central part of Labour Party leader Jeremy Corbyn’s unsuccessful bid to defeat Conservative Party leader and British Prime Minister Boris Johnson.
