An advisory published by the UK National Cyber Security Centre (NCSC) details activity by the Russian hacking group and explicitly calls out efforts to target US, UK and Canadian vaccine research and development organizations.
“APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think tank, healthcare and energy targets to steal valuable intellectual property,” a press release on the advisory said.
Cozy Bear is one of two hacking groups linked to Russian intelligence that is believed to have accessed the Democratic National Committee’s internal systems in the lead-up to the 2016 US election, but Thursday’s announcement is the first time this group has been named in connection to cyberattacks related to the coronavirus pandemic.
Kremlin spokesperson Dmitry Peskov said Thursday that Russia “has nothing to do” with the hacking attacks targeting organizations involved in coronavirus vaccine development, according to the state-run news agency TASS.
“We do not have information regarding who could have hacked pharmaceutical companies and research centers in the UK,” he said. Referring to a UK government statement Thursday that “it is almost certain” Russian actors sought to interfere in the country’s 2019 election, Peskov continued, saying: “We can say one thing — Russia has nothing to do with these attempts and we do not accept such accusations just like we don’t accept yet another set of unfounded accusations of interference in the 2019 elections.”
And Kirill Dmitriev, the head of the Russian Direct Investment Fund, which sponsors the development of a Russian coronavirus vaccine, said the “accusations against Russia regarding hacking attacks against western pharmaceutical companies are an attempt to tarnish the Russian coronavirus vaccine.”
Thursday’s advisory comes as the number of coronavirus cases in the US continues to surge while researchers race to develop a vaccine.
The US, UK and Canadian authorities have issued several warnings about state-backed cyberattacks against organizations involved in the coronavirus response in recent months.
In April, CNN also reported on a growing wave of cyberattacks on US government agencies and medical institutions leading the pandemic response by nation states and criminal groups.
Hospitals, research laboratories, health care providers and pharmaceutical companies have all been hit, officials said at the time.
The Department of Health and Human Services, which oversees the Centers for Disease Control and Prevention — has also been struck by a surge of daily strikes, an official with direct knowledge of the attacks previously told CNN, adding that Russia and China were the primary culprits.
“The National Security Agency (NSA), along with our partners, remains steadfast in its commitment to protecting national security by collectively issuing this critical cybersecurity advisory as foreign actors continue to take advantage of the ongoing COVID-19 pandemic,” NSA Cybersecurity Director Anne Neuberger said in a statement after Thursday’s advisory was published.
“APT29 has a long history of targeting governmental, diplomatic, think tank, healthcare and energy organizations for intelligence gain so we encourage everyone to take this threat seriously and apply the mitigations issued in the advisory,” she said.
The NCSC, which is the UK’s lead technical authority on cyber security and part of the UK’s Government Communications Headquarters (GCHQ), assessed that APT29 “almost certainly operate as part of Russian Intelligence Services.”
This assessment is also supported by partners at the Canadian Communication Security Establishment (CSE), the US Department for Homeland Security (DHS) Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA), the NCSC said.
Specifically, APT29 uses a variety of tools and techniques, including spear phishing and custom malware known as “WellMess” and “WellMail”, according to the NCSC.
The report concluded that: “APT29 is likely to continue to target organizations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic.”
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” NCSC Director of Operations, Paul Chichester, said in a statement. “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.”
British Foreign Secretary Dominic Raab said Thursday that it is “completely unacceptable” that Russian intelligence services are targeting those working to develop a vaccine.
“While others pursue their selfish interests with reckless behavior, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health,” he said, adding that the UK will “continue to counter those conducting such cyber attacks” and work with allies to hold them to account.
This story has been updated with additional background information.
CNN’s Donie O’Sullivan in New York and Mary Ilyushina in Moscow contributed to this report.