In a joint release on Thursday with the U.S. and U.K., the Communications Security Establishment (CSE) said a group called Cozy Bear has been targeting organizations carrying out vaccine research — “very likely” in attempts to steal data and intellectual property.
Cozy Bear’s activities include the use of two malware families known as “WellMess” and “WellMail,” according to a statement from the CSE.
While the group is being freshly linked to hacking efforts related to the pandemic, Cozy Bear is a familiar name to cybersecurity experts.
The group — also known as The Dukes or Advanced Persistent Threat 29 (APT29) — is best known for a hack that took place in the lead-up to the 2016 U.S. election.
Cozy Bear, along with another presumed Russian hacking unit called Fancy Bear, is widely suspected to be behind breaches of networks belonging to the Democratic National Committee.
Stephanie MacLellan, a disinformation and cybersecurity expert, said the two groups differ in their activities.
In addition to the Democratic National Convention hack, Cozy Bear has been connected to attacks on the Pentagon email system in 2015, U.S. think tanks in 2016, and Norwegian government networks in 2017, according to a cybersecurity database established by the Council on Foreign Relations.
Cozy Bear has been strongly linked with Russia. Thursday’s statement said that Cozy Bear is “almost certainly” operating as part of Russian intelligence operations.
While Fancy Bear is said to be tied to the Russian military, Cozy Bear has been linked to Russia’s foreign intelligence service, said Mark Nunnikhoven, vice-president of cloud research for TrendMicro.
Nunnikhoven also noted that generally speaking, it’s very tough to identify the actors behind cyberattacks — attributions are made based on patterns observed.
“Right now, when this kind of nation-state political play starts to happen, all we have is the word of various spy agencies or intelligence agencies as to who is doing this activity,” Nunnikhoven told the Geoff Currier Show on Global News Radio Friday.
Based on the advisory from cybersecurity agencies, Cozy Bear’s alleged activities during the COVID-19 pandemic appear to be in keeping with a pattern of information gathering as opposed to direct sabotage or disruption, said MacLellan, the managing editor of Ryerson University’s First Policy Response, a policy project focused on COVID-19 recovery.
Researchers and companies around the world are scrambling to develop vaccine candidates to curb the rate of COVID-19 infection, a process that experts say could take a year or even longer.
“It could very well be that countries like Russia are trying to get the information as soon as they can,” MacLellan said.
“They’re probably under huge pressure internally to try and develop vaccines before some of their international rivals. It could be a matter of not wanting to be beholden to countries like the United States or Canada for vaccines that come to market first.”
The joint report from cybersecurity authorities warned that Cozy Bear is likely to continue its activities as the pandemic unfolds.
The Kremlin has rejected the allegations made in the joint report, which a spokesperson said were not backed by proper evidence, Russian news agency RIA reported.
–With files from The Associated Press and Reuters