A threat group associated with Russia's intelligence services has been using publicly known vulnerabilities and exploits, along with previously unknown custom malware and tools, to compromise organizations in the United States, Canada, and the UK involved in COVID-19 vaccine research, according to a new joint warning from the UK's National Cyber Security Centre, the NSA, and Canada's Communications Security Establishment.
The attacks have been ongoing for several months and are the work of APT29, an attack group also known as Cozy Bear that has been active for many years and is known to use a wide range of tools and techniques. APT29 has targeted organizations in a number of industries over the years, but in the current campaign the group has focused its attention on organizations involved in vaccine research and development.
“Throughout 2020, APT29 has targeted various organisations involved in COVID-19 vaccine development in Canada, the United States and the United Kingdom, highly likely with the intention of stealing information and intellectual property relating to the development and testing of COVID-19 vaccines,” the joint warning from the NCSC, NSA, and Canada’s Communications Security Establishment issued Thursday says.
“APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organisations globally. This includes those organisations involved with COVID-19 vaccine development.”
The recent campaign has used a number of different tactics, but the attacks typically begin with scans of the target organization's externally reachable systems for unpatched software; the group exploits one of those systems to gain initial access and then steals credentials from it. For that initial step, APT29 has been seen using publicly available exploits for several vulnerabilities, including dangerous flaws in the Citrix Application Delivery Controller and the Pulse Secure VPN that were disclosed last year. Detailed information about those vulnerabilities has been available for many months, as have working exploits and vendor patches, and the group has taken advantage of organizations that still had not applied them.
But APT29 is also employing its own custom malware tools in these attacks, at least one of which has not been named publicly before. WellMess and WellMail are both designed to let the attackers run arbitrary commands and scripts on a compromised system once installed. WellMess has been known to researchers for about two years now, but WellMail is a recent discovery.
“Similar to WellMess, WellMail uses hard-coded client and certificate authority TLS certificates to communicate with C2 servers. The binary is an ELF utility written in Golang which receives a command or script to be run through the Linux shell,” the advisory says.
APT29 is also deploying a third piece of malware, dubbed SoreFang, that targets SSL VPN appliances made by Sangfor, a Chinese company that sells security appliances.
“The files are Trojan implants designed to exploit Sangfor Secure Sockets Layer (SSL) virtual private network (VPN) servers. The malware replaces the Sangfor VPN software distributed to VPN clients. When installed, the implants provide the remote operator total control over the infected systems,” an analysis by the Cybersecurity and Infrastructure Security Agency (CISA) says.
“The executable exploits a vulnerability identified within Sangfor SSL VPN devices. The vulnerability can be leveraged to gain control over systems because the VPN clients do not properly verify the integrity of software updates. The malware exploits this vulnerability by replacing software update binaries on compromised VPN servers. The malicious binaries are then delivered and executed on the VPN clients reporting to the infected VPN server.”
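The weakness CISA describes, clients that install whatever binary the VPN server hands them, is the textbook case for signed updates checked against a key pinned in the client, so that a compromised server cannot push code. The Go program below is an added illustration of that check; it is not Sangfor's code, not the SoreFang sample, and not taken from the advisory. The update format, the `applyUnverified`/`applyVerified` functions, the build numbers and the "implant" and "vpn-client build 2" byte strings are all hypothetical and constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// updatePackage is the hypothetical payload a VPN server hands to a client:
// a build number, the new client binary, and a detached Ed25519 signature
// made by the vendor over digest(build, binary).
type updatePackage struct {
	Build     uint64
	Binary    []byte
	Signature []byte
}

// signer holds the vendor's signing key. In a real deployment it lives on an
// offline build/signing host; only the public half is compiled into clients.
type signer struct {
	priv ed25519.PrivateKey
	pub  ed25519.PublicKey
}

func newSigner() (*signer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &signer{priv: priv, pub: pub}, nil
}

// digest binds the build number to the binary, so a signature that is valid
// for one build cannot be presented with a different build number.
func digest(build uint64, bin []byte) []byte {
	var b [8]byte
	binary.BigEndian.PutUint64(b[:], build)
	h := sha256.New()
	h.Write(b[:])
	h.Write(bin)
	return h.Sum(nil)
}

func (s *signer) sign(build uint64, bin []byte) updatePackage {
	return updatePackage{
		Build:     build,
		Binary:    bin,
		Signature: ed25519.Sign(s.priv, digest(build, bin)),
	}
}

// applyUnverified models the flaw the advisory describes: the client runs
// whatever the server sent, so whoever controls the server controls every client.
func applyUnverified(pkg updatePackage) []byte {
	return pkg.Binary
}

// applyVerified is the hardened path: accept the binary only if the signature
// verifies under the pinned vendor key and the build number moves forward,
// so a replayed, older but validly signed build is refused as well.
func applyVerified(pinned ed25519.PublicKey, installed uint64, pkg updatePackage) ([]byte, error) {
	if len(pkg.Signature) != ed25519.SignatureSize {
		return nil, errors.New("update rejected: malformed signature")
	}
	if !ed25519.Verify(pinned, digest(pkg.Build, pkg.Binary), pkg.Signature) {
		return nil, errors.New("update rejected: signature does not verify under pinned vendor key")
	}
	if pkg.Build <= installed {
		return nil, fmt.Errorf("update rejected: build %d is not newer than installed build %d", pkg.Build, installed)
	}
	return pkg.Binary, nil
}

// compromisedServer is the attacker's move from the CISA description: the update
// binary on the server is swapped for an implant. If the attacker also re-signs
// with a key of their own, the client still refuses it because that key is not pinned.
func compromisedServer(pkg updatePackage, implant []byte, attackerKey ed25519.PrivateKey) updatePackage {
	pkg.Binary = implant
	if attackerKey != nil {
		pkg.Signature = ed25519.Sign(attackerKey, digest(pkg.Build, implant))
	}
	return pkg
}

func main() {
	vendor, err := newSigner()
	if err != nil {
		panic(err)
	}
	attacker, _ := newSigner() // key the attacker controls; not trusted by clients
	const installed = 1
	genuine := vendor.sign(2, []byte("vpn-client build 2")) // constructed sample binary
	swapped := compromisedServer(genuine, []byte("implant"), attacker.priv)

	fmt.Printf("unverified client runs: %q\n", applyUnverified(swapped))
	for _, pkg := range []updatePackage{genuine, swapped} {
		if bin, err := applyVerified(vendor.pub, installed, pkg); err != nil {
			fmt.Println("verified client:", err)
		} else {
			fmt.Printf("verified client runs: %q\n", bin)
		}
	}
	// Replaying the genuine build-2 package to a client already on build 2 is refused.
	_, err = applyVerified(vendor.pub, 2, genuine)
	fmt.Println("replay of already-installed build:", err)
}
```

The design point is where trust sits: in the unverified path the VPN server is the root of trust, so compromising it compromises every client; in the verified path the root of trust is the vendor's offline signing key, and the server becomes a mere distribution channel whose compromise yields denial of update at worst. Binding the build number into the signed digest and refusing non-increasing builds closes the remaining replay gap, where an attacker redistributes an old, genuinely signed but vulnerable client.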
CISA has uploaded samples of WellMess, WellMail, and SoreFang to VirusTotal.
As the COVID-19 pandemic has worn on, attackers of all kinds have tried to take advantage of it through pandemic-themed phishing campaigns, targeted attacks, and other techniques. There have been reports of other APT groups targeting research organizations and enterprises involved in COVID-19 research, some of them scanning for the same VPN and gateway vulnerabilities that APT29 has been exploiting. The advisory warns that this activity is likely to continue for the foreseeable future.
“APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, as they seek to answer additional intelligence questions relating to the pandemic,” the advisory says.