Inside Cozy Bear, the shadowy Russian hacker group accused of stealing British Covid vaccine
To cybersecurity experts well versed in the dark arts of hacking, it will come as no surprise that the blame for an attack on a UK coronavirus vaccine project has been pinned on a Russian group known as Cozy Bear.
With close links to the Kremlin’s foreign and domestic intelligence agencies, Cozy Bear, also known as APT29, is among the world’s most infamous hacker groups and has been linked repeatedly over the past decade to a string of high-profile attacks.
In 2015, it was implicated in an attack on the Pentagon that brought down the Joint Staff email system and its internet, while the following year it was widely blamed for an attack on the servers used by the Democratic National Committee.
“APT29 has been successfully compromising systems now for over a decade across the globe,” says Tony Cole, chief technology officer at Attivo Networks. “The pandemic has given them a new and additional target to steal research.”
The Oxford University and Imperial College hack on Covid-19 vaccine research has all the classic hallmarks of a Cozy Bear attack, including the use of “spear phishing” using emails targeted at specific groups and specialist malware designed to quietly harvest data from an infected device or server.
But who is behind the organisation and what are its aims?
Back in 2014, Dutch security services caught a unique glimpse of the perpetrators. In an effort to investigate Russian hacking attempts, Dutch officials managed to break into the security camera system of a Moscow university building close to Red Square.
It was here, inside a computer lab in the university building, that Dutch security personnel got their first glimpse of the hackers now known as Cozy Bear as they were preparing to carry out an attack on the US government.
The Dutch security services had stumbled upon an intelligence jackpot: The university security cameras allowed them to peer over the shoulders of Russian hackers to watch their screens, and even to identify the members of the group.
These findings are backed up by expert analysis of the malware tools used by the hackers. One hacking tool used by the group, named Hammertoss, was found to only have been active during office hours in Moscow and Saint Petersburg.
Researchers have also found that the cyberattacks stopped during Russian national holidays, indicating that the hackers had been given time off work and left their malicious software dormant.
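The working-hours pattern the researchers describe can be checked with a simple bucketing analysis. This is an added example, not code from the article or from any researcher; the beacon timestamps and the holiday list are constructed for illustration, and Moscow and Saint Petersburg are treated as one fixed UTC+3 zone.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Moscow and Saint Petersburg have both kept UTC+3 with no daylight saving since late 2014,
# so a fixed offset is enough here and avoids needing the tz database.
MSK = timezone(timedelta(hours=3), name="MSK")

# Constructed sample of malware check-in times in UTC (not from the article or any real log).
SAMPLE_BEACONS_UTC = [
    "2015-06-15T06:30:00Z", "2015-06-15T12:00:00Z", "2015-06-16T07:15:00Z",
    "2015-06-16T23:30:00Z", "2015-06-17T13:45:00Z", "2015-06-18T05:10:00Z",
    "2015-06-18T09:00:00Z", "2015-06-19T14:59:00Z", "2015-06-20T08:00:00Z",
    "2015-06-12T08:00:00Z",
]
# Russia Day (12 June) is a public holiday; a real analysis would load the full calendar.
RUSSIAN_HOLIDAYS = {"2015-06-12"}


def classify_beacons(stamps_utc, tz=MSK, start_hour=9, end_hour=18, holidays=RUSSIAN_HOLIDAYS):
    """Bucket beacon times by what the operator was likely doing in the candidate time zone.

    Returns counts for in_hours (Mon-Fri, start_hour..end_hour local), off_hours, weekend and
    holiday, plus a per-hour histogram. A high in_hours share with empty weekend and holiday
    buckets is the signature the researchers describe.
    """
    buckets = Counter({"in_hours": 0, "off_hours": 0, "weekend": 0, "holiday": 0})
    by_hour = Counter()
    for s in stamps_utc:
        local = datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).astimezone(tz)
        by_hour[local.hour] += 1
        if local.strftime("%Y-%m-%d") in holidays:
            buckets["holiday"] += 1
        elif local.weekday() >= 5:  # Saturday or Sunday in the candidate zone
            buckets["weekend"] += 1
        elif start_hour <= local.hour < end_hour:
            buckets["in_hours"] += 1
        else:
            buckets["off_hours"] += 1
    buckets["total"] = len(stamps_utc)
    return {**buckets, "by_hour": dict(sorted(by_hour.items()))}


def compare_zones(stamps_utc, offsets_hours):
    """Score candidate UTC offsets by their in-hours share; the best fit is a hint, not proof."""
    return {off: classify_beacons(stamps_utc, timezone(timedelta(hours=off)))["in_hours"] / len(stamps_utc)
            for off in offsets_hours}


if __name__ == "__main__":
    print(classify_beacons(SAMPLE_BEACONS_UTC))
    print(compare_zones(SAMPLE_BEACONS_UTC, [0, 3, 8]))
```

Timing alone is weak evidence, since operators can schedule activity deliberately; it is one data point alongside the camera footage and malware analysis the article mentions.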
The Russian government has for years recruited thousands of promising young computer programmers who could use their expertise for hacking into computer systems in other countries.
In 2014, Cozy Bear hackers broke into an American research organisation. They circulated a file titled “Office Monkeys LOL Video.zip”, which appeared to be an innocent video of monkeys wearing shirts and ties. When amused employees of the organisation shared the video, the file quietly spread malware across the network, giving the hackers access to secret files.
Cozy Bear was also involved in the 2016 hack of the US Democratic National Committee. Cozy Bear hackers had sat on the private network for over a year, but were unaware that a rival Russian government hacking group, Fancy Bear, had also broken into the servers in search of valuable data.
And in 2017, the Cozy Bear and Fancy Bear groups launched attempts to steal secret files from Dutch government departments. The hackers were particularly interested in the country’s upcoming general election, and the hacking attacks forced the Dutch government to count votes by hand to avoid the risk of election interference.
What techniques do they use?
The group has an arsenal of cyber tactics at its disposal for exploiting vulnerable people. Its basic strategy typically begins by casting a wide net across the internet with thousands of emails designed to lure in unsuspecting users.
In a tactic known as “spear phishing”, it poses as a trusted sender, for example a company or organisation the recipient might be a customer of. The aim is to deceive the target into believing the email is legitimate. It is a simple but effective trick that often leads users to hand over credit card details, passport information and more.
According to the National Cyber Security Centre (NCSC), the group uses what are known as “publicly available exploits” in the early stages of its attacks. In practical terms, that means attacking software and hardware that has seen increasing use since the start of lockdown, as millions of people have been forced to work from home.
“They’re using known vulnerabilities in some Citrix equipment and other firewalls and routers and things like that and exploiting those to get into the network,” says Professor Alan Woodward, computer scientist at the University of Surrey.
The broad targeting “potentially gives the group access to a large number of systems globally” as part of its initial grab for log-ins and other sensitive credentials.
Once systems are compromised through this initial strategy, the group can follow up with more targeted attacks using its roster of sophisticated malware.
One type of malware, known as “SoreFang” among security officials at the NCSC, latches onto HTTP, the protocol typically carrying internet traffic in and out of IT systems, to extract information from victims.
Another set of custom-made malware, known as WellMess and WellMail, has been in use since at least 2018 and lets the hackers upload and download files on a compromised system at will.
WellMess has been seen in use by the Russian hackers since it was first found on the computer networks of Japanese companies in 2018.
Hackers place the WellMess software on a target computer network to act as a portal to smuggle out stolen documents. They can also use WellMess to transfer new instructions into their malicious software, helping them to change which networks are targeted and which files are sneaked out.
WellMail is another piece of malicious software which hackers can plant on computer systems to deliver commands and then remove data from networks.
The software, which had never been publicly named or examined before the revelation of the Russian hacks on coronavirus research, sends the hackers the username of whoever is logged in to a computer.
Have they been successful?
On Thursday, the NCSC refused to say whether the Russian hackers had actually made off with any research information on the coronavirus vaccine.
But what’s clear is that the group has been successful in the past, breaking into research organisations and government systems alike.
Though the attack on Oxford researchers makes them just another in a long list of Cozy Bear’s victims, the university could be kicking itself over the ordeal.
For months, research organisations have been put on notice that they may well be targets during the public health crisis, as experts pointed to evidence of government-funded hacking groups from the likes of China, Iran and Russia mobilising as far back as February.
In May, the NCSC issued a public warning about top level hackers eyeing up vaccine researchers in an attempt to steal critical information from them.
Healthcare workers and researchers were urged to change their passwords to avoid being caught up in so-called “password spraying” strategies, in which hackers try commonly used passwords against the log-ins of staff at organisations with prized information.
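Password spraying leaves a distinctive trace in authentication logs: one source failing against many different accounts, a few tries each, rather than many tries against one account. The detection below is an added example, not code from the article or the NCSC; the log format and the sample lines are constructed, and the window and account threshold are assumed values a defender would tune to their own environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the article): time, result, account, source IP.
SAMPLE_LOG = """\
2020-07-16T08:00:01Z FAIL alice 203.0.113.7
2020-07-16T08:00:03Z FAIL bob 203.0.113.7
2020-07-16T08:00:05Z FAIL carol 203.0.113.7
2020-07-16T08:00:07Z FAIL dave 203.0.113.7
2020-07-16T08:00:09Z FAIL erin 203.0.113.7
2020-07-16T08:00:11Z OK frank 203.0.113.7
2020-07-16T08:05:00Z FAIL alice 198.51.100.2
2020-07-16T08:05:10Z FAIL alice 198.51.100.2
2020-07-16T08:05:20Z FAIL alice 198.51.100.2
2020-07-16T08:05:30Z OK alice 198.51.100.2
"""


def parse_log(text):
    """Yield (timestamp, success, account, source) tuples from the simple log format above."""
    for line in text.splitlines():
        ts, result, account, source = line.split()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), result == "OK", account, source


def detect_spray(text, window=timedelta(minutes=10), min_accounts=5):
    """Flag sources that failed against at least min_accounts distinct accounts inside one window.

    Counting distinct accounts per source, rather than failures per account (the classic
    brute-force rule), is what separates a spray from a user mistyping their own password.
    Returns {source: {"accounts": [...], "later_success": [...]}}; any account that later
    succeeded from the same source is the one to check first.
    """
    events = sorted(parse_log(text))
    by_source = defaultdict(list)
    for ts, ok, account, source in events:
        by_source[source].append((ts, ok, account))
    hits = {}
    for source, evs in by_source.items():
        fails = [(ts, acc) for ts, ok, acc in evs if not ok]
        for i, (start, _) in enumerate(fails):
            seen = {acc for ts, acc in fails[i:] if ts - start <= window}
            if len(seen) >= min_accounts:
                later = sorted({acc for ts, ok, acc in evs if ok and ts >= start})
                hits[source] = {"accounts": sorted(seen), "later_success": later}
                break
    return hits


if __name__ == "__main__":
    for source, info in detect_spray(SAMPLE_LOG).items():
        print(source, info)
```

The second source in the sample, which fails three times on one account and then succeeds, is deliberately not flagged: that is the ordinary forgotten-password pattern the rule must ignore to keep the alert useful.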
For now, it is unclear how much information was taken, or if anything was taken at all. But as Woodward makes clear: “They potentially could have got all of it.”