Cozy Bear: Everything we know about the hackers reportedly targeting COVID-19 vaccine research

The UK security agency says it is over 80 percent certain the attacks were to collect information on COVID-19 vaccine research or the COVID-19 virus itself.


A group of hackers in Russia has been accused by the governments of the United Kingdom, the United States, and Canada of stealing information about ongoing COVID-19 vaccine research from various laboratories in those countries.

Advanced Persistent Threat 29 (APT29), more popularly known as "Cozy Bear" and "The Dukes", is a familiar name in cybersecurity circles. It is one of two groups that cybersecurity researchers have long believed are linked to Russia's intelligence services. APT29 has even been accused of playing a key part in interfering with the 2016 US elections.

The UK's National Cyber Security Centre (NCSC) has said that it is 95 percent confident that the hacker group is part of Russian intelligence services.

Multiple reports quoting cybersecurity experts reveal that APT29 – which has a rap sheet going back to 2008 – has targeted several government, diplomatic, think-tank, healthcare, energy and research organizations around the world to gather intelligence that reportedly informs the Russian government's policymaking process.


Cozy Bear: Who are they?

The APT29 (a.k.a. Cozy Bear) hackers, experts say, have kept a low profile, prioritising intelligence gathering over creating a ruckus. That was until earlier this week, when the group used a combination of malware and known security vulnerabilities to access the servers of organizations involved in COVID-19 vaccine research, UK and US cybersecurity agencies have said.

The group was thought to be run by Russian domestic intelligence (the FSB), as per an ABC News report, though more recently analysts have come to believe it belongs to Russia's foreign intelligence service, the SVR.

The group first made news as a "threat actor" in 2014, American cyber-security firm Crowdstrike said in a statement. Unlike many other nation-state hackers in the intelligence arena, Cozy Bear casts a wide net, sending out thousands of phishing emails to a broad set of targets, it adds.

The intelligence service went on to describe the group as "aggressive" in its tactics and "nothing if not flexible", changing tools and methods to suit the target operating system and successfully evading antivirus and other security tools.

What data did they steal?

News of APT29 targeting "various organizations involved in COVID-19 vaccine development" came on Thursday in the form of a joint announcement by the UK, US, and Canadian governments. They didn't identify specific victims of the hack, but added that the hackers were probably "acting with the intention of stealing information and intellectual property" relating to vaccine development and testing for COVID-19.

The Kremlin, however, denied the accusations. Spokesman Dmitry Peskov simply said, "Russia has nothing to do with these attempts."

"Russia’s efforts to steal information regarding COVID-19 vaccine development is part of an ongoing pattern of behavior by hostile foreign intelligence services to use cyberattacks as a means to gather sensitive information and even conduct covert attacks," security expert John Cohen told ABC News.

The hackers targeted "valuable intellectual property (IP) and public health data related to vaccines, treatments, and testing from networks and personnel affiliated with COVID-19-related research," according to a statement by the US Federal Bureau of Investigation (FBI).

However, it is still unclear whether the hackers’ efforts in stealing information about ongoing COVID-19 research were successful.

Technical details released by the UK NCSC said the hackers used a combination of methods to break into their victims’ computers.

"APT29 is using custom malware known as ‘WellMess’ and ‘WellMail’ to target a number of organisations globally...[including] those organisations involved with COVID-19 vaccine development," the NCSC statement said. "WellMess and WellMail have not previously been publicly associated to APT29."

"It's no surprise that cyber-espionage capabilities are being used to gather intelligence on a cure," John Hultquist, senior director of intelligence analysis for cybersecurity firm FireEye, told Bloomberg. "The organizations developing vaccines and treatments for the virus are being heavily targeted by Russian, Iranian and Chinese actors seeking a leg up on their own research. We've also seen significant COVID-related targeting of governments that began as early as January."


APT29 is likely to continue to target organisations involved in COVID-19 vaccine research and development, to answer additional intelligence questions relating to the pandemic, as per an NCSC report on the cyber threat.

In the last decade, APT29 has allegedly hacked governments and political organizations in the US, Georgia, Turkey, Uganda, Norway, and the Netherlands. Most famously, it was confirmed to be behind an attack on the US Democratic National Committee's servers.

Cybersecurity firm Crowdstrike found an intrusion by Cozy Bear at the Democratic National Committee going back to 2015. Another hacker group, known as Fancy Bear, is thought to have breached the network in a separate attack in April 2016. Crowdstrike added in a statement that it found no sign of the two groups collaborating, or even being aware of each other's activity.
