Share this article on:
The APT29 hacking group, aka Cozy Bear, is targeting healthcare organizations, pharma firms, and research entities in the United States, United Kingdom, and Canada and is attempting to steal COVID-19 research data and information about vaccine development.
On July 16, 2020, a joint advisory was issued by the DHS’ Cybersecurity and Infrastructure Security Agency (CISA), UK National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE), and the National Security Agency (NSA) to raise awareness of the threat.
APT29 is a cyber espionage group that is almost certainly part of the Russian intelligence services. The group primarily targets government entities, think-tanks, diplomatic and energy targets in order to steal sensitive data. The group has been highly active during the COVID-19 pandemic and has conducted multiple attacks on entities involved COVID-19 research and vaccine development.
The group conducts widespread scanning to identify unpatched vulnerabilities and uses publicly available exploits to gain a foothold in vulnerable systems. The group has successfully used exploits for the Citrix vulnerability CVE-2019-19781, the Pulse Secure vulnerability CVE-2019-11510, the FortiGate vulnerability CVE-2019-13379 and the Zimbra vulnerability CVE-2019-9670. Other exploits may also be used by the group.
APT29 uses variety of tools to obtain access credentials and achieve persistent access to systems and uses anonymizing services when using stolen credentials. APT29 is using custom malware variants to attack organizations, including WellMess and WellMail, two malware variants that have not previously been used by APT29.
WelMess is a lightweight malware variant written in Golang or .NET that can execute arbitrary shell commands and upload and download files and uses HTTP, TLS and DNS for communication. WellMail is a lightweight tool that uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. A third malware variant, named SoreFang, is also being used. SoreFang is a first stage downloader that exfiltrates data via HTTP and downloads a second state malware. The malware is used to target SangFor devices.
Attacks on organizations involved in COVID-19 research are likely to continue and any organization involved in COVID-19 research should consider itself a target. Organizations have been advised to take steps to secure their systems and monitor for attacks.
Organizations should ensure that all software is patched and up to date, and the patches for CVE-2019-19781, CVE-2019-11510, CVE-2019-13379 and CVE-2019-9670 should be prioritized. Antivirus software should be used and kept up to date, and regular scans should be conducted to identify downloaded malware variants.
Multi-factor authentication should be implemented to prevent stolen credentials from being used to gain access to systems. All staff should be educated about the threat from phishing and all employees should be confident in their ability to identify a phishing attack. All staff should be instructed to report any suspected phishing attacks to their security teams and reports should be investigated promptly and thoroughly.
Organizations have been advised to set up a security monitoring system to ensure that all necessary data is collected to support investigations into network intrusions. Networks should be segmented, and steps taken to prevent and detect lateral movement within networks.