The hackers have been trying to breach programs in all three countries, the officials said in a security assessment issued by the U.K.’s National Cyber Security Centre (NCSC). Agencies from the U.S. and Canada contributed to the effort.
The hacking is aimed predominantly at “government, diplomatic, think-tank, healthcare and energy targets,” the NCSC said in the assessment.
A senior official with the U.S. National Security Agency urged organizations to pay attention to the technical details in the document.
“APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” NSA Cybersecurity Director Anne Neuberger said in a separate statement.
“Whatever country’s or companies’ research lab is first to produce that is going to have a significant geopolitical success story,” the assistant attorney general for national security, John Demers, said during a panel discussion earlier this year. “We are very attuned to increased cyber intrusions to medical centers, research centers, universities — anybody that is doing research in this area.”
APT29 is the same group of Russian intelligence hackers that breached the Democratic National Committee in 2016, and has been linked with Russia’s Foreign Intelligence Service (SVR) or the country’s Federal Security Service (FSB), according to Estonian intelligence. Russia is now the second nation-state the U.S. has accused of targeting coronavirus research. In May, the Department of Homeland Security and the FBI accused China-backed hackers of targeting such information.
‘WellMess’ and ‘WellMail’
The Russians have been hacking in the U.S., U.K., and Canada using custom malware, dubbed “WellMess” and “WellMail,” neither of which had previously been publicly linked to APT29, the NCSC said in a public version of its analysis. The hackers were likely looking for credentials that would allow them further access, the NCSC said.
“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations,” the NCSC said. “The group then deployed public exploits against the vulnerable services identified.”
WellMess malware can be used by hackers to execute arbitrary shell commands and to upload and download files, the NCSC said. While WellMess has been previously reported by Japan’s JPCERT, WellMail has not previously been reported, the NCSC said. WellMail could allow attackers to run commands with results sent to a hardcoded command and control server, the NCSC said.
Cyber Command, the offensive hacking arm of the U.S. Department of Defense, shared samples of the malware with the information-sharing repository VirusTotal on Thursday. It was only the second time the command, which hunts for adversarial malware on partner networks, had directly attributed malware to a nation-state actor. Typically, the command leaves the attribution and analysis up to researchers. The command made its first attribution to the North Korean government in February, as CyberScoop first reported.
To gain initial access, APT29 used publicly available exploits, including vulnerabilities in Citrix, Pulse Secure, FortiGate, and Zimbra technologies, the NCSC said.
Hospitals and research entities have been a target of criminal and state-backed hackers since the pandemic began earlier this year. Hackers have been sending spearphishing emails with coronavirus-themed lures that actually deliver malware or malicious links. Some actors have been running financially motivated, pandemic-themed ransomware campaigns, according to CrowdStrike.
In addition to the U.K.’s NCSC and the U.S. NSA, the U.S. Department of Homeland Security and Canada’s Communications Security Establishment collaborated on the security assessment.