‘Cozy Bear’ Group Tied to Hacks on Covid Vaccine Research

(Bloomberg) -- In the world of nation-state hacking groups, APT29, or Cozy Bear, has kept a relatively low profile, focusing on gathering intelligence rather than creating a stir.

That changed on Thursday, when the hacking group tied to the Russian government was accused of using a combination of known security vulnerabilities and custom-made malware to infiltrate organizations involved in developing a vaccine for Covid-19, according to the U.K. and U.S. cybersecurity agencies.

The group, also known as The Dukes, has long been affiliated with Russian intelligence agencies, including the Russian Foreign Intelligence Service (SVR) and the Russian Federal Security Service (FSB), according to researchers. APT29 has a history dating back to 2008 and has targeted dozens of governments, research institutes and corporations around the world in an effort to gather intelligence that may inform Russian government policy making, according to researchers who have studied the group.

On Thursday, governments in the U.K., U.S. and Canada jointly announced that they concluded that APT29 had targeted “various organizations involved in Covid-19 vaccine development.” The governments didn’t identify specific victims of the hacking campaign. The hackers were probably acting “with the intention of stealing information and intellectual property relating to the development and testing of Covid-19 vaccines,” according to a statement from the U.K.’s National Cyber Security Centre.

The Kremlin denied the accusations. “Russia has nothing to do with these attempts,” said spokesman Dimitry Peskov.

Read More: U.K. Says Russians Try to Steal Vaccine Research

Artturi Lehtiö, director of strategy and corporate development for Finnish cybersecurity company F-Secure, said that targeting Covid-19 research projects possibly marked a change in approach for the hacking group. “They traditionally go after intelligence that would inform policy and their interactions with other nations,” Lehtiö said. If the allegations are true, he added, it “suggests Covid-19 is such a major national security priority” for Russia that the group’s “capabilities are being retasked.”

It’s not clear whether the hackers’ efforts were successful in stealing information about Covid-19 research. Technical details released by the U.K.’s National Cyber Security Centre alleged on Thursday that the hackers used a combination of methods to break into their victims’ computers.

Security Weaknesses

The hackers scanned organizations’ computer systems for vulnerabilities. They exploited security weaknesses in Citrix Systems Inc. software and virtual private network products from companies including Pulse Secure Inc. and Fortinet Inc., according to U.K. cybersecurity officials. Security vulnerabilities in those products had been publicized in 2018 and 2019, but some organizations may not have updated their software, leaving them open to attack, the officials said.

“While we cannot confirm that the attack vectors for this group took place via this vulnerability, we are reaching out to customers and strongly urging them to implement the upgrade and mitigations,” Sandra Wheatley Smerdon, a Fortinet spokeswoman, said in an email, noting that the company had alerted customers in 2019 “strongly recommending an upgrade.”

Citrix and Pulse Secure didn’t immediately respond to a request for comment.

The hackers also sent out spearphishing emails -- which typically include malicious code hidden in an attachment -- in an attempt to obtain login credentials for websites associated with the Covid-19 organizations. And they created customized malware -- named SoreFang, WellMail, and WellMess -- to steal data from infected computers, according to U.K. officials.

Over the last decade, APT29 has been accused of hacking governments and political organizations in the U.S., Georgia, Turkey, Uganda, Norway, and the Netherlands. Most famously, the group was behind the attack on the Democratic National Committee’s servers, according to the cybersecurity company Crowdstrike, resulting in embarrassing leaks of internal emails in the run-up to the 2016 U.S. presidential election.

Another Russian group, APT28, or “Fancy Bear,” got more attention in that episode because of its role in influence and disinformation operations.

Confirming who’s behind hacks can be difficult, due to methods the hackers can use to conceal their identity. In 2014, however, the Dutch intelligence agency turned the tables on APT29 by hacking their computers and using their webcams to spy on them, identifying them as members of Russia’s Foreign Intelligence Service. Later, Dutch intelligence operatives were able to use the access they obtained to watch members of APT29 planned and carried out their hack on the Democratic National Committee.

‘Highly Likely’

According to the U.K. government, it’s 95% sure that APT29 is part of the Russia’s intelligence services. British authorities said they have concluded that it’s “highly likely” the group had targeted medical research and development organizations to gather information on Covid-19 vaccine research. “The U.K. will continue to counter those conducting such cyber-attacks, and work with our allies to hold perpetrators to account,” the U.K. government’s foreign secretary, Dominic Raab, said in a statement on Thursday.

John Hultquist, senior director of intelligence analysis for FireEye Inc., said APT29 had not received as much public attention because it tends “to quietly focus on intelligence collection,” unlike other Russian hacking groups, which have carried out destructive attacks and disinformation operations.

“It’s no surprise that cyber espionage capabilities are being used to gather intelligence on a cure,” Hultquist said. “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We’ve also seen significant Covid-related targeting of governments that began as early as January.”

©2020 Bloomberg L.P.