author photo
By Clare O’Gara
Thu | Jul 16, 2020 | 1:40 PM PDT

When it comes to nation-state hackers, Russia tends to direct its cyber energies toward elections and disinformation campaigns, whereas China is known for going after intellectual property.

[Related podcast: Nation-State Cyber Threats]

But according to a recent joint advisory from the Cybersecurity and Infrastructure Security Agency, (CISA), it looks like COVID-19 is too valuable for even Russia to pass up.

CISA advisory: who is targeting COVID-19 research?

Cyberattacks on COVID-19 research are starting to feel as common as COVID-19.

SecureWorld has covered the stories time and time again. From attacks on a COVID-19 crunching supercomputer to the World Health Organization and everywhere in between, hackers are seeking coronavirus data wherever they can find it.

In fact, CISA has already published a general joint advisory on nation-state hackers targeting pandemic research.

"The NCSC and CISA are currently investigating a number of incidents in which threat actors are targeting pharmaceutical companies, medical research organisations, and universities. APT groups frequently target such organisations in order to steal sensitive research data and intellectual property (IP) for commercial and state benefit.

But this latest one takes things a step further.

New government advisory on Russia hacking for COVID-19 data

A new report from CISA, the UK's National Cyber Security Centre (NCSC), Canada's Communications Security Establishment (CSE), and the National Security Agency (NSA) sheds light on APT29, a Russian hacking group targeting COVID-19 data.

APT29 also goes by "the Dukes" or "Cozy Bear." Here's what NCSC says about the group:

"The group uses a variety of tools and techniques to predominantly target governmental, diplomatic, think-tank, healthcare and energy targets for intelligence gain.

Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines."

Which attack vectors is APT29 using to hack COVID-19 data?

What TTPs does APT29 use? The advisory describes three different malware strains:

  1. SOREFANG: This application is a malicious 32-bit Windows executable. The executable exploits a vulnerability identified within Sangfor SSL VPN devices. The vulnerability can be leveraged to gain control over systems because the VPN clients do not properly verify the integrity of software updates.
  2. WELLMESS: This file is a malicious compiled .NET application. It decrypts and loads an embedded dynamic link library (DLL) ""
  3. WELLMAIL: This artifact is an ELF 64-bit file written in Go. This file has been identified as a variant of the malware family known as WellMail. When executed, it attempts to collect the IP address of the victim system and the current username.

Interested in the complete report? The full joint advisory is available here.

Mitigation against nation-state hackers

While CISA, NCSC, CSE, and the NSA are yet to develop a plan of attack for combating this Russian hacking group, the advisory does include some recommendations for mitigation.

This advice is particularly valuable for any organization researching a COVID-19 vaccine:

  • Protect your devices and networks by keeping them up to date: use the latest supported versions, apply security patches promptly, use anti-virus and scan regularly to guard against known malware threats.
  • Use multi-factor authentication to reduce the impact of password compromises.
  • Treat people as your first line of defense. Tell staff how to report suspected phishing emails, and ensure they feel confident to do so. Investigate their reports promptly and thoroughly. Never punish users for clicking phishing links or opening attachments.
  • Set up a security monitoring capability so you are collecting the data that will be needed to analyze network intrusions.
  • Prevent and detect lateral movement in your organization’s networks.
Related nation-state cyber threat podcasts

The man who uncovered the cyberattack on the WHO and how he did it:

Also, hear about geopolitics and their influence on cyber threats: