Russian APT Group is Targeting Organizations Involved in COVID-19 Research

The APT29 hacking group, also known as Cozy Bear, is targeting healthcare organizations, pharmaceutical companies, and research agencies in the United States, United Kingdom, and Canada in an attempt to steal research information about COVID-19 and the development of a vaccine.

On July 16, 2020, Canada’s Communications Security Establishment (CSE), the National Security Agency (NSA), the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), and the UK National Cyber Security Centre (NCSC) issued a joint advisory to raise awareness of the threat.

APT29 is a cyber espionage group that is almost certainly a partner of the Russian intelligence services. The group mainly targets government entities, diplomats, think tanks, and energy-sector organizations in order to steal sensitive information. The group has been very active throughout the COVID-19 pandemic and has conducted several attacks on entities working on COVID-19 research and vaccine development.

The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain access to vulnerable systems. The group has used exploits for the following vulnerabilities: Citrix vulnerability CVE-2019-19781, FortiGate vulnerability CVE-2019-13379, Pulse Secure vulnerability CVE-2019-11510, and Zimbra vulnerability CVE-2019-9670. The group may also use other exploits.

APT29 uses a number of tools to obtain access credentials and establish persistent access to systems, and it relies on anonymizing services whenever it uses stolen credentials. APT29 is attacking organizations with custom malware, including WellMess and WellMail, two malware variants that APT29 has not used previously.

WellMess is lightweight malware written in Golang or .NET that can execute arbitrary shell commands and upload and download files. It uses HTTP, TLS, and DNS for communication. WellMail is a lightweight application that uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. A third malware variant, called SoreFang, is also being used. SoreFang is a first-stage downloader that exfiltrates information over HTTP and downloads second-stage malware. The attackers use the malware to target SangFor devices.

Attacks on institutions engaged in COVID-19 research are likely to continue, and any organization involved in COVID-19 research should consider itself a target. Entities have been advised to take action to protect their systems and to monitor for attacks.

Organizations must make sure all software is patched and up to date, prioritizing the patches for CVE-2019-13379, CVE-2019-9670, CVE-2019-19781, and CVE-2019-11510. Antivirus software must be used and kept up to date, and regular scans must be run to detect downloaded malware variants.

Multi-factor authentication should be enforced to prevent stolen credentials from being used to gain access to systems. All staff should be educated about the threat from phishing, and all workers should be confident in their ability to identify a phishing attack. All staff should be told to report any suspected phishing attacks to their security teams, and reports should be investigated quickly and carefully.

Organizations have been advised to set up security monitoring so that all the data needed to support investigations into network intrusions is collected. Networks should be segmented, and measures should be in place to prevent and detect lateral movement within networks.