Once again, we learn that COVID-19 research is being targeted by a nation state actor. This time, it’s Russia.

A joint statement by the United States National Security Agency (NSA), the United Kingdom’s National Cyber Security Centre (NCSC), a part of the Government Communications Headquarters (GCHQ), Canada’s Communications Security Establishment (CSE), and the Department of Homeland Security (DHS) announced Russia is targeting and attacking entities conducting COVID-19 research in the West.

In April, the FBI issued a warning about the Chinese intelligence efforts to penetrate entities which are conducting COVID research. So, it comes as no surprise to learn that Russia has also been actively targeting research entities developing a COVID-19 vaccine.

Russia dusts off their 2016 cyber toolbox

According to the NCSC, the Advanced Persistent Threat (APT) Russian cyber group APT29, also known as Cozy Bear, is behind the efforts to penetrate and acquire the research. Readers will recall being introduced to Cozy Bear in 2016, when we wrote of Cozy Bear’s hand in penetrating the Democratic National Committee servers and lifting significant amounts of data as part of their strategy to disrupt the U.S. elections.

It stands to reason, while during a pandemic, the Russian intel apparatus would reach into their toolbox for the tools which worked in the past given the urgency of their task at hand – know all things COVID-19.

The NCSC noted, “APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic.”

Director of cybersecurity at the NSA, Anne Nuerberger tells us,

“We, along with our partners, remain steadfast in our commitment to protecting national security by collectively issuing this critical cyber security advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic, APT29 has a long history of targeting governmental, diplomatic, think-tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory.”

Russia denies all

Russia, as can be expected, denies any connection to the cyber attacks being experienced by the COVID-19 researchers. Indeed, Russia’s Ambassador to the UK, Andrei Klien, noted that Russian pharmaceutical company, R-Pharm, was engaged in a partnership with AstraZeneca (NB: AstraZeneca and Oxford University in the UK are conducting research into a COVID-19 vaccine). Of course, Klein isn’t expected to respond differently.

Russia Pries The Door Open and Used Some of their usual tools

Cozy Bear, according to the NCSC report, used a variety of tools to garner access, including spear-phishing and malware. The COVID-19 cyber-attacks are known as “WellMess” and “WellMail” and had not previously been associated with Cozy Bear (APT29). The report notes how the attackers used basic vulnerability scanning against IP addresses known to be associated with targeted entities. Once access was confirmed as being available, they reached into the toolbox and pulled out known exploits to garner a foothold within the systems.

  • WellMess, was first identified by security researchers in July 2018, and it is designed to execute commands and download files.
  • WellMail, so named by the NCSC, identifies the tool which was “designed to run commands or scripts.”

Information security (infosec) organizations will be well served by reviewing the NSCS report appendix for both the IP addresses associated with the attackers, as well as, the hashes associated with the indicators of compromise (IOC).

What’s Russia’s Motive?

The motive behind Russia’s attacks are to ensure any vaccine is available for its own population amidst fears of some western countries hoarding the initial vaccine supplies. A second, perhaps less obvious, is their continued interest in seeing the COVID-19 infection rates continue to increase, in the West, specifically in the U.S.

It is no secret that Russia has a strategic goal to continue to undermine the U.S. and its economy. Information gleaned from the various hacks provides their wordsmiths with nuggets of truth upon which to plant the seeds of fear and doubt via the established and recognized Russian disinformation infrastructure.

Related News

Christopher Burgess (@burgessct) is an author and speaker on the topic of security strategy. Christopher, served 30+ years within the Central Intelligence Agency. He lived and worked in South Asia, Southeast Asia, the Middle East, Central Europe, and Latin America. Upon his retirement, the CIA awarded him the Career Distinguished Intelligence Medal, the highest level of career recognition. Christopher co-authored the book, “Secrets Stolen, Fortunes Lost, Preventing Intellectual Property Theft and Economic Espionage in the 21st Century” (Syngress, March 2008). He is the founder of securelytravel.com