Recently, this blog warned about Advanced Persistent Threats (APTs)—state-sponsored hackers that attack U.S. companies in the hopes of sowing political, technological, or financial disruption. In particular, we warned that healthcare companies were a favorite APT target, as foreign governments sought to extract data relating to healthcare research.

Security officials in the United States, the United Kingdom, and Canada recently announced that a Russian APT called APT29 is targeting organizations involved in national and international COVID-19 responses. According to U.S. intelligence services, APT29 is part of the SVR, Russia’s CIA equivalent, and UK officials also blame it for attacks against the 2016 presidential election.

APT29’s targets include vaccine research and development organizations. Officials believe that it is “highly likely” that APT29 is trying to steal information and intellectual property relating to the development and testing of COVID-19 vaccines through the typical APT tactics of spear-phishing and custom malware, according to the UK statement. The malware programs, known as “WellMess” and “WellMail,” use publicly available exploits to conduct widespread scanning and exploitation against vulnerable systems.

APT29 has apparently selected a broad array of targets for its COVID-19 attacks, some of which are only tangentially related to the COVID-19 research they currently seek. According to the UK, APT29 targeted government, diplomatic, think-tank, healthcare and energy groups to obtain the COVID-19 data it seeks. The Department of Defense notes that, by choosing its targets broadly, APT29 could potentially gain access to a large number of systems globally, and it may maintain a store of stolen credentials to access these systems if they become more useful in the future. APTs will typically cast a wide net of cyberattacks, both to ensnare the information it wants in the near term and to gather information that may become useful in the long term.

The lesson remains clear. APTs’ attacks on an array of organizations make any U.S. organization a potential APT target—regardless of whether or not the organization is “political” or involved in high-profile industries. Organizations must learn about APTs and their tactics, and they must prepare themselves to detect and repel sophisticated APT cyberattacks.

For more information regarding this article, please contact Sean Griffin.

For information regarding Dykema’s Privacy and Data Security Team, please contact Cindy Motley.

To sign up for Dykema’s Privacy and Data Security Blog e-mail updates, please click here.

As part of our service to you, we regularly compile short reports on new and interesting developments and the issues the developments raise. Please recognize that these reports do not constitute legal advice and that we do not attempt to cover all such developments. Rules of certain state supreme courts may consider this advertising and require us to advise you of such designation. Your comments are always welcome. ©2020 Dykema Gossett PLLC.