Last week, as reported in Threat Watch, the APT29 threat group, attributed to Russia’s intelligence service, was found to be targeting various organizations involved in researching a COVID-19 vaccine in Canada, the United States and the United Kingdom. The activity was threatening enough that the UK’s National Cyber Security Centre and Canada’s Communications Security Establishment issued a technical advisory detailing the nature of the attacks. The report stated that it was “highly likely” that these attacks are being carried out so the group can steal information and intellectual property (IP) relating to the development and testing of a COVID-19 vaccine. APT29 is using malware known as WellMess and WellMail, neither of which had previously been attributed to the group.
With the COVID-19 pandemic still plaguing many areas of the globe, development of a vaccine is critical. What is the motivation behind these attacks during a time when the world should be banding together to provide a vaccine?
Government-funded groups attempt to steal research data
Russia has government-funded entities that routinely use computer network exploitation to steal strategically important information such as IP and research results. COVID-19 research is highly coveted because of the urgency of finding a vaccine and the global demand for one. Any research that can be delivered into the hands of medical researchers from Russia—or any country—can give them an advantage in producing the vaccine.
The fact that the targeted nations released this advisory, which also details the types of malware tools used by APT29, is strategic. This is a tactic known as “burning” the adversaries’ tools. Putting the information out to the public allows organizations to harden their systems against the specific malware the attackers are using. The hacking groups, in turn, must go back to the drawing board and adjust their attack.
This is not a new tactic employed by nations attempting to steal other countries’ IP. Russia and China both have a history of IP theft, including medical research and patient information. Just last year, Microsoft publicly released evidence that another Russia-sponsored hacking group had broken into the computers of the World Anti-Doping Agency to steal information and modify results. The year before that, the US Department of Justice unsealed indictments against seven intelligence officers of Russia’s GRU (military intelligence service) for hacking related to sports events and the World Anti-Doping Agency.
Binary Defense Senior Director of Counterintelligence and Threat Hunting, Randy Pargman, who was recently interviewed about the APT29 hacks by Canadian network CTV, stated that government-to-government norms exist with regard to computer network exploitation, but when governments start attacking private entities, all governments should condemn such actions.
Unpatched vulnerabilities make organizations perfect targets
In this case, the Russian hackers took advantage of vulnerabilities in servers directly connected to the Internet to gain access to the data they were seeking. When vulnerabilities are identified, the software manufacturer will issue a patch to its users that will fix the vulnerability. Unfortunately, many organizations just aren’t able to keep up with patching, because new patches are released daily.
Healthcare organizations already have their hands full with infrastructure shifting to telehealth visits, COVID-19 testing and tracking, and other IT challenges brought to light by the pandemic. Cybercriminals count on this and can easily identify unpatched servers. Randy Pargman describes it this way: “Finding vulnerable servers is easy, just like a burglar driving down a road with office buildings at night and looking for doors and windows that have been left open.”
Pargman, along with other cybersecurity experts, volunteers his time with the COVID-19 Cyber Threat Intelligence League to help identify vulnerable health organizations and inform the IT staff at those organizations on what needs to be patched to stay secure.
APT29 also used phishing attacks to attempt to trick employees in the targeted organizations into giving the hackers their password or opening a document file that gives attackers remote backdoor access to the employee’s computer. As long as the email is convincing enough, it is almost guaranteed that some employee will fall for it.
Binary Defense recommends applying patches as soon as they become available and have been validated through testing, especially for any servers that are directly accessible from the Internet at a public IP address. The advisory pointed out that APT29 threat actors typically exploit vulnerable devices to steal passwords and then come back later to log in with valid credentials and expand their access to steal data from other computers inside the network. That means companies should institute Multi-Factor Authentication (MFA) and change passwords on any device that was exposed with a vulnerability. Keeping detailed logs of events from all Internet-connected devices enables digital forensic investigators and incident responders to correctly assess whether exposure of a vulnerable device led to a breach. If logs have been deleted without explanation, a breach should be assumed. Companies should also ensure that employees are thoroughly trained on what a phishing email might look like. Vigilant employees reporting phishing attempts to their employer’s security team help the team recognize when an attack has made it through the email filters and provide the crucial information needed to investigate whether any other employees were compromised before the attackers have time to expand their access. At the very least, have employees double check with a trusted leader if they are being asked to supply credentials or make a wire transfer.