A Russian hacker group is behind a spate of cyber attacks on medical research centres tasked with finding a vaccine for COVID-19, warns intelligence agencies from the UK, US, and Canada.

In a joint advisory published on Friday morning, the agencies said advanced persistent threat group APT29 has been behind the attacks.

The UK’s National Cyber Security Centre (NCSC), Canada’s Communications Security Establishment (CSE) and the US National Security Agency (NSA) produced the report which says APT29 is “almost certainly” part of Russian intelligence.

UK Foreign Secretary, Dominic Raab, naturally condemned the Russian government for its involvement.

“It is completely unacceptable that the Russian Intelligence Services are targeting those working to combat the coronavirus pandemic,” Raab said.

“While others pursue their selfish interests with reckless behaviour, the UK and its allies are getting on with the hard work of finding a vaccine and protecting global health.”

The allegations come in the same week as US biotechnology company Moderna announced success in early-stage trials of its COVID-19 vaccine.

Vladimir Putin’s press secretary, Dmitry Peskov, denied Kremlin’s involvement in a statement to Russian state broadcaster, Sputnik.

"We have no information who could have hacked pharmaceutical companies and research centers in the UK,” Peskov said.

“We can say one thing – Russia has nothing to do with these attempts. We do not accept such accusations.”

Cozy Bear

APT29 – also known as Cozy Bear or the Dukes – has conducted its latest campaign by leaning on unpatched, publicly known vulnerabilities.

“In recent attacks targeting COVID-19 vaccine research and development, the group conducted basic vulnerability scanning against specific external IP addresses owned by the organisations,” the NCSC advisory said.

“The group then deployed public exploits against the vulnerable services identified.”

It’s another reminder for system administrators around the world to pay close attention to patch notes from vendors.

The Australian Cyber Security Centre posted a similar advisory just last month warning of persistent threat actors hacking Australian organisations.

That advisory mentioned a number of vulnerabilities used by the hackers, including Citrix CVE-2019-19781 which the UK agencies have again highlighted.

Once inside a system, Cozy Bear hackers try to maintain access through legitimate, if not stolen, credentials and by dropping custom malware known as WellMess or WellMail.

Cozy Bear has been targeting international government organisations since at least 2014 and was one of the groups behind the hacking of the US Democratic National Committee’s IT systems.

Emails from the breach were published by WikiLeaks on the eve of the 2016 US election.