APT29 (Russia): New tactics, techniques, and procedures (TTPs) from the APT29 group, also known as The Dukes or Cozy Bear, were publicly reported by the United Kingdom’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE). APT29 was seen throughout 2020 targeting various organizations involved in researching a COVID-19 vaccine in Canada, the United States, and the United Kingdom. The report stated that it was “highly likely” that these attacks are being carried out to steal information and intellectual property relating to the development and testing of a COVID-19 vaccine. APT29 is using malware known as WellMess and WellMail, neither of which had been attributed to APT29 in the past. The threat actor is also exploiting older vulnerabilities to gain a foothold in a network, including but not limited to:
– Citrix (CVE-2019-18781)
– Pulse Secure (CVE-2019-11510)
– FortiGate (CVE-2018-13379)
– Zimbra (CVE-2019-9670)
Analyst Notes
APT29 has been tracked for years and is most closely associated with the Russian intelligence services. Past attacks from the group utilized the same techniques and targets. The threat actor commonly uses spear-phishing and scans for unpatched servers to target government employees or government-backed research and steal sensitive information. The United States National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (DHS CISA) both endorsed the NCSC report. Defenders should keep in mind that proper security training, especially for government employees and companies, needs to be in place to teach people how to identify spear-phishing attacks. This attack is an example of why it is imperative to patch vulnerabilities as soon as patches are available. Threat actors will continue to prey on companies that do not patch vulnerabilities within their network.
More information can be read here: https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development
The full report and IOCs can be found here: https://www.ncsc.gov.uk/files/Advisory-APT29-targets-COVID-19-vaccine-development.pdf