Covid-19 pandemic: Russian hackers target UK, US and Canadian research

Allie Nawrat 3 August 2020 (Last Updated July 31st, 2020 15:32)

Security services in the UK, US and Canada have determined that the Russian cyber hacking group – APT29 – has been trying to illicitly access Covid-19 research. But, what makes Covid-19 research, and medical data in general, a target for state-sponsored espionage groups?

The main approach used by APT29 in the attacks was custom malware called WellMess and WellMail. Credit: Shutterstock.

In mid-July, the UK’s National Cyber Security Centre (NCSC) published a report stating that the cyber espionage group, APT29, which is “almost certainly part of the Russian intelligence services”, has been attacking organisations based in the UK, US and Canada that are involved in developing Covid-19 vaccines.

This assessment was supported by the Canadian Communication Security Establishment, as well as the US Department for Homeland Security’s Cybersecurity Infrastructure Security Agency and the National Security Agency.

Naming APT29 as the perpetrator expands upon a previous announcement made by the NCSC in May that “advanced persistent threat (APT) groups were looking to exploit the uncertainty that surrounds the Covid-19 crisis”, explains SonicWall CEO and advisor to GCHQ Bill Conner.

Russian authorities have vehemently denied these allegations and have asked for evidence to back up these claims by the US, UK and Canadian authorities.

Details of the APT29 attack

APT29 – also known as ‘The Dukes’ or ‘Cozy Bear’ – used a variety of tools to target a range of organisations with the suspected intention of stealing information and intellectual property associated with investigational Covid-19 vaccines, according to the NCSC report.

The NCSC claimed that APT29 used publicly available tools to scan and exploit vulnerable systems in order to obtain credentials that enable deeper access.

The main approach used is custom malware known as WellMess and WellMail. The NCSC explains that WellMess has been in use since at least 2018; it is a “lightweight malware designed to execute arbitrary shell commands, upload and download files”. WellMail is similarly a lightweight malware, but it runs commands or scripts and sends the results to a “hardcoded Command and Control (C2) server”.

Conner explains that although it is difficult to directly identify the source of a cyberattack, “the complexity behind the malware targeting these research institutions would be telling of a state-sponsored attack”. APT29 has been previously linked with the Russian security service.

Why target Covid-19 research?

The Covid-19 pandemic has caused unprecedented disruption to society and national economies, so it is not surprising that it would be the target of cyberattacks, particularly from state actors. Being the first to secure a Covid-19 vaccine is likely to bring significant advantages on the global stage.

“It is important to view the coronavirus vaccine as a critical piece of intellectual property,” notes Conner. “It is sought after by every major geopolitical player globally and, therefore, is a central target for nation-state actors vying for dominance.”

There is much for cybercriminals to gain from fraudulently gaining access to Covid-19 vaccine research. “Acquiring vaccines and therapeutics could potentially provide a country with short-term economic benefits as they begin to sell the illegally obtained technology,” says Conner. “It could also provide them with long-term economic benefits, giving them a research edge that could catapult them ahead of other countries striving to achieve dominance as a distributor during a global pandemic.”

“While Russia was the first country to be placed in the spotlight, it is only a matter of time before another nation-state resorts again to cybercrime to influence or control global healthcare during a time of great need,” concludes Conner.

Mandiant Threat Intelligence senior director of intelligence analysis John Hultquist told Verdict that actors from other countries – including Iran and China – are already involved in Covid-19 cyberattacks.

Beyond the pandemic: medical data as a target

Although the pandemic provides a clear geopolitical motive to cyberattack medical and research organisations, these organisations have been vulnerable to attacks for many years. In fact, there is evidence that suggests the number of attacks on medical and healthcare organisations is actually increasing.

Conner provides the example of the WannaCry attack on the UK’s National Health Service (NHS) in 2017-8. This was a global ransomware attack that targeted computers running Microsoft Windows. It affected up to 70,000 devices owned by around 200 NHS hospitals in England and Scotland; it is estimated this attack cost the NHS £92m, according to a government report.

Medical organisations are targets of attacks, and are likely to be targeted increasingly in the future, largely because of the data they hold. “The data housed on these systems is very valuable and important in preventing diseases and advancing countries’ medical development,” explains Conner. Healthcare data is extremely lucrative on the black market.