Nation-State Attackers Actively Target COVID-19 Vaccine-Makers

apts attack covid-19 vaccine research

Three major APTs are involved in ongoing compromises at pharma and clinical organizations involved in COVID-19 research, Microsoft says.

Three nation-state cyberattack groups are actively attempting to hack companies involved in COVID-19 vaccine and treatment research, researchers said. Russia’s APT28 Fancy Bear, the Lazarus Group from North Korea and another North Korea-linked group dubbed Cerium are believed to be behind the ongoing assaults.

According to Tom Burt, corporate vice president of Customer Security and Trust at Microsoft, said on Friday that Microsoft has seen ongoing cyberattacks against at least seven different targets, spread out across the globe.

The majority of the targets are vaccine-makers that have advanced to various stages of clinical trials, Burt said – but one is a clinical research organization involved in trials, and one developed a COVID-19 test.

“These [are] companies directly involved in researching vaccines and treatments for COVID-19,” he wrote, in a blog post. “The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States.”

He added, “Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for COVID-19-related work.”

At least some of the attacks have been successful, he added, but a Microsoft spokesperson declined to say what that exactly means. It’s unclear if the attackers were successful in initial compromise or in actually stealing research or other data.

As for the advanced persistent threat (APT) actors involved, Russia’s APT28 group (which Microsoft calls Strontium and which is also known as Fancy Bear or Sofacy) is using password-spraying and brute-force efforts to crack employee accounts, according to Microsoft telemetry.

Lazarus Group meanwhile (called “Zinc” by Microsoft) is using spear-phishing emails to accomplish credential theft, sending messages with fabricated job descriptions pretending to be recruiters.

And as for Cerium, it too is using spear-phishing emails, but in that case the messages masquerade as coming from World Health Organization (WHO) employees.

When reached for comment on the revelations, a Microsoft spokesperson said the company couldn’t comment further on which specific companies were targeted, nor could the software giant provide any further details on the attacks themselves.

“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for COVID-19, it is essential for world leaders to unite around the security of our healthcare institutions and enforce the law against cyberattacks targeting those who endeavor to help us all,” Burt said.

The news is just the latest in a disturbing trend of cybercriminals targeting those focused on getting the world out of a deadly pandemic. Both private and state-sponsored groups are targeting pharmaceuticals because of the economic and influential advantages a successful vaccine will provide to countries, according to researchers.

Ongoing COVID-19 Research Attacks

In October, COVID-19 vaccine manufacturer Dr. Reddy’s Laboratories shut down its plants in Brazil, India, Russia, the U.K. and the U.S. following a cyberattack. The Indian company is the contractor for Russia’s “Sputinik V” COVID-19 vaccine, which has entered Phase 3 human trials. It’s unclear what the nature of the attack was.

In July, the U.S. Department of Homeland Security warned that Russia-linked group APT29 (a.k.a. CozyBear or the Dukes) has been targeting British, Canadian and U.S. research companies. The APT looks to pilfer COVID-19 vaccine research from academic and pharmaceutical institutions, in a likely attempt to get ahead on a cure for coronavirus, DHS warned.

Earlier on in the pandemic, WHO was targeted by the DarkHotel APT group, which looked to infiltrate its networks to steal information.

And meanwhile, the Justice Department recently accused Chinese government-linked hackers of spying on Moderna, the Massachusetts biotech company. The federal government is supporting the development of Moderna’s vaccine research, with nearly $1 billion invested and clinical trials underway.

“A vaccine for COVID is a strategically valuable (maybe crucial) asset: Whoever gets a vaccine first has an economic advantage and it is worth billions of dollars to a country and its economy,” Sam Curry, Cybereason CSO, told Threatpost. “It is the ultimate IP with immediate value. Having a six-month lead on ‘re-opening’ the world could have a lasting balance of power impact. It’s like having an oil rush, a data advantage or territorial gain in older real political terms. At the very least, there is the potential for trade, diplomacy, military and strategic advantage.”

Ray Kelly, principal security engineer at WhiteHat Security, said that stealing medical secrets is not the only potential motivation for the attacks.

“At the moment, vaccine manufacturers are ideal targets for ransomware as they are on the cusp of finalizing their COVID-19 trials,” he told Threatpost on Friday. “If a manufacturer is hit by ransomware right now, the malicious actors could ask for the type of money we have never seen when it comes to ransom payments.”

He added, “If it comes to choosing between saving lives, or a massive ransom payment, the choice would be clear.”

 2020 Healthcare Cybersecurity Priorities: Data Security, Ransomware and Patching
Hackers Put Bullseye on Healthcare: On Nov. 18 at 2 p.m. EDT find out why hospitals are getting hammered by ransomware attacks in 2020. Save your spot for this FREE webinar on healthcare cybersecurity priorities and hear from leading security voices on how data security, ransomware and patching need to be a priority for every sector, and why. Join us Wed., Nov. 18, 2-3 p.m. EDT for this LIVE, limited-engagement webinar.

Suggested articles