On Thursday, Great Britain, the United States and Canada accused a hacking group surmised to be part of the Russian intelligence apparatus of attempting to pilfer information from foreign vaccine researchers.
The group accused of the attempted theft was identified as APT29, aka Cozy Bear. The British announcement naming the hacking group came from Britain’s National Cyber Security Centre (NCSC), which stated:
The NCSC assesses that APT29, also named “the Dukes” or “Cozy Bear” almost certainly operate as part of Russian intelligence services. This assessment is also supported by partners at the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA). APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, healthcare and energy targets to steal valuable intellectual property.
NCSC Director of Operations Paul Chichester blasted the Russians, saying, “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic. Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”
The statement continued, “Known targets of APT29 include UK, US and Canadian vaccine research and development organisations. The group uses a variety of tools and techniques, including spear-phishing and custom malware known as ‘WellMess’ and ‘WellMail.’”
British Foreign Secretary Dominic Raab stated, “It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”
The British government asserted, “NCSC are almost certain (95%+) that APT29 are part of the Russian Intelligence Services. APT29 has targeted medical research and development organisations. NCSC assess it is highly likely (80 – 90%) that this activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.”
“Cozy Bear, also known as the ‘dukes,’ has been identified by Washington as one of two Russian government-linked hacking groups that broke into the Democratic National Committee computer network and stole emails ahead of the 2016 presidential election. The other group is usually called Fancy Bear,” AP reported.
In November 2018, FireEye reported:
On November 14, 2018, FireEye detected new targeted phishing activity at more than 20 of our clients across multiple industries … There are several similarities and technical overlaps between the 14 November 2018, phishing campaign and the suspected APT29 phishing campaign on 9 November 2016, both of which occurred shortly after U.S. elections … APT29 is a sophisticated actor, and while sophisticated actors are not infallible, seemingly blatant mistakes are cause for pause when considering historical uses of deception by Russian intelligence services.