Russian state-backed APT-29 has been accused of attempting to steal Covid-19 vaccine-related research from medical and pharmaceutical research institutions, according to a joint statement published by the U.S. Department of Homeland Security (DHS), the U.K.'s National Cyber Security Centre (NCSC) and Canada's Communications Security Establishment (CSE).

APT29, widely believed to be backed by Russia's foreign intelligence service, has been found using custom malware such as WellMess and WellMail for data exfiltration, the advisory jointly published by the US, UK and Canada reads.

The operation is believed to have been running for several months, starting as early as February or March, targeting organizations involved in Covid-19 vaccine research and development, with the likely motivation of stealing information and documents about their progress in that domain. The specific activity was seen starting in April, but infosec researchers said cyber attacks related to Covid-19 vaccine development have been active all year, targeting every country that has made significant progress, i.e. entered human trials.

The Covid-19 threat has been the largest problem faced by governments all over the world, and governments and institutions are ready to sign blank checks to obtain a leg up in the development of a Covid-19 cure. So it is no surprise that the prime focus of hacking activity has shifted to procuring information about it. Both public and private institutions working on research and development of Covid-19 vaccines and cures have been prime targets for hackers from China, Russia and Iran since the very beginning of the year.

However, no state-owned cyber intelligence department has been able to confirm whether this activity has succeeded. "Whatever country's or companies' research lab is first to produce that is going to have a significant geopolitical success story," the assistant attorney general for national security, John Demers, said during a panel discussion earlier this year. "We are very attuned to increased cyber intrusions to medical centers, research centers, universities — anybody that is doing research in this area." That is why governments are using all resources at their disposal to monitor or access the progress of institutions in other countries.

Known Vulnerabilities Exploited

To gain an initial foothold in target networks, APT-29 exploited known vulnerabilities such as Citrix code injection bugs and the Pulse Secure VPN flaw. After gaining the initial foothold, it looked for credentials on publicly accessible internet login pages in order to reach information stored in the cloud. However, it is not yet clear whether the deployed exploits succeeded in any lateral movement across the network.

Malwares in Play

APT29 is employing the homegrown malware WellMess and WellMail to exfiltrate data from user computers. WellMess is a lightweight malware designed to execute arbitrary shell commands and to upload and download files. WellMail, on the other hand, is used to maintain communication with C2 servers. Both malware families use hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.
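As an added illustration (not code from the advisory or from the malware authors), here is a defender-side check that turns the hard-coded certificate behaviour described above into detection logic: it scans TLS session records for the combination of a client certificate, a server certificate that does not validate against the local trust store, and missing SNI. The log lines are constructed and only loosely modelled on Zeek's ssl.log; the field names and values are assumptions.

```python
import json

# Constructed sample records (not real traffic), loosely modelled on
# Zeek ssl.log fields; the field names and values are assumptions.
SAMPLE_LOG = """\
{"uid": "C1", "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "server_name": "updates.example.org", "issuer": "CN=Public CA", "client_subject": null, "validation_status": "ok"}
{"uid": "C2", "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.22", "server_name": null, "issuer": "CN=Test CA", "client_subject": "CN=Test Client", "validation_status": "unable to get local issuer certificate"}
{"uid": "C3", "id.orig_h": "10.0.0.9", "id.resp_h": "10.0.5.20", "server_name": "vault.corp.example", "issuer": "CN=Corp Internal CA", "client_subject": "CN=host-9.corp.example", "validation_status": "ok"}
"""


def session_indicators(rec):
    """Return the reasons a single TLS session looks like mutual-TLS beaconing."""
    reasons = []
    # A workstation presenting a client certificate is rare outside
    # internal mutual-TLS services (the implant carries its own client cert).
    if rec.get("client_subject"):
        reasons.append("client certificate presented")
    # A server certificate that fails validation against the system trust
    # store points to a private CA baked into the client, not a public CA.
    status = rec.get("validation_status")
    if status and status != "ok":
        reasons.append(f"server certificate not trusted ({status})")
    # Ordinary HTTPS clients send SNI; a custom implant often omits it.
    if not rec.get("server_name"):
        reasons.append("no SNI")
    return reasons


def find_suspicious_sessions(log_text, min_reasons=2):
    """Map session uid -> reasons, for sessions with at least min_reasons hits.

    Requiring two indicators keeps legitimate internal mTLS (client cert,
    but trusted issuer and SNI present) from being flagged.
    """
    hits = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = session_indicators(rec)
        if len(reasons) >= min_reasons:
            hits[rec["uid"]] = reasons
    return hits


if __name__ == "__main__":
    for uid, reasons in find_suspicious_sessions(SAMPLE_LOG).items():
        print(uid, "->", "; ".join(reasons))
```

The threshold is a starting point; in practice the internal-CA issuer and known mTLS destinations would be allow-listed rather than relying on the count alone.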

Investigating agencies also concluded that APT29 is using another malware, named NCSC, which first exfiltrates first-stage data from the user's computer and then downloads second-stage malware for further operations.

Who Is APT-29?

The history of APT-29 stretches back to 2014, when it was first identified by Kaspersky Lab while carrying out a data mining attack against the White House and the Department of State. In November 2016 it was again found running a widespread phishing campaign against the White House and the Joint Chiefs of Staff. The same year, ahead of the US presidential election, it intruded into the Democratic National Committee, the most high-profile successful attack attributed to APT-29, also known as Cozy Bear. The group has been engaged in various other attacks against high-value targets across the US, including but not limited to media, law enforcement, US military institutes, pharmaceutical companies and national government.

In February 2017, it was revealed that Cozy Bear and Fancy Bear had made several attempts to hack into Dutch ministries, including the Ministry of General Affairs, over the previous six months. Rob Bertholee, head of the AIVD, said on EenVandaag that the hackers were Russian and had tried to gain access to secret government documents. In a briefing to parliament, Dutch Minister of the Interior and Kingdom Relations Ronald Plasterk announced that votes for the Dutch general election in March 2017 would be counted by hand.

Immediately after the incident, the Dutch intelligence agency claimed that it had successfully hacked computers of the APT-29 group and, through the cameras of the hacked computers, identified the faces of people reportedly recruited by Russia's foreign intelligence service, a claim the Kremlin denies.

Michael Daly, CTO of Raytheon Intelligence and Space, said APT-29 is not focused simply on intellectual property theft. Instead, the group is more focused on influence operations, the changing of hearts and minds to thwart and diminish the power of governments and organizations, including but not limited to interfering in the elections of other countries.