CSE Statement on Threat Activity Targeting COVID-19 Vaccine Development – Thursday, July 16, 2020

Today, together with our United Kingdom and United States partners, CSE and its Canadian Centre for Cyber Security (Cyber Centre) are issuing technical information about Russian cyber threat activity directed at Canadian, United Kingdom and United States organizations, including vaccine research entities, involved in COVID-19 response and recovery efforts. These malicious cyber activities were very likely undertaken to steal information and intellectual property relating to the development and testing of COVID-19 vaccines, and serve to hinder response efforts at a time when healthcare experts and medical researchers need every available resource to help fight the pandemic.

CSE assesses that APT29, also named “the Dukes” or “Cozy Bear” was responsible for this malicious activity, and almost certainly operates as part of Russian intelligence services. This assessment is supported by partners at Government Communications Headquarters’ National Cyber Security Centre, the National Security Agency, and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.

Technical details of APT29 cyber threat activity targeting Canadian, United Kingdom and United States organizations can be found in this joint technical advisory. The advisory includes tactics, techniques and procedures (TTPs) used by the Russian actors throughout 2020, including custom malware known as “WellMess” and “WellMail” to target a number of organizations globally. WellMess and WellMail have not previously been publicly associated to APT29.

CSE and its Cyber Centre have assessed that the COVID-19 pandemic presents an elevated risk to the cyber security of Canadian health organizations involved in the national response to the pandemic. We strongly recommend these organizations review this technical advisory, including the indicators of compromise (IOCs), and take any necessary actions to protect themselves from cyber threats. We encourage them as well to contact the Cyber Centre if they suspect they have been targeted by cyber actors.

Since the start of the COVID-19 pandemic, CSE’s Cyber Centre has been posting advice and guidance online to help inform and educate Canadians on the cyber threats that may be directed against Canada:

In addition, the Cyber Centre recently posted two cyber threat bulletins: Impact of COVID-19 on Cyber Threat Activity and Impact of COVID-19 on Cyber Threats to the Health Care Sector. We continue to work with Canadian health organizations by sharing information, advice and guidance to help mitigate these threats.

Canadians can stay informed by visiting getcybersafe.gc.ca or cyber.gc.ca for more on how to stay cyber secure. In particular, Canadians can protect themselves from a wide range of cyber threats—not just COVID-19-related threats-by taking just a few simple steps:

Businesses and organizations can protect their systems by using the Cyber Centre’s baseline security controls. If any Canadian businesses or organizations suspect they have been targeted by cyber threat activity, we encourage them to contact local law enforcement or the Cyber Centre.