Alston & Bird Privacy Blog

UK National Cyber Security Centre Advisory: Russian Attackers, APT29, Targets Companies Involved in COVID-19 Vaccine Development

By , and

Yesterday, the UK National Cyber Security Centre and Canada’s Communications Security Establishment released an advisory linking APT29 (also known as, ‘the Dukes’ or ‘Cozy Bear’) to attacks against COVID-19 vaccine development in Canada, the US and the UK.  The Advisory stated that APT29 is “almost certainly part of the Russian intelligence services.”  APT29/Cozy Bear was previously linked to the attack against the Democratic National Committee’s networks during the last presidential election cycle.  Yesterday’s Advisory regarding COVID-19 vaccine development threats was publicly supported by the National Security Agency and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Reportedly, APT29 is using custom malware to launch attacks that have not been sourced to the attack group, named “WellMess” and “WellMail.”  The attackers appear to be using vulnerability scanning to detect initial network footholds and to find a means to obtain legitimate credentials for persistent access, before, in some cases, deploying the custom malware.  The Advisory provides a non-exclusive list of the recently published exploits used to gain an initial foothold, as well as known indicators of compromise and detection rules.

Of course, the best defense is a good offense.  To defend against this campaign the Advisory recommends the following items below, to which we have added some detail.

Mitigation Measures

  • Vulnerability scan your external (and internal) environments, and promptly apply security patches and recommended security configuration changes.
  • Use multi-factor authentication (especially for accounts accessible from the Internet, such as a VPN login and accounts used to administer the computing environment).
  • Train users on phishing attacks.
    • Ensure users know how to report such attacks;
    • Do not penalize users for falling for the phish; and
    • Encourage users to promptly report any mistakes, such as clicking on a URL or opening an attachment.
  • Ensure that you have robust log collection practices and security monitoring capabilities, which we are pleased to discuss with you. Consider regularly reviewing and revising your logging and anomaly detection strategies.
  • Prevent and detect lateral movement within your organization’s network.

If you have any questions regarding this Advisory or attacks in general, please contact us.

About Amy Mushahwar

Amy Mushahwar is a partner on the Privacy & Data Security and Cybersecurity Preparedness & Response teams. Amy has over 20 years of experience in the technology space and focuses her practice on data security, cyber risk, privacy, and emerging technologies. She advises clients on proactive data security practices, data breach incident response, and regulatory compliance.

[Read Bio]

About Kimberly Peretti

Kim is a former DOJ cybercrime prosecutor and former director of PwC’s cyber forensics group. She has over 20 years of experience in cybercrime, data breach response, and cybersecurity and delivers top-of-the-line cyber risk management and information security counsel to her clients. Kim is co-lead of our Cybersecurity Preparedness & Response Team.

[Read Bio]

About Larry Sommerfeld

Lawrence (Larry) Sommerfeld is a partner on Alston & Bird’s Privacy & Data Security and Cybersecurity Preparedness & Response teams. As an assistant U.S. attorney, he led the Computer Crime and Intellectual Property Unit and investigated and prosecuted the leaders of one of the most sophisticated and coordinated cyber intrusions ever perpetrated. Larry was invited to join the Department of Justice’s Computer Hacking and Intellectual Property Working Group, where he advised the DOJ on developing technology and intellectual property issues, and potential legislation.

[Read Bio]