Russian hackers accused of cyberattacks against COVID-19 research centers

It's the first time this hacking group has been named in connection to cyberattacks related to the coronavirus pandemic.


Russian cyber actors are targeting organizations involved in coronavirus vaccine development, according to a new warning by U.S., U.K. and Canadian security officials on Thursday that details activity by a Russian hacking group called APT29, which also goes by the name "the Dukes" or "Cozy Bear."

An advisory published by the UK National Cyber Security Centre (NCSC) details activity by the Russian hacking group and explicitly calls out efforts to target U.S., U.K. and Canadian vaccine research and development organizations.

Cozy Bear is one of two hacking groups linked to Russian intelligence that are believed to have accessed the Democratic National Committee's internal systems in the lead-up to the 2016 U.S. election, but Thursday's announcement is the first time this group has been named in connection with cyberattacks related to the coronavirus pandemic.

The U.S., U.K. and Canadian authorities have issued several warnings about state-backed cyberattacks in recent months.

In May, the three countries issued an advisory warning of ongoing cyberattacks against organizations involved in the coronavirus response, including health care bodies, pharmaceutical companies, academics, medical research organizations and local government.

Hospitals, research laboratories, health care providers and pharmaceutical companies have all been hit, officials say, and the U.S. Department of Health and Human Services — which oversees the Centers for Disease Control and Prevention — has seen a surge in daily attacks, an official with direct knowledge of the attacks previously told CNN.


The NCSC, which is the U.K.'s lead technical authority on cyber security and part of the U.K.'s Government Communications Headquarters (GCHQ), assessed that APT29 "almost certainly operate as part of Russian Intelligence Services".

This assessment is also supported by partners at the Canadian Communications Security Establishment (CSE), the U.S. Department of Homeland Security (DHS) Cybersecurity and Infrastructure Security Agency (CISA) and the National Security Agency (NSA), the NCSC said.

"APT29's campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property," according to a news release.

"We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic," NCSC Director of Operations, Paul Chichester, said in a statement.

"Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.

"We would urge organizations to familiarize themselves with the advice we have published to help defend their networks."

The news release said the NCSC has previously warned that APT (advanced persistent threat) groups have been targeting organizations involved in both national and international COVID-19 responses.

APT29 uses a variety of tools and techniques, including spear phishing and custom malware known as "WellMess" and "WellMail", according to the NCSC.

The report concluded that: "APT29 is likely to continue to target [organizations] involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic."