UK National Cyber Security Centre Advisory: Russian Attacker APT29 Targets Companies Involved in COVID-19 Vaccine Development

Alston & Bird

The UK National Cyber Security Centre and Canada’s Communications Security Establishment released an advisory linking APT29 (also known as ‘the Dukes’ or ‘Cozy Bear’) to attacks against COVID-19 vaccine development in Canada, the US and the UK. The Advisory stated that APT29 is “almost certainly part of the Russian intelligence services.” APT29/Cozy Bear was previously linked to the attack against the Democratic National Committee’s networks during the last presidential election cycle. Yesterday’s Advisory regarding COVID-19 vaccine development threats was publicly supported by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Reportedly, APT29 is using custom malware, named “WellMess” and “WellMail,” that had not previously been attributed to the group. The attackers appear to be using vulnerability scanning to find initial network footholds and a means to obtain legitimate credentials for persistent access, before, in some cases, deploying the custom malware. The Advisory provides a non-exhaustive list of the recently published exploits used to gain an initial foothold, as well as known indicators of compromise and detection rules.

Of course, the best defense is a good offense. To defend against this campaign the Advisory recommends the following measures, to which we have added some detail.

Mitigation Measures

  • Vulnerability scan your external (and internal) environments, and promptly apply security patches and recommended security configuration changes.
  • Use multi-factor authentication (especially for accounts accessible from the Internet, such as a VPN login and accounts used to administer the computing environment).
  • Train users on phishing attacks.
    • Ensure users know how to report such attacks;
    • Do not penalize users for falling for the phish; and
    • Encourage users to promptly report any mistakes, such as clicking on a URL or opening an attachment.
  • Ensure that you have robust log collection practices and security monitoring capabilities, which we are pleased to discuss with you. Consider regularly reviewing and revising your logging and anomaly detection strategies.
  • Prevent and detect lateral movement within your organization’s network.
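The last two measures (log collection with anomaly detection, and detecting lateral movement) are easiest to picture with a concrete rule. The following is an added example, not code from the Advisory or from Alston & Bird: it reads a handful of constructed authentication events and flags any account whose successful logons reach an unusual number of distinct destination hosts inside a short window, which is one of the simplest lateral-movement heuristics a monitoring team can run over its own logs. The event format, the ten-minute window and the four-host threshold are assumptions for the illustration; real deployments tune them per environment.

```python
"""Lateral-movement fan-out heuristic over constructed authentication events.

Added illustration (not from the Advisory or Alston & Bird). The log lines,
field layout, window and threshold below are all constructed assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: timestamp, account, source host, destination host, outcome.
# "bob" logs on to five different servers in under a minute; everyone else is routine.
SAMPLE_EVENTS = """\
2020-07-16T09:00:05Z,alice,WS-101,FILESRV-01,success
2020-07-16T09:03:10Z,alice,WS-101,FILESRV-01,success
2020-07-16T09:10:00Z,svc-backup,BK-01,DB-01,success
2020-07-16T10:00:01Z,bob,WS-204,FILESRV-01,success
2020-07-16T10:00:09Z,bob,WS-204,FILESRV-02,success
2020-07-16T10:00:15Z,bob,WS-204,DB-01,success
2020-07-16T10:00:22Z,bob,WS-204,DC-01,failure
2020-07-16T10:00:30Z,bob,WS-204,HR-APP-01,success
2020-07-16T10:00:41Z,bob,WS-204,DEV-01,success
2020-07-16T11:30:00Z,carol,WS-310,FILESRV-02,success
"""


def parse_events(text):
    """Parse the constructed CSV-style lines into dicts, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, outcome = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "src": src,
            "dst": dst,
            "outcome": outcome,
        })
    events.sort(key=lambda e: e["ts"])
    return events


def find_fanout(events, window=timedelta(minutes=10), threshold=4):
    """Return {account: (first_ts, last_ts, sorted_hosts)} for every account whose
    successful logons reach >= threshold distinct destination hosts within `window`.

    Only the first crossing per account is recorded, so one alert fires per burst
    rather than one per subsequent event. Failed logons are ignored here; a
    separate rule would normally watch those for password spraying.
    """
    recent = defaultdict(deque)  # account -> deque of (ts, dst) inside the window
    alerts = {}
    for e in events:
        if e["outcome"] != "success":
            continue
        q = recent[e["account"]]
        q.append((e["ts"], e["dst"]))
        # Drop entries that have aged out of the sliding window.
        while q and e["ts"] - q[0][0] > window:
            q.popleft()
        hosts = {dst for _, dst in q}
        if len(hosts) >= threshold and e["account"] not in alerts:
            alerts[e["account"]] = (q[0][0], e["ts"], sorted(hosts))
    return alerts


if __name__ == "__main__":
    for account, (first, last, hosts) in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {account}: {len(hosts)} hosts between {first:%H:%M:%S} and {last:%H:%M:%S}: {', '.join(hosts)}")
```

Running it prints one alert for `bob`, whose burst of four distinct successful logons in 29 seconds crosses the threshold; `alice` repeatedly hitting the same file server does not. The heuristic is deliberately coarse: a service account that legitimately touches many hosts needs an allow-list, and the window and threshold should be set from a baseline of the organisation's own logs before the rule is used for alerting.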

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Alston & Bird | Attorney Advertising
