Russian state hackers are said to be actively attacking health institutions in the U.S., the United Kingdom, and Canada that are working on a coronavirus vaccine, according to several national security centers. The group is reported to be APT29, a hacker group affiliated with the Kremlin.
The British National Cyber Security Centre and the Canadian Communications Security Establishment, among others, warn of the attacks. The American NSA is also said to endorse the findings. The security centers warn that an advanced persistent threat group known as APT29, The Dukes, or Cozy Bear is engaged in espionage campaigns. The centers say that APT29 is “almost certainly” part of the Russian intelligence services, an attribution most security researchers share.
The hackers are said to have attacked several organizations in Canada, the US, and the United Kingdom in recent months, all of them working on a vaccine for the coronavirus. The security centers say the hackers “most likely” intend to steal information about the development of the vaccine.
The group is said to use publicly known exploits to search for vulnerable systems. The NCSC describes the methods in its investigation. The hackers are specifically looking for systems that use Citrix or the Pulse Secure VPN, which are known to have serious vulnerabilities for which a patch is available. In this way, the hackers hope to get into the systems and maintain persistent access to them. In some cases, the hackers also use malware called WellMess and WellMail, which can execute shell commands on a compromised server.
The security centers recommend that companies and health institutions follow the guidance of their national security services. Institutions should also watch closely for intruders and patch vulnerable systems as soon as possible.