The British National Cyber Security Centre (NCSC) published an advisory detailing the activity of the threat group known as APT29, which “has exploited organizations globally.”
The NCSC assessed that APT29, also named “the Dukes” or “Cozy Bear,” almost certainly operate as part of Russian Intelligence Services. The assessment is supported by partners at the Canadian Communication Security Establishment (CSE), the U.S. Department of Homeland Security (DHS), the Cybersecurity Infrastructure Security Agency (CISA) and the National Security Agency (NSA).
“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,'' U.K.'s Foreign Secretary Dominic Raab said in a statement. “While others pursue their selfish interests with reckless behavior, the U.K. and its allies are getting on with the hard work of finding a vaccine and protecting global health.''
The NCSC made the announcement in a press release, where it claimed “APT29’s campaign of malicious activity is ongoing, predominantly against government, diplomatic, think-tank, health care and energy targets to steal valuable intellectual property.”
“We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic,” Paul Chichester, NCSC's director of operations, said in a statement. “Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector."
Chichester also urged "organizations to familiarize themselves with the advice we have published to help defend their networks.”
The NCSC said they are more than 95 percent certain that APT29 is part of the Russian Intelligence Services. It also assessed it is highly likely – between 80 and 90 percent – that this activity was to collect information on COVID-19 vaccine research or research into the COVID-19 virus itself.
The persistent and ongoing attacks are seen by intelligence officials as an effort to steal intellectual property, rather than to disrupt research. It was unclear whether any information actually was stolen but the British center says individuals’ confidential information is not believed to have been compromised.
Cozy Bear, also known as "the Dukes," has been identified by Washington as one of two Russian government-linked hacking groups that broke into the Democratic National Committee computer network and stole emails ahead of the 2016 presidential election. The other group is usually called Fancy Bear.
The NCSC has previously warned that APT – which stands for Advanced Persistent Threats – groups have been targeting organizations involved in both national and international COVID-19 responses. It said known targets of APT29 include British, American and Canadian vaccine research and development organizations. Officials claim the group uses a variety of tools and techniques, including spear-phishing and custom malware known as “WellMess” and “WellMail.”
The statement did not say whether Russian President Vladimir Putin knew about the vaccine research hacking, but British officials believe such intelligence would be highly prized.
U.S. authorities have for months leveled similar accusations against China. FBI Director Chris Wray said last week, “At this very moment, China is working to compromise American health care organizations, pharmaceutical companies, and academic institutions conducting essential COVID-19 research.”
The Associated Press contributed to this report.