Yesterday, the UK National Cyber Security Centre and Canada’s Communications Security Establishment released an advisory linking APT29 (also known as, ‘the Dukes’ or ‘Cozy Bear’) to attacks against COVID-19 vaccine development in Canada, the US and the UK. The Advisory stated that APT29 is “almost certainly part of the Russian intelligence services.” APT29/Cozy Bear was previously linked to the attack against the Democratic National Committee’s networks during the last presidential election cycle. Yesterday’s Advisory regarding COVID-19 vaccine development threats was publicly supported by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Reportedly, APT29 is using custom malware to launch attacks that have not been sourced to the attack group, named “WellMess” and “WellMail.” The attackers appear to be using vulnerability scanning to detect initial network footholds and to find a means to obtain legitimate credentials for persistent access, before, in some cases, deploying the custom malware. The Advisory provides a non-exclusive list of the recently published exploits used to gain an initial foothold, as well as known indicators of compromise and detection rules.
Of course, the best defense is a good offense. To defend against this campaign the Advisory recommends the following items below, to which we have added some detail.
- Vulnerability scan your external (and internal) environments, and promptly apply security patches and recommended security configuration changes.
- Use multi-factor authentication (especially for accounts accessible from the Internet, such as a VPN login and accounts used to administer the computing environment).
- Train users on phishing attacks.
- Ensure users know how to report such attacks;
- Do not penalize users for falling for the phish; and
- Encourage users to promptly report any mistakes, such as clicking on a URL or opening an attachment.
- Ensure that you have robust log collection practices and security monitoring capabilities, which we are pleased to discuss with you. Consider regularly reviewing and revising your logging and anomaly detection strategies.
- Prevent and detect lateral movement within your organization’s network.
If you have any questions regarding this Advisory or attacks in general, please contact us.