U.S., U.K. Officials Call for Russia to Stop Hacking COVID-19 Researchers

The Russian Intelligence Service is behind recent cyberattacks on COVID-19 researchers, according to a joint advisory issued by the United Kingdom, the United States and Canada. 

“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” British Foreign Secretary Dominic Raab said in a press release Thursday. “While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”

The National Security Agency and the Cybersecurity and Infrastructure Security Agency presented a united front along with Canada’s Communications Security Establishment in sharing a document prepared by the U.K.’s National Cyber Security Centre that includes tools and techniques used by the attackers, and instructions for mitigating the threat. 

The advisory further muddies the waters in what used to be distinct pools of motivation for advanced persistent threats from nation-states. U.S. officials more typically associate attempts to steal intellectual property with the Chinese government through a group known as APT 10. 

On Thursday, as the cyber agencies alerted the public to the Russian threat, a top U.S. official called attention to China’s malicious behavior in the space.

“The FBI and Department of Homeland Security recently warned that the People’s Republic of China was attempting to steal American vaccine and therapeutics research — an unconscionable act in the midst of the coronavirus pandemic,” Kelvin Droegemeier, President Trump’s science advisor, wrote in a piece for Fox News. The piece described a Joint Committee on the Research Environment, an initiative surrounding efforts to root out China-funded scientists in U.S. institutions and withholding visas for Chinese students to pursue graduate studies in certain fields. 

CISA also recently attributed disinformation attempts—which had more typically been associated with Russian actors trying to sew discord—to China. 

The Details

Thursday’s joint advisory on intellectual property theft related to COVID vaccine development research names APT29, also known as “Cozy Bear,” and “the Dukes,” and associates custom-built malware “WellMess” and “WellMail” with the group for the first time. 

“The group frequently uses publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems, likely in an effort to obtain authentication credentials to allow further access,” the advisory reads.

Once inside, Wellness can upload or download files, while Wellmail can run scripts and send results back to a hardcoded command and control center, the NCSC says. 

The advisory also mentions the malware SoreFang, a sample of which “contains the same infrastructure as a WellMess sample.” The advisory says it’s “likely” that SoreFang targets devices made by Sangfor, an Enterprise Cloud & Network Security Solutions company headquartered in Shenzhen, China, but notes this malware is not exclusively being used by the Russian APT 29 group.    

Mitigations include keeping devices and networks up to date by using the latest supported versions, applying security patches promptly, using anti-virus and scanning regularly to guard against malware threats.

The advisory also recommends using multi-factor authentication to reduce the harm from passwords being compromised, encouraging workers to report suspected phishing attempts— users should never be punished for clicking on phishing links, the advisory says—and collecting data to analyze network intrusions.