Russia & North Korea Hackers Target COVID-19 Vaccine Companies - Microsoft

Microsoft has disclosed that state-sponsored threat actors originating from Russia and North Korea have been actively targeting organizations involved in the creation of COVID-19 vaccines.
The tech corporation stated on Friday that the cyberattacks were directed at seven different entities located in the United States, Canada, France, India, and South Korea. While the company successfully prevented the majority of these intrusions, it confirmed that a number of attacks did achieve their objectives.
Microsoft indicated that the impacted organizations have been informed of the breaches, but refrained from publicly identifying them.
“We consider these actions to be deeply reprehensible and deserving of universal condemnation,” stated Tom Burt, Corporate Vice President of Customer Security & Trust at Microsoft, in a company blog post.
The technology firm attributed the attacks to three separate hacking groups. The Russian-linked group, identified by Microsoft as Strontium, but more commonly known as APT28 or Fancy Bear, employed password spraying techniques – often utilizing previously compromised or reused credentials – to compromise its targets. Fancy Bear is widely recognized for its disinformation campaigns and hacking activities surrounding the 2016 U.S. presidential election, and has also been implicated in numerous other significant attacks against news organizations and businesses.
The remaining two groups are associated with the North Korean government. One, designated Zinc by Microsoft but better known as the Lazarus Group, utilized highly targeted spearphishing emails, posing as recruiters, in an attempt to obtain login credentials. Lazarus has been previously linked to the 2016 Sony hack and the 2017 WannaCry ransomware incident, alongside other malicious software-based attacks.
Information regarding the other North Korea-backed group, which Microsoft refers to as Cerium, remains limited. Microsoft reported that this group also deployed targeted spearphishing emails, falsely representing themselves as officials from the World Health Organization involved in coordinating the global response to the COVID-19 pandemic.
A representative from Microsoft confirmed this is the first time the company has publicly mentioned Cerium, but offered no further details.
These incidents represent the latest attempts by malicious actors to capitalize on the COVID-19 pandemic for illicit gains. Earlier this year, both the FBI and the Department of Homeland Security issued warnings about potential efforts to steal research related to coronavirus vaccines.
This announcement coincides with the Paris Peace Forum, where Microsoft President Brad Smith will advocate for increased governmental action to counter cyberattacks targeting the healthcare industry, particularly during the current pandemic.
“Microsoft is urging global leaders to recognize that international law provides protection for healthcare facilities and to implement measures to uphold that law,” Burt explained. “We believe this law should be enforced not only when attacks originate from state-sponsored entities, but also when they are launched by criminal organizations that governments allow to operate – or even actively support – within their jurisdictions.”