Cozy Bear hackers exposed themselves by taking days off from targeting UK coronavirus vaccines on Russian bank holidays
KREMLIN hackers Cozy Bear gave away their identity as state-backed cyber spies by taking Russian holidays off.
UK cyber-spies have accused the group of launching a new campaign to snatch the secrets of Britain's prototype Covid-19 jab.
Russia has denied involvement in the latest cyber attack – or any others the group is thought to have been behind – along with any links to the gang.
Dmitry Peskov, a spokesman for President Putin, said: “We do not have information about who may have hacked into pharmaceutical companies and research centres in Great Britain.
“We can say one thing – Russia has nothing at all to do with these attempts.”
But Cozy Bear gave the game away by taking Russian holidays off work – just like any other state employees.
Western experts monitoring the hackers over the years noticed their attacks mysteriously stopped on days that coincided with public holidays in Russia, Sun Online understands.
And one piece of malware used by the group was reportedly only active during office hours in Moscow and Saint Petersburg.
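The working-hours and holiday pattern described above is a routine, if weak, attribution signal that a threat-intelligence team can compute from its own telemetry. As an added example that is not from the article or from any organisation it quotes, the Python below profiles constructed C2 beacon timestamps against Moscow office hours and a small, illustrative subset of fixed-date Russian public holidays; the sample data and the threshold are assumptions.

```python
"""Profile attacker activity against Moscow office hours and Russian holidays (added example)."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Moscow has run on fixed UTC+3 (no DST) since October 2014, so a fixed offset suffices.
MSK = timezone(timedelta(hours=3), name="MSK")
DAYS = ("Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun")

# Illustrative subset of fixed-date Russian public holidays as (month, day).
# Movable holidays and government-declared bridge days are deliberately omitted.
RU_FIXED_HOLIDAYS = {(1, 1), (1, 2), (1, 7), (2, 23), (3, 8), (5, 1), (5, 9), (6, 12), (11, 4)}

# Constructed sample: UTC timestamps of beacons seen by a defender's sensor.
SAMPLE_BEACONS = [
    "2020-03-09T06:05:00Z",  # Mon 09:05 MSK
    "2020-03-09T11:40:00Z",  # Mon 14:40 MSK
    "2020-03-10T07:30:00Z",  # Tue 10:30 MSK
    "2020-03-11T14:55:00Z",  # Wed 17:55 MSK
    "2020-03-12T06:00:00Z",  # Thu 09:00 MSK
    "2020-03-13T13:10:00Z",  # Fri 16:10 MSK
    "2020-03-08T08:00:00Z",  # Sun 11:00 MSK, 8 March holiday
]


def to_msk(ts_utc: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp (trailing 'Z') and convert it to Moscow time."""
    return datetime.fromisoformat(ts_utc.replace("Z", "+00:00")).astimezone(MSK)


def profile(timestamps):
    """Return (weekday counts, hour-of-day counts, share inside Mon-Fri 09:00-18:00 MSK,
    number of hits that fall on a listed Russian holiday)."""
    weekday, hour, office, holiday = Counter(), Counter(), 0, 0
    for ts in timestamps:
        local = to_msk(ts)
        weekday[DAYS[local.weekday()]] += 1
        hour[local.hour] += 1
        if local.weekday() < 5 and 9 <= local.hour < 18:
            office += 1
        if (local.month, local.day) in RU_FIXED_HOLIDAYS:
            holiday += 1
    share = office / len(timestamps) if timestamps else 0.0
    return weekday, hour, share, holiday


def fits_moscow_office_hours(timestamps, min_share=0.8) -> bool:
    """Heuristic only: timestamps are easy to schedule, so treat this as one
    corroborating signal, never as attribution on its own."""
    return profile(timestamps)[2] >= min_share


if __name__ == "__main__":
    wd, hr, share, hol = profile(SAMPLE_BEACONS)
    print(dict(wd), dict(sorted(hr.items())), f"office share={share:.2f}", f"holiday hits={hol}")
```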
Britain’s National Cyber Security Council yesterday said the group, which is also known as APT29 and the Dukes, “almost certainly operate as part of Russian Intelligence Services”.
Little is known about the mysterious gang, apart from the fingerprints they have left on a series of cyberattacks over the years.
Despite Russia's repeated denials, their attacks bear all the hallmarks of a state-run spying operation.
The hacks are usually aimed at stealing intellectual property, state secrets or other intelligence – rather than scamming cash like a criminal gang.
Evidence suggests Cozy Bear's targets have included commercial entities and government organisations in Germany, Uzbekistan, South Korea, the US – and now the UK.
The group – which is believed to have been active since 2008 – first came to the attention of spooks in 2014 when it launched a cyber attack on the US government.
The group used a comic video of monkeys working in an office to lure victims into clicking an email link and unwittingly downloading malware.
Cyber-spies from the US National Security Council said they battled with the Russian hackers during 24 hours of “hand-to-hand” cyber combat.
Shocked officials said it showed record levels of aggression in modern cyber warfare.
The State Department had to close its email server for a weekend to purge the Russians from the system.
The Dutch intelligence service AIVD later managed to infiltrate the group, de Volkskrant reported.
Dutch spies were able to compromise computers and even CCTV cameras in a Moscow-based university building the hackers were using.
The agents reportedly watched over the hackers’ shoulders as they carried out their remote attacks.
The Netherlands was able to definitively identify Cozy Bear as agents of Russia's SVR agency, Wired reported.
Dutch spooks warned their American counterparts about what they were witnessing – the Russians hacking into the Democratic National Committee in 2016, it added.
The infamous hack – which also involved another Russian group called Fancy Bear – saw the group stealing opposition research on Donald Trump, as well as reading all email and chats.
The groups were expelled from the DNC systems within hours of detection.
But it wasn’t the last the world would hear from them.
In 2016 and 2017, phishing emails believed to have been sent by the group hit a series of American think tanks and NGOs.
The Norwegian government was also targeted – as well as the Dutch government, possibly in revenge for the previous bust.
The group then went quiet for a number of years, leading to claims they had packed up.
But these suspicions were dispelled in 2019 when three new malware families – PolyglotDuke, RegDuke and FatDuke – were discovered and attributed to Cozy Bear.
The latest malware attacks – collectively known as Operation Ghost – showed Cozy Bear did not cease operations – they just developed new tools that were harder to detect.
Researcher Matthieu Faou, of Slovakian cybersecurity firm ESET, said: “They rebuilt their arsenal.
“They never stopped their espionage activity.”
ESET found the group had penetrated the networks of at least three targets – the ministries of foreign affairs of two Eastern European countries and of one unnamed European Union nation, including the network of that EU country's embassy in Washington DC.
Cybersecurity firm Crowdstrike, which has been monitoring the group for some time, said: “Unlike many of the other nation-state actors that CrowdStrike monitors, Cozy Bear tends to cast a wide net, sending out thousands of phishing emails to a broad set of targets.”
It added that the “aggressive” group was “nothing if not flexible, changing tool sets frequently”.
How to stay safe from hackers
- Protect your devices and networks by keeping them up to date: use the latest supported versions, use anti-virus and scan regularly to guard against known malware threats.
- Use multi-factor authentication to reduce the impact of password compromises.
- Tell staff how to report suspected phishing emails, ensure they feel confident to do so, and investigate their reports promptly and thoroughly.
- Set up a security monitoring capability so you are collecting the data that will be needed to analyse network intrusions.
- Prevent and detect lateral movement in your organisation’s networks.
And now it seems the group have struck again – this time at Britain.
A joint operation with the US and Canada uncovered a "malicious campaign" to steal the coronavirus research of Britain's top scientists, with targeted attacks since March.
The hackers have been trying to break into data held by pharmaceutical companies and research bodies by exploiting well-known vulnerabilities in security software – such as VPN and external mail servers.
UK security services are "almost certain" Russian President Vladimir Putin knew about the attacks.
The PM's official spokesman said today: "The attacks which are taking place against scientists and others doing vital work to combat coronavirus are despicable.
"Working with our allies, we will call out those who seek to do us harm in cyber space and hold them to account."