Late last week, intelligence agencies in Canada, the United Kingdom, and the United States identified the APT29 threat group (also known as YTTRIUM, The Dukes, and Cozy Bear [1]) as being behind a targeted attack on pharmaceutical and academic research organizations involved in COVID-19 vaccine development and research. These and other APT29 operations appear to be directly backed by the Russian government, and APT29 is believed to be an integral part of the Russian intelligence service. [2]
The APT29 threat group has been behind a long string of malicious activities that have been identified since 2008. The APT29 threat group is the same group implicated in the criminal hacking of the Democratic National Committee that started in the summer of 2015 and was intended to influence the 2016 U.S. presidential elections. Phishing campaigns against the White House and other U.S. government agencies were also attributed to APT29.
The U.K.’s National Cyber Security Centre (NCSC) noted that the APT29 threat group uses custom malware known as “WellMess” and “WellMail” in support of this attack on COVID-19 vaccine development. These recent attacks on COVID-19 vaccine research are the first time that WellMess and WellMail have been publicly associated with the APT29 threat group.
The APT29 threat group’s modus operandi is to use publicly available exploits for known vulnerabilities to gain authentication credentials. In these very recent attacks, APT29 was found to conduct vulnerability scanning against the IP addresses owned by the targeted organizations. They have also used spear-phishing to obtain authentication credentials for internet-facing login pages.
APT29 then deploys WellMess malware to conduct operations on the compromised systems. WellMail malware is a tool that runs scripts or commands and then sends the results to the command and control (C2) server. The malware is named “WellMail” because the NCSC noted the word “mail” in the file paths of the samples it analyzed. [3] The malware can communicate with the C2 server via three communication methods: HTTP, HTTPS, and DNS. [4]
APT29 knows that DNS is a well-established and trusted protocol. They also understand that many organizations still do not examine their DNS traffic for malicious activity. DNS tunneling enables the APT29 threat group to insert malware or pass stolen information into DNS queries, creating a covert communication channel that bypasses most firewalls. DNS tunneling often carries data payloads that, once delivered through a compromised DNS server, can be used to control a remote server and its applications.
DNS tunneling doesn’t require the compromised system to have external network connectivity: the compromised host only needs access to an internal DNS server that can itself reach the internet, because that resolver forwards the queries on the host’s behalf. The APT29 threat group must also control a domain and a server that can act as its authoritative name server, since that server is where the server-side tunneling and data payload executable programs run.
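Because the tunnelled queries leave the host through the internal resolver, the resolver’s query log is where a defender can see them. The following is an added example, not code from the original article or from any of the cited advisories: a small Python detector that aggregates constructed resolver log entries per client and registered domain and flags the pattern tunnelled data produces (many distinct, long, high-entropy subdomains, typically with TXT lookups). The domain names, client addresses and thresholds are assumptions for illustration, not indicators from the advisory.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query-log entries: (client_ip, qtype, qname).
# The tunnel-example.org entries are hypothetical, not real indicators.
SAMPLE_QUERIES = [
    ("10.0.0.5", "A", "www.example.com"),
    ("10.0.0.5", "A", "cdn.example.net"),
    ("10.0.0.7", "TXT", "a9f3e2c1b7d84e6f0a2c5d9e1f3b7a4c.tunnel-example.org"),
    ("10.0.0.7", "TXT", "c4d1e8b2f6a0937e5d2b8c1f4a6e0d3b.tunnel-example.org"),
    ("10.0.0.7", "TXT", "e7b2a9c4d1f60583b4a8c2e9d7f1a0b6.tunnel-example.org"),
    ("10.0.0.7", "TXT", "b3f8d2a6c9e14705a1d6b9c3e8f2a4d7.tunnel-example.org"),
    ("10.0.0.9", "A", "mail.example.com"),
]

def shannon_entropy(s: str) -> float:
    """Bits per character; encoded payloads (hex, base32) score close to their alphabet maximum."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registered_domain(qname: str) -> str:
    """Crude approximation: the last two labels (a real deployment would use a public-suffix list)."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def subdomain_part(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[:-2])

def score_domains(queries, min_unique=3, max_label_len=30, entropy_floor=3.0):
    """Aggregate per (client, domain) and return the pairs that look like a tunnel:
    at least min_unique distinct subdomains, each with a label longer than
    max_label_len and entropy at or above entropy_floor. Legitimate CDN, antivirus
    and DKIM lookups can also produce long labels, so tune thresholds and allowlist."""
    stats = defaultdict(lambda: {"unique_subdomains": set(), "txt": 0, "suspicious": 0})
    for client, qtype, qname in queries:
        st = stats[(client, registered_domain(qname))]
        sub = subdomain_part(qname)
        st["unique_subdomains"].add(sub)
        if qtype == "TXT":
            st["txt"] += 1
        longest = max((len(label) for label in sub.split(".") if label), default=0)
        if longest > max_label_len and shannon_entropy(sub.replace(".", "")) >= entropy_floor:
            st["suspicious"] += 1
    return {k: v for k, v in stats.items()
            if len(v["unique_subdomains"]) >= min_unique and v["suspicious"] >= min_unique}
```

Run against the constructed sample, only the 10.0.0.7 / tunnel-example.org pair is returned; the ordinary A lookups never accumulate enough distinct high-entropy subdomains to be flagged.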
Other sources of information on this attack may be referenced here:
- Detailed information on the DNS Communications used in the APT29 attack chain: https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html
- National Cyber Security Centre Advisory on APT29 Targeting COVID-19 vaccine development: https://media.defense.gov/2020/Jul/16/2002457639/-1/-1/0/NCSC_APT29_ADVISORY-QUAD-OFFICIAL-20200709-1810.PDF
- MITRE ATT&CK – APT29 Attack Group disambiguation: https://attack.mitre.org/groups/G0016/
- AP News – Russia is hacking virus vaccine trials: https://apnews.com/47797e89ddb470b3244fae3a799481c5