Nation State APT Groups Targeting Companies Involved in COVID-19 Research and Vaccine Development

Advanced Persistent Threat (APT) groups in Russia and North Korea are targeting companies involved in research into COVID-19 and vaccine development, according to Microsoft. Six large pharmaceutical firms and a clinical research company are known to have been targeted by three APT groups who are attempting to gain access to research and vaccine data.

The cyberattacks have been on “pharmaceutical companies in Canada, France, India, South Korea and the United States,” according to Microsoft and three APT groups are known to be conducting attacks – the Russian APT group Strontium (aka Fancy Bear/APT28) and two APT groups with links to North Korea – The Lazarus Group (aka Zinc) and Cerium. Additionally, in the summer of 2020, warnings were issued by several government agencies about attacks on COVID-19 research firms by another Russian APT group, Cozy Bear (aka APT29).

The targeted organizations have contracts with or investments from governments to advance research into COVID-19 and vaccine development. Most of the targeted companies have developed vaccines which are currently in advanced clinical trials. One of the targeted companies has developed a COVID-19 test and the clinical research firm is involved in conducting COVID-19 vaccine trials. While the attacked companies were not named by Microsoft, cyberattacks have been reported by the Indian pharma firms Dr. Reddy’s and Lupin, and the U.S. biotech firm Moderna is known to have been attacked.

Microsoft reports that some of the attacks have been successful, although Microsoft did not say whether that means systems have been breached or if intellectual property and vaccine and research data were obtained.

The Russian Strontium group has favored brute force tactics to crack passwords for employee accounts, while the Lazarus group has been sending spear phishing emails to key employees to obtain passwords. One tactic used by the Lazarus group involves posing as recruiters and sending fake job descriptions. Cerium, which is believed to be a new North Korean hacking group, has also been using phishing emails to gain access to employee credentials. Its campaign involved impersonating the World Health Organization (WHO).

The motivation behind the attacks are clear. Research and vaccine data would give foreign countries a huge strategic advantage, with research and vaccine data potentially worth billions of dollars. These attacks appear to be solely concerned with data theft. The attacks so far do not appear to have been conducted to hamper efforts to conduct research or develop vaccines but there are many cybercriminal groups that are conducting destructive cyberattacks.

Healthcare organizations have faced a barrage of financially motivated cyberattacks by cybercriminals organizations using ransomware in recent months. Recently, CISA, the FBI, and HHS issued a joint advisory following an increase in targeted Ryuk ransomware attacks on healthcare organizations in the United States. The Ryuk and other ransomware gangs have also attacked healthcare organizations in France, Germany, Thailand, Spain, and the Czech Republic. The ransomware attack on a hospital in Germany resulted in the first known patient death due to a ransomware attack, and several attacks in the United States have resulted in major disruption and have forced hospitals to cancel elective procedures and reroute patients to alternative healthcare facilities.

Several industry groups are offering assistance to organizations in the healthcare sector such as the Health Sector Coordinating Council and Health-ISAC, and are providing indicators of compromise (IoCs) and detailed information on recent attacks to help organizations improve their defenses against cyberattacks and better defend their networks and data.

Microsoft has been taking an active role in attack prevention and has recently participated in the Paris Peace forum, a multi-stakeholder coalition working on combating these attacks, in particular to stop attacks on critical infrastructure from succeeding. Prior to the Paris Peace Forum, over 65 healthcare organizations joined the Paris Call for Trust and Security in Cyberspace. The Paris Call is largest multi-stakeholder coalition to date that addresses cybersecurity issues faced by the healthcare industry.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a Friday blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.