FYI Russia is totally hacking the West's labs in search of COVID-19 vaccine files, say UK, US, Canada cyber-spies (Security News, July 2020)
The Kremlin-backed APT29 crew, also known as Cozy Bear, Iron Hemlock or The Dukes, depending on which threat intelligence company you're talking to that week, is assessed by most reputable analysts to be an arm of Russia's intelligence services: most commonly the SVR, the foreign-intelligence successor to the Soviet KGB, though some earlier analyses pointed to the FSB. NCSC ops director Paul Chichester said in a statement: "We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic."
Foreign Secretary Dominic Raab added: "It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic. While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health."
"WellMess is a lightweight malware designed to execute arbitrary shell commands, upload and download files. The malware supports HTTP, TLS and DNS communications methods," said NCSC in its advisory.
Intriguingly, NCSC - along with the US CISA and Canada's Communications Security Establishment - also said APT29 was deploying a custom malware it named SoreFang against products from Chinese enterprise networking biz Sangfor.
Back in 2015 FireEye observed APT29 deploying Hammertoss, a malware strain that fetched its commands via Twitter accounts, while last year ESET spotted the same group quietly targeting EU nations' foreign ministries and embassies.
News URL
https://go.theregister.com/feed/www.theregister.com/2020/07/16/russia_coronavirus_hacking/
Related news
- US and UK govts warn: Russia scanning for your unpatched vulnerabilities
- Russia arrests US-sanctioned Cryptex founder, 95 other linked suspects
- China Possibly Hacking US "Lawful Access" Backdoor
- US, UK warn of Russian APT29 hackers targeting Zimbra, TeamCity servers
- UK councils bat away DDoS barrage from pro-Russia keyboard warriors