The advanced threat actor known as APT29 has been hard at work attempting to pilfer COVID-19 vaccine research from academic and pharmaceutical research institutions in various countries around the world, including the U.S.
That’s according to a joint alert from the U.S. Department of Homeland Security (DHS), the U.K.’s National Cyber Security Centre (NCSC) and Canada’s Communications Security Establishment (CSE), issued Thursday.
The 14-page advisory details the recent activity of Russia-linked APT29 (a.k.a. CozyBear or the Dukes), including the use of custom malware called “WellMess” and “WellMail” for data exfiltration.
“Throughout 2020, APT29 has targeted various organizations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the report noted.
This specific activity was seen starting in April, but security researchers noted that nation-state espionage targeted to coronavirus treatments and cures has been a phenomenon all year.
“COVID-19 is an existential threat to every government in the world, so it’s no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure,” said John Hultquist, senior director of analysis at Mandiant Threat Intelligence, via email. “The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We’ve also seen significant COVID-related targeting of governments that began as early as January.”
Exploits in Play
To mount the attacks, APT29 is using exploits for known vulnerabilities to gain initial access to targets, according to the analysis, along with spearphishing to obtain authentication credentials to internet-accessible login pages for target organizations. The exploits in rotation include the recent Citrix code-injection bug (CVE-2019-19781); a publicized Pulse Secure VPN flaw (CVE-2019-11510); and issues in FortiGate (CVE-2018-13379) and Zimbra (CVE-2019-9670).
“The group conducted basic vulnerability scanning against specific external IP addresses owned by the [targeted] organizations,” according to the report. “The group then deployed public exploits against the vulnerable services identified. The group has been successful using recently published exploits to gain initial footholds.”
Once a system is compromised, the group then looks to obtain additional authentication credentials to allow further access and spread laterally.
Custom Malware
Once established in a network, APT29 is employing homegrown malware that the NCSC is calling WellMess and WellMail, to conduct further operations on the victim’s system and exfiltrate data.
WellMess, first discovered in July 2018, is malware that comes in Golang or .NET versions and supports HTTP, TLS and DNS for communications.
Named after one of the function names in the malware, “WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files,” according to the advisory.
WellMail malware meanwhile, named after file paths containing the word ‘mail’ and the use of server port 25, is also lightweight – and is designed to run commands or scripts while communicating with a hardcoded command-and-control (C2) server.
“The binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,” according to the NCSC. “To our knowledge, WellMail has not been previously named in the public domain.”
Both malwares uses hard-coded client and certificate authority TLS certificates to communicate with their C2 servers.
“WellMess and WellMail samples contained TLS certificates with the hard-coded subjectKeyIdentifier (SKI) ‘0102030406’, and used the subjects ‘C=Tunis, O=IT’ and ‘O=GMO GlobalSign, Inc’ respectively,” detailed the report. “These certificates can be used to identify further malware samples and infrastructure. Servers with this GlobalSign certificate subject may be used for other functions in addition to WellMail malware communications.”
APT29 is also using another malware, dubbed ‘SoreFang’ by the NCSC, which is a first-stage downloader that uses HTTP to exfiltrate victim information and download second-stage malware. It’s using the same C2 infrastructure as a WellMess sample, the agencies concluded.
This sample is not a custom job: “It is likely that SoreFang targets SangFor devices. Industry reporting indicates that other actors, reportedly including DarkHotel, have also targeted SangFor devices,” noted the NCSC.
APT29: A Sporadically High-Profile Threat
APT29 has long been seen targeting high-value targets across the think-tank, law enforcement, media, U.S. military, imagery, transportation, pharmaceutical, national government and defense contracting sectors.
The group is is perhaps best-known for the intrusion at the Democratic National Committee ahead of the U.S. presidential election in 2016. It was also implicated in a widespread phishing campaign in November 2016, in attacks against the White House, State Department and Joint Chiefs of Staff.
It was next seen in November 2017 executing a Tor backdoor, and then it reemerged in 2018 with a widespread espionage campaign against military, media and public-sector targets.
Its history stretches back a few years though: It was also seen by Kaspersky Lab carrying out data-mining attacks against the White House and the Department of State in 2014.
Researchers from firms like Mandiant believe APT29 to be linked to Russian government-backed operations – an assessment that the DHS and NCSC reiterated in the latest advisory, saying that it is “almost certainly part of the Russian intelligence services.”
While its publicly profiled activity tends to be sporadic, APT29 is rarely at rest, according to Mandiant’s Hultquist.
“Despite involvement in several high-profile incidents, APT29 rarely receives the same attention as other Russian actors because they tend to quietly focus on intelligence collection,” he said via email. “Whereas GRU actors have brazenly leaked documents and carried out destructive attacks, APT29 digs in for the long term, siphoning intelligence away from its target.”
This latest case is no exception to that M.O., according to the advisory: “APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the agencies concluded.
That said, at least one researcher warned that the end-game of the activity might be more nefarious than simply getting a leg up on a cure.
“APT29 (Cozy Bear, Office Monkeys) has successfully demonstrated the extension of nation-state power through cyber-action for more than a dozen years,” Michael Daly, CTO at Raytheon Intelligence & Space, said via email. “However, they are not focused on simple intellectual property theft. Instead, their focus is rooted in influence operations – the changing of hearts and minds to thwart and diminish the power of governments and organizations.”
He added, “In the case of this breach of vaccine research centers, we should be most concerned not that someone else might also get a vaccine, but that the information will be used to undermine the confidence of the public in the safety or efficacy of the vaccines, slowing their adoption, or in some way cause their release to be delayed. The effect of such a delay would be both impactful to the health of Western populations, but also to the social stability and economic stability of the West.”