The National Cyber Security Centre (NCSC) has warned that hackers linked to the Russian intelligence services are targeting those researching a coronavirus vaccine.
The warning has been issued by the UK’s cyber security agency alongside its US and Canadian counterparts.
Here is a closer look at the details of the cyber campaign.
– What’s happened?
Today the @NCSC and partners in 🇺🇸 and 🇨🇦, have revealed that Russian intelligence service cyber units have been behind a serious of irresponsible & unacceptable attacks collecting information on vaccine research. https://t.co/2GNXuqualx 1/3 pic.twitter.com/EMfKmHxCtV
— Foreign Office 🇬🇧 (@foreignoffice) July 16, 2020
The UK’s cyber security agency, the NCSC, has revealed Russian cyber criminals have targeted UK academic and healthcare organisations with the aim of stealing information relating to the development of a Covid-19 vaccine.
The NCSC, working with counterparts in the US and Canada, has identified the attackers as a hacking group known to security researchers as APT29 – but also known as The Dukes or Cozy Bear – and say they are “almost certainly” working as part of the Russian intelligence services.
– How were the attacks carried out?
The cyber criminals have attempted to break into a number of UK, US and Canadian vaccine research and development organisations using a range of cyber attack tools, including phishing scams and custom malware known as “WellMess” and “WellMail”.
The agency said the hackers used publicly known software vulnerabilities to try to gain “initial footholds” in systems and collect data such as login credentials which could be useful later on in order to gain further access.
The NCSC said the APT29 group had specifically targeted IP addresses owned by organisations working on a Covid-19 vaccine and scanned them for vulnerabilities and attempted to use known flaws to try to gain access.
The NCSC added that it wanted to reassure the public that the UK was protected and defended against the attacks, which it says remain ongoing.
– Why were the attacks carried out?
Russian Intelligence Services #APT29 is using WellMess, WellMail, and SoreFang #malware to target COVID-19 research and more. IOCs and mitigations provided in our joint #cybersecurity advisory with @NCSC, @CSE_cst, and @CISAgov https://t.co/KpavKVsRbo pic.twitter.com/Rev0mJ8pHi
— NSA Cyber (@NSACyber) July 16, 2020
The cyber security agencies say they believe the aim of the attacks was to steal information about vaccine development, rather than trying to disrupt the UK and other countries’ own efforts to make a vaccine.
In May, the NCSC issued an advisory warning that it had seen an increased proportion of cyber attacks related to coronavirus which hoped to “steal sensitive research data and intellectual property for commercial and state benefit”.
– Who has been targeted?
Although the agencies would not specify any organisations who had been targeted, they said the hackers had been targeting those involved in “both national and international Covid-19 responses”.
The NCSC said the campaign of malicious activity had been predominantly aimed at “government, diplomatic, think tank and energy targets”.
The University of Oxford, which is one of the global leaders in research for a potential vaccine for Covid-19, has previously confirmed it was taking advice from security experts on the issue of cyber attacks linked to coronavirus data.
– What else is the NCSC doing?
The 🇬🇧 stands with 🇺🇸 & 🇨🇦 against the reckless actions of Russia’s intelligence services, who we have exposed today for committing cyber attacks against those working on a #Covid19 vaccine – undermining vital 🌎 cooperation to defeat this pandemic https://t.co/6nIq8Nu5Iz
— Dominic Raab (@DominicRaab) July 16, 2020
The agency has urged businesses to protect their devices and networks by keeping their software up to date.
In a list of mitigations published alongside the announcement of the cyber attacks, the NCSC also urged people to use two-step or multi-factor authentication to help reduce the chance of password compromises.
It also urged businesses to “treat people as the first line of defence” and tell staff how to report suspicious emails and ensure reports are always investigated.