And for the first time since the shady group’s existence became known, the allied agencies said that APT29 is “almost certainly” operating as part of Russian intelligence services.
It is believed that vaccine research facilities at Oxford University and Imperial College London are among institutions targeted by the hackers, who are thought to operate by exploiting weaknesses in VPN and external mail services used by researchers.
The attacks form part of a pattern which has seen both state and criminal organisations shift cyber activity to target potentially valuable intellectual property relating to vaccines and treatments for Covid-19 during the pandemic.
NCSC director of operations Paul Chichester said: “We condemn these despicable attacks against those doing vital work to combat the coronavirus pandemic.
“Working with our allies, the NCSC is committed to protecting our most critical assets and our top priority at this time is to protect the health sector.
“We would urge organisations to familiarise themselves with the advice we have published to help defend their networks.”
Known targets of APT29 include UK, US and Canadian vaccine research and development organisations.
The group uses a variety of tools and techniques, including spear-phishing and custom malware known as “WellMess” and “WellMail”.