Hacker groups linked to Russia Targets COVID 19 Vaccine developement

Hacker groups linked to Russia Targets COVID 19 Vaccine development

The National Cyber ​​Security Center (NCSC) of the United Kingdom, including Canada, on Thursday a hacker group with Russian intelligence services attempted to steal information on COVID-19 vaccine development globally. APT29 Canada, U.S. And was targeting vaccine development efforts in the U.K. to steal intelligence on the development and testing of CVOID-19 vaccines. U.K.

Both the NCSC and the Canadian Communications Security Establishment (CSE) believed the attackers to be a spy group linked to the Russian intelligence services. The US National Security Agency (NSA) agreed with his assessment.

"It is completely unacceptable that the Russian intelligence service is targeting those working to combat the coronovirus epidemic," Dominic Rabb, U.K.

The Foreign Secretary said in a press release. "While others pursue their selfishness with reckless behavior, the U.K. and its partners are getting on with the hard work of finding a vaccine and protecting global health."

Threat groups used custom wellware as "Wellmess" and "Wellmail" to target vulnerable organizations worldwide. Throughout 2020, the group used publicly available exploits to scan and attack vulnerabilities in enterprise tools.

The stolen credentials were stored for subsequent attacks when those organizations became interesting targets. Recently, the group limited its goals to specific external IP addresses and individuals. Major exploits deployed by the attackers targeted vulnerabilities in the tool by Citrix, Pulse Secure, FortaGate, Zombra, and others.

The group also carried out phishing attacks against specific individuals. Once this system is breached, attackers will try to establish persistent access using stolen credentials. The group sometimes complemented its attacks with WellMeS and WellMail, two known custom malware.

WellMace is a malware designed to execute arbitrary shell commands, while WellMail ran scripts and were controlled by the computer by an attacker (called a command and control server) for retrieval. "In the modern era, cyber-attacks have proven to be a very effective way of obtaining information that can be very difficult to obtain by other means,"

David Masson has written to the Director of Enterprise Security for Darktrace, the statement. "Russia is also facing the effects of this global pandemic and will be seeking in-aid to deal with it and in the future". Trying to gain an advantage in the fight against COVID-19 can lead to theft of research from around the world to avoid an otherwise necessary investment in time, money and effort (which may not be available). "

The Canadian Center for Cyber ​​Security (CCCS) said that during the COVID-19 pandemic, state-sponsored attacks zeroed in on intelligence gathering on foreign vaccine efforts.

In April 2020, a foreign cyberbat infiltrated a Canadian biopharmaceutical company, likely to steal information.

The World Health Organization (WHO) also added two phishing campaigns targeting state-sponsored attackers to its employees in March 2020. On 31 March, a foreign bomber attempted to infiltrate South Korean test kit manufacturing, although the attempt eventually failed.

The weaknesses used by ATP29 have been known for a long time, and some examples have already been patched. For example, Citrix had already patched the vulnerability used in this attack in January. Although the risk can be mitigated through proactive patching, Mac Samphi chief scientist Raj Samani highlighted some situations that could have hindered the patching process.

"Strong cyber hygiene requires a patching system," Samani said. "Sometimes ... you can't necessarily bring the system down to be able to patch them. I think there might be other examples that there might be some additional software applications that go over it that these May not work with particular factors.

"While these detailed descriptions slow down the patching process, Samani stressed that security must be retained to prevent attacks from multiple groups. “Citrix One has been known for some time to be exploited by other criminal gangs.

So it is not that this is the only remake of this particular group [APT29]. In fact, other groups also use the same approach and methodology, ”he said. Furthermore, Samani stated that society does not need to see technology as a major component of a functional society and be silent. "Organizations should implement a risk management strategy,"

Samani said. "In other words, what is the danger to us of leaving this particular system online? Organizations — and people around the world — have to recognize that cyber is not just about computer viruses and its aftermath.

It is about the foundation of our society. "NCSC recommends organizations to protect their data by doing the following:

Install security patches immediately.
Use multi-factor authentication.
Train employees to recognize signs of phishing and social engineering.
Set security monitoring capability
Prevent lateral movement within the organization's network.