APT29 cyberattack, Russia Report
© Joseph Mercier

Today (16 July) the UK Government confirmed an APT29 cyberattack on COVID-19 vaccine trials and previously the 2019 General Election

Dominic Raab, foreign secretary, announced that a Russian cyberattack group, APT29 or Cozy Bear, have been stealing information about the UK’s ongoing vaccine trials. The US and Canada were hit with the same APT29 cyberattack.

This news breaks as the UK anticipates the release of the Russia Report in a few days.

What is an APT?

APT stands for Advanced Persistent Threat. Iran, China, Uzbekistan, North Korea, the US, and Vietnam also have APT groups, which work to extract information in different fields over a period of months or years. According to FireEye:

“APT groups try to steal data, disrupt operations or destroy infrastructure. Unlike most cyber criminals, APT attackers pursue their objectives over months or years. They adapt to cyber defenses and frequently retarget the same victim.”

Who are APT29?

APT29 is a well-known cyber espionage group, also known as Cozy Bear. Cyber security firms have given them other names: Office Monkeys, CozyCar, The Dukes and, most commonly, CozyDuke. This group is 95% likely to be associated with Russian intelligence forces, so is essentially a Russia-supported group. They are estimated to have been operating since at least 2010.

Cozy Bear has recently targeted UK, US and Canadian COVID-19 vaccine research and development. According to the National Cyber Security Centre (NCSC), the group are attempting to steal “information and intellectual property” on the development of a COVID-19 vaccine and knowledge about the virus itself. The group is most known for their use of spear-phishing, and custom malware named “WellMess” and “WellMail”.

Dominic Raab, foreign secretary, said:

“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic.

“While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health. The UK will continue to counter those conducting such cyber attacks, and work with our allies to hold perpetrators to account.”

Paul Chichester, NCSC Director of Operations, said:

“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.

“We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”

In relation to Russian interference in 2019

PM Boris Johnson blocked the Russia Report from release during the 2019 General Election. This report contains clear analysis on confirmed Russian interference in the democracy of the UK, such as releasing secret government plans for the UK-US free trade deal.

This report is due to be released next week, over six months after it was created.

The documents leaked by Cozy Bear in 2019 contained government information that was later highlighted by Labour. This information was posted to Reddit, where it circulated until emerging in mainstream consciousness. The documents spoke about UK-US free trade agreement ideas, and explicitly discussed the NHS as part of those deals. This was picked up by a pressure group, given to Labour and then used by Jeremy Corbyn as a campaign tool to highlight Conservative party plans.

The tactic failed to gain traction, despite widespread demand on social media for a thorough report on the level of Russian interference.

Writing about the presence of Russia in the 2019 elections, Dominic Raab said:

“On the basis of extensive analysis, the government has concluded that it is almost certain that Russian actors sought to interfere in the 2019 general election through the online amplification of illicitly acquired and leaked government documents.

“Whilst there is no evidence of a broad spectrum Russian campaign against the general election, any attempt to interfere in our democratic processes is completely unacceptable. It is, and will always be, an absolute priority to protect our democracy and elections.”

Five ways to protect your organisation from Cozy Bear, according to the NCSC:

  1. Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
  2. Use multi-factor authentication (also called 2-factor or two-step authentication) to reduce the impact of password compromises.
  3. Treat people as your first line of defence. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments.
  4. Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.
  5. Prevent and detect lateral movement in your organisation’s networks.

It remains to be seen if Cozy Bear will attempt more cyberattacks on UK health infrastructure, as COVID-19 trials continue to carve out the possibility of a vaccine.

Contributor Profile

Digital Editor
Open Access Government
