Incident: Russian Spies Target Covid-19 Vaccine Research with Spear Phishing

Published Date: 2020-07-16

Postmortem Analysis
Timeline 1. The NCSC counted the attacks among the incidents it handled in the reporting year ending 31 August [107591]. 2. The campaign against vaccine research organizations was publicly reported in July 2020 (the publication date above) [102534]. Therefore the activity took place before mid-July 2020, within that reporting year; neither article gives a precise start date.
System 1. Computer systems at organizations developing a Covid-19 vaccine, entered by exploiting software flaws in vulnerable systems [102534] 2. Email and user accounts targeted by spear-phishing emails carrying dangerous links or lures for login credentials [107591, 102534] 3. Infected machines on which the WellMess and WellMail malware uploaded and downloaded files [102534] [Cybersecurity incident involving Russian spies targeting Covid-19 vaccine research - Article 102534]
Responsible Organization 1. The hacking group APT29, also known as The Dukes or Cozy Bear, assessed as more than 95% certain to be part of the Russian intelligence services, carried out the attacks on vaccine research organizations [102534].
Impacted Organization 1. Organizations involved in Covid-19 vaccine development in the UK, US and Canada, the targets of the APT29 campaign [102534] 2. British vaccine research and other parts of the NHS, targeted by hostile states and criminal gangs [107591] 3. An unnamed English football league club whose corporate and security systems were hit [107591]. The UK's National Cyber Security Centre (NCSC), Canada's Communications Security Establishment (CSE), the US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) and the US National Security Agency (NSA) are the agencies that reported and attributed the attacks, not victims [107591, 102534].
Software Causes 1. Spear-phishing emails carrying dangerous links and malware gave the attackers their initial foothold [107591]. 2. Software flaws in vulnerable systems were exploited for access, after which the WellMess and WellMail malware was used to upload and download files from infected machines [102534].
Non-software Causes 1. Deliberate targeting of British vaccine research and other parts of the NHS by hostile states and criminal gangs, relying on deception (plausible emails, fraudsters posing as PPE suppliers) rather than on software defects alone [107591]. 2. A state actor's decision to go after organizations developing a coronavirus vaccine in the UK, US and Canada, and the recipients who were tricked into handing over login credentials [102534].
Impacts 1. The NCSC handled a record 723 serious incidents in the year, 194 of them coronavirus-related and involving hostile states and criminal gangs; the vaccine-research attacks were among them [107591]. 2. Vaccine research organizations were targeted through spear phishing, exploitation of software flaws and malware, and NHS purchasers through fraudsters posing as PPE suppliers [107591, 102534]. 3. Ransomware incidents rose threefold over the year, with criminals stealing sensitive data and threatening to leak it publicly, echoing the "hack and leak" tactics of the 2016 US election [107591]. 4. An unnamed English football league club suffered a "crippling attack" on its corporate and security systems that stopped its CCTV and turnstiles working [107591].
Preventions 1. Email security controls that authenticate senders and filter dangerous links, to stop the spear-phishing emails both state actors and criminal groups relied on [107591, 102534]. 2. Prompt patching and vulnerability management, since the attackers gained access by exploiting software flaws in vulnerable systems [102534]. 3. Awareness training so that staff recognize spear-phishing lures designed to extract login credentials [102534]. 4. Prompt reporting of suspicious emails to the NCSC's newly created reporting service, which the article notes was inundated with reports [107591]. 5. Multi-factor authentication, so that credentials harvested by spear phishing are not on their own sufficient to reach sensitive data and systems [102534].
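Items 1 and 3 above come down to spotting a plausible-looking but spoofed sender and a dangerous link before a user acts on them. The following is an added example, not code from the articles or from any of the agencies cited: a small Python triage routine that flags those spear-phishing indicators over two constructed messages. It assumes the receiving mail gateway stamps an Authentication-Results header; the trusted domains, addresses and headers are hypothetical.

```python
"""Spear-phishing triage over raw RFC 5322 messages (added example).
All domains, addresses and headers below are constructed for illustration."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed (hypothetical): the defended organization's own and partner domains.
TRUSTED_DOMAINS = {"vaccine-lab.example", "partner-lab.example"}

# Link text that claims to be a URL or a bare hostname.
_URL_LIKE = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class _LinkParser(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._in_a, self._href, self._text = [], False, None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._in_a, self._href, self._text = True, dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._in_a:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._in_a:
            self.links.append((self._href, "".join(self._text).strip()))
            self._in_a = False


def _domain(addr):
    """Lower-cased domain of an address header such as 'Lab IT <it@host>'."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def _edit_distance(a, b):
    """Levenshtein distance, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def phishing_indicators(raw_message):
    """Return the indicators found in one raw message; an empty list means clean."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    found = []
    sender = _domain(msg["From"])

    # 1. SPF, DKIM and DMARC results stamped by the gateway must all be "pass".
    auth = (msg["Authentication-Results"] or "").lower()
    for mech in ("spf", "dkim", "dmarc"):
        m = re.search(rf"\b{mech}=(\w+)", auth)
        if not m or m.group(1) != "pass":
            found.append(f"{mech}:{m.group(1) if m else 'missing'}")

    # 2. Replies silently routed to a domain other than the visible sender's.
    reply = _domain(msg["Reply-To"])
    if reply and reply != sender:
        found.append(f"reply-to-mismatch:{sender}->{reply}")

    # 3. Sender domain within two edits of a trusted domain but not equal to it.
    for trusted in TRUSTED_DOMAINS:
        if sender != trusted and _edit_distance(sender, trusted) <= 2:
            found.append(f"lookalike-domain:{sender}~{trusted}")

    # 4. Links whose visible text names one host while the href goes to another.
    body = msg.get_body(preferencelist=("html",))
    if body is not None:
        parser = _LinkParser()
        parser.feed(body.get_content())
        for href, text in parser.links:
            if not _URL_LIKE.fullmatch(text):
                continue  # "click here" style text makes no host claim
            shown = (urlparse(text if "://" in text else "http://" + text).hostname or "").lower()
            target = (urlparse(href).hostname or "").lower()
            if shown != target:
                found.append(f"link-text-mismatch:{shown}->{target}")
    return found


# Constructed sample messages (not real traffic).
LEGITIMATE_MESSAGE = """\
From: Lab IT <it@vaccine-lab.example>
To: researcher@vaccine-lab.example
Subject: Planned maintenance window
Authentication-Results: mx.vaccine-lab.example; spf=pass smtp.mailfrom=vaccine-lab.example; dkim=pass header.d=vaccine-lab.example; dmarc=pass header.from=vaccine-lab.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Details: <a href="https://intranet.vaccine-lab.example/notice">intranet.vaccine-lab.example/notice</a></p></body></html>
"""

PHISHING_MESSAGE = """\
From: Lab IT <it@vaccine-1ab.example>
Reply-To: helpdesk@mail-recovery.example
To: researcher@vaccine-lab.example
Subject: Urgent: re-validate your credentials
Authentication-Results: mx.vaccine-lab.example; spf=pass smtp.mailfrom=vaccine-1ab.example; dkim=none; dmarc=fail header.from=vaccine-1ab.example
Content-Type: text/html; charset="utf-8"

<html><body><p>Sign in at <a href="https://sso.mail-recovery.example/login">https://sso.vaccine-lab.example/login</a> within 24 hours.</p></body></html>
"""

if __name__ == "__main__":
    for name, raw in (("legitimate", LEGITIMATE_MESSAGE), ("phishing", PHISHING_MESSAGE)):
        print(name, phishing_indicators(raw) or "clean")
```

The four checks are deliberately independent, so a message that passes SPF (as the constructed phishing sample does, because the attacker controls the lookalike domain) is still caught by the failed DMARC alignment, the off-domain Reply-To, the one-character domain substitution and the link whose text and target disagree. Any single indicator is enough to route the message to a human reviewer rather than to the inbox.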
Fixes 1. Stronger defenses against spear phishing and malware delivery at the email and endpoint layers [107591, 102534] 2. A patching and vulnerability management process that closes the software flaws the attackers exploited for access [102534] 3. Regular training so that staff recognize and report phishing attempts [107591, 102534] 4. Threat detection capable of spotting malware such as WellMess and WellMail moving files on infected machines [107591, 102534] 5. Continued sharing of threat intelligence and coordinated attribution between the UK, US and Canadian security agencies [102534]
References 1. UK's National Cyber Security Centre (NCSC) [107591, 102534] 2. Canada's Communications Security Establishment (CSE) [102534] 3. US Department of Homeland Security's Cybersecurity and Infrastructure Security Agency (CISA) [102534] 4. US National Security Agency (NSA) [102534] 5. CrowdStrike [102534] 6. Russian intelligence services [102534]

Software Taxonomy of Faults

Category Option Rationale
Recurring one_organization, multiple_organization (a) one_organization: the NCSC reports that hostile states, Russia among them, and criminal gangs repeatedly targeted British vaccine research and other parts of the NHS with spear phishing during the reporting year, so the same kind of attack recurred against the NHS [107591]. (b) multiple_organization: APT29 (Cozy Bear), assessed to be part of the Russian intelligence services, targeted several organizations involved in Covid-19 vaccine development across Canada, the United States and the United Kingdom, so one campaign hit multiple organizations [102534].
Phase (Design/Operation) design, operation (a) design: the attackers gained access by exploiting software flaws in vulnerable systems and then used the WellMess and WellMail malware to upload and download files from infected machines [102534]; the exploited flaws are defects introduced when the software was designed and built. (b) operation: spear-phishing emails tricked users into handing over login credentials [102534]; this social-engineering path abuses the system's operation by its users rather than a defect in its code.
Boundary (Internal/External) within_system, outside_system (a) within_system: the software flaws the attackers exploited, and the WellMess and WellMail malware that then ran on infected machines, are weaknesses and code inside the victims' own systems [102534]. (b) outside_system: the attacks were initiated by actors outside the victim organizations; the NCSC names Russia and other states as well as criminal groups, and describes plausible spear-phishing emails crafted to get recipients to click dangerous links [107591].
Nature (Human/Non-human) non-human_actions, human_actions (a) non-human_actions: once the attackers had a foothold, the compromise proceeded through software: exploitation of flaws in vulnerable systems and the WellMess and WellMail malware uploading and downloading files from infected machines without further user involvement [102534]. (b) human_actions: the campaign was a deliberate operation by APT29, assessed to be part of the Russian intelligence services [102534]; recipients of spear-phishing emails handed over their login credentials [102534]; criminal groups posed as PPE suppliers to get busy NHS purchasers to pay a non-existent company [107591]; and the threefold rise in ransomware incidents, where hackers demanded payment to restore data, likewise rests on human actors on both sides [107591].
Dimension (Hardware/Software) software (a) hardware: the articles give no indication that hardware contributed to the incident. (b) software: the attacks exploited software flaws to get into vulnerable systems, used the WellMess and WellMail malware to move files on infected machines, and used spear-phishing emails to extract login credentials; they are attributed to APT29 (Cozy Bear), assessed to be part of the Russian intelligence services [102534].
Objective (Malicious/Non-malicious) malicious (a) The incident was malicious. APT29 (Cozy Bear), assessed to be part of the Russian intelligence services, targeted organizations developing a coronavirus vaccine in the UK, US and Canada, exploited software flaws to get into vulnerable systems, used the WellMess and WellMail malware to upload and download files, and used spear phishing to steal login credentials, all in order to steal vaccine research [102534]. The NCSC likewise reports hostile states, including Russia and China, and criminal gangs targeting British vaccine research and other parts of the NHS through spear phishing, aiming to steal vaccine secrets and disrupt critical infrastructure [107591].
Intent (Poor/Accidental Decisions) poor_decisions (a) poor_decisions: the failures followed from deliberate choices by the attackers. Hostile states and criminal gangs chose to target British vaccine research and other parts of the NHS, using spear phishing to get individuals to click dangerous links or hand over sensitive information [107591], and APT29, assessed to be part of the Russian intelligence services, set out to steal information and intellectual property on Covid-19 vaccine development in several countries [102534]. (b) accidental_decisions: not evident. Neither article describes an unintentional mistake or an unintended decision by the victims as the cause of the failures.
Capability (Incompetence/Accidental) accidental (a) The articles give no information pointing to development incompetence; they do not say which software flaws were exploited or how they arose. (b) The exploited flaws are presented as ordinary, unintentional vulnerabilities in the targets' systems, which the attackers found and used for access before deploying the WellMess and WellMail malware and harvesting login credentials through spear phishing [102534].
Duration temporary (a) No permanent failure is described in the articles. (b) The failures were temporary: the access obtained through exploited software flaws and spear-phished credentials, and the presence of the WellMess and WellMail malware on infected machines, last only as long as the intrusion goes undetected and unremediated; they arise from the attackers' activity rather than from a permanent defect in the systems themselves [102534].
Behaviour crash, omission, value, other (a) crash: the English football league club's corporate and security systems suffered a "crippling attack" that stopped its CCTV and turnstiles working, almost forcing a fixture to be called off at short notice [Article 107591]. (b) omission: the targeted systems failed to keep the attackers out, allowing malware to upload and download files and credentials to be phished from users, although the article says the vaccine research itself was not hindered [Article 102534]. (c) timing: no timing failure is described. (d) value: the intrusions aimed at stealing information and intellectual property about vaccine development, so the compromised systems handed data to the wrong party instead of performing their intended function correctly [Article 102534]. (e) byzantine: no inconsistent or erroneous responses and interactions are described. (f) other: criminal groups posing as PPE suppliers to persuade NHS purchasers to pay a non-existent company is a deception that fits none of the other categories [Article 107591].

IoT System Layer

Layer Option Rationale
Perception None None
Communication None None
Application None None

Other Details

Category Option Rationale
Consequence property, delay, non-human, theoretical_consequence (a) death: no deaths attributable to the failure are mentioned in the articles. (b) harm: no physical harm is mentioned. (c) basic: no impact on access to food or shelter is mentioned. (d) property: ransomware incidents in which hackers demanded payment to restore or return stolen sensitive data affected organizations' money and data [107591]. (e) delay: an unnamed English football league club suffered a "crippling attack" on its corporate and security systems that almost forced a fixture to be called off at short notice [107591]. (f) non-human: the infected machines at vaccine research organizations were themselves affected, with attackers exploiting software flaws and using malware to upload and download files from them [102534]. (g) no_consequence: not applicable; the articles report real consequences, including ransomware incidents, attacks on vaccine research organizations and disrupted security systems [107591, 102534]. (h) theoretical_consequence: the article discusses the potential for stolen sensitive data to be leaked publicly, as in the "hack and leak" attacks of the 2016 US election [107591]. (i) other: no further consequences are described beyond those above.
Domain information, finance, government (a) information: the failed systems supported the production of information, namely vaccine research at organizations developing a coronavirus vaccine in the UK, US and Canada, as reported by the UK's NCSC and the other security services [Article 102534]. (h) finance: the wider NCSC figures include a threefold rise in ransomware incidents in which hackers demanded payment to restore or return stolen sensitive data, echoing tactics used by Russian actors in the 2016 US election [Article 107591]. (l) government: the attacks drew a formal attribution to the Russian intelligence services by the UK's NCSC, Canada's Communications Security Establishment and the US Department of Homeland Security, and the targets included NHS organizations [Article 102534, 107591].
