Cozy Bear Conducting COVID-19 “Research”



The Russian hacker group Cozy Bear, or APT29 (aka the Dukes, Office Monkeys, CozyCar), is targeting organizations involved in COVID-19 vaccine research, according to key government cyber organizations from the United Kingdom (UK), Canada, and the United States (US).

The UK National Cyber Security Centre (NCSC) out of GCHQ, Canada’s Communications Security Establishment (CSE), the NSA, and the DHS Cybersecurity & Infrastructure Security Agency (CISA) released a 14-page joint cybersecurity advisory that lays out the malware used (WellMess, WellMail), example targeted vulnerabilities, and useful IOC information (hashes, IPs, YARA rules).

The advisory did not enumerate all the CVEs of targeted vulnerabilities, but provided this list of four examples, presumably the most important ones to note:

In the National Vulnerability Database (NVD), NIST lists all four as critical severity vulnerabilities, with CVSS 3.1 scores of 9.8, 10, 9.8, and 9.8 respectively, and CYR3CON’s hacker-centric, threat-based analysis assigns all four the maximum CyRating® currently possible. So, the advisory is certainly justified, and prudent organizations should, if they have not already, take action.

Back in May, we wrote about one of these vulnerabilities – CVE-2019-19781 – during our COVID-19-motivated article series. We noted then that the NSA had, in conjunction with the Australian Signals Directorate (ASD), recently released a 17-page CIS that included a warning about that particular vulnerability in the context of web shell malware. It makes for an illustrative case of why getting on top of high-risk vulnerabilities can be difficult.

The constantly shifting cyber landscape is awash in details that make threat-based risk analysis challenging. As one example, on January 6, 2020 CISA released a vulnerability summary bulletin that contained information about CVE-2019-19781 and 288 other vulnerabilities. There were 9 high severity, 68 medium, 5 low, and 206 “severity not yet assigned.” Though CVE-2019-19781 was included among the 9 high severity vulnerabilities, it was listed with a CVSSv2 score of 7.5, along with 6 others, while the two remaining high severity vulnerabilities that week had scores of 10 and 7.8.

Given the 7.5 CVSSv2 score and its relative ranking on one of 52 weekly summaries, it likely was not clear at the time how much of a threat this particular vulnerability was going to be compared to the other 21,365 vulnerabilities that had been assigned a CVE ID starting with CVE-2019. Even the NSA/ASD CIS referenced in our May article did not provide crystal clarity: it listed CVE-2019-19781 as one vulnerability among 12 others on page 15 of a 17-page document. These kinds of data can be useful, but it takes an awful lot of time and attention to find, read, digest, and make use of them.

As noted above from our earlier post in May, one vulnerability that our AI analysis clearly indicates is of special interest to cyber criminals during the COVID-19 situation is CVE-2019-19781* related to Citrix® Gateway, Citrix® Application Delivery Controller, and Citrix® SD-WAN WANOP appliances. Watch this video from May of this year:


At CYR3CON, threat-based risk analysis is not just our business, it is our very reason for existing. We make threat-based analysis of vulnerabilities as easy as possible for our partners. We track the myriad factors that go into making a threat-based decision and use artificial intelligence (AI) to produce a single number – CyRating® – that reflects the likelihood of exploitation. Our process is transparent, so the underlying details are readily available whenever someone is interested in looking. However, looking is not required to reap the benefits of advanced machine learning (ML) algorithms whose results are the AI-driven equivalent of an expert cybersecurity analyst’s evaluation of real-world threat.