The NCSC assesses that APT29, also named ‘The Dukes’ or ‘Cozy Bear’, has “almost certainly” operated as part of Russian intelligence services. To be precise, the NCSC is more than 95% certain this is the case. That assessment is also supported by partners at the Canadian Communication Security Establishment, the US Department for Homeland Security Cyber Security Infrastructure Security Agency and the National Security Agency.
APT29’s campaign of malicious activity is ongoing and predominantly focused on Government, diplomatic, Think Tank, healthcare and energy-centric targets in a bid to steal valuable Intellectual Property.
Paul Chichester, the NCSC’s director of operations, commented: “We condemn these despicable attacks against those doing vital work to combat the Coronavirus pandemic. Working with our allies, the NCSC is committed to protecting our most critical assets. Our top priority at this time is to protect the health sector. We would urge organisations to familiarise themselves with the advice we’ve published in order to help defend their networks.”
The NCSC has previously warned that Advanced Persistent Threat groups have been targeting organisations involved in both national and international COVID-19 responses.
Known targets
Known targets of APT29 include UK, US and Canadian vaccine R&D organisations. The group uses a variety of tools and techniques, including spear phishing and custom malware known as ‘WellMess’ and ‘WellMail’.
Spear phishing is a targeted and personalised form of cyber attack designed to trick a specific individual. Often, the e-mail appears to come from a trusted contact and may well include some personal information so as to make the message seem more convincing
The UK has called for an end to “irresponsible” cyber attacks by the Russian Intelligence Services, who have been collecting information on vaccine development and research into the COVID-19 virus.
Foreign Secretary Dominic Raab has issued a statement regarding the NCSC’s advisory. He said: “It’s completely unacceptable that the Russian Intelligence Services are targeting those working to combat the Coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are continuing with the hard work of finding a vaccine and protecting global health. The UK will keep on countering those conducting such cyber attacks and will work with its allies to hold perpetrators to account.”
According to the Tass news agency, Russia has denied responsibility. “We do not have information about who may have hacked into pharmaceutical companies and research centres in Great Britain. We can say one thing - Russia has nothing at all to do with these attempts,” said Dmitry Peskov, a spokesperson for President Putin.
*Read the NCSC’s advisory in full: https://www.ncsc.gov.uk/news/advisory-apt29-targets-covid-19-vaccine-development
