Covid-19 vaccine developers actively targeted by state-funded APTs

by Gabriel E. Hall - - 2020-11-16

North Korean and Russian hackers actively targeting seven labs developing Covid-19 vaccine, Microsoft reports

Microsoft: cyberattacks on healthcare must stop State-sponsored hackers are actively targeting at least seven pharmaceutical companies involved in the COVID-19 vaccine development

Amid the coronavirus pandemic, cybercriminal activity worldwide rose by a great margin and, while some ransomware gangs promised to leave hospitals alone, others targeted the medical industry in order to grab some more cash. State-sponsored attacks might have completely different goals, however, and it seems like several APT (Advanced Persistent Threat Groups) are targeting seven companies across the globe that are actively participating in the new vaccine development and testing.

Tom Burt, Microsoft's Corporate Vice president of Customer Security and Trust, claimed that all the resources to be undertaken to prevent cybercriminals from striking vital targets that are working hard to fight the pandemic:^[1]

Today, Microsoft’s president Brad Smith is participating in the Paris Peace Forum where he will urge governments to do more. Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.

According to the report, Microsoft is not the only entity that is aware of the ever-increasing threat of cybercrime in the medical sector. Burt said that these matters were also discussed in the virtual Paris Pease Forum, joined by France’s Minister for Foreign Affairs Jean-Yves le Drian, Ambassador Guilherme de Aguiar Patriota of Brazil, Ambassador Jürg Lauber of Switzerland, and 65 healthcare organizations.

The on-going attacks organized by Lazarus, Fancy Bear, and Cerium

While many of the hospital-targeting attacks are based on financial gain, it is believed that APTs might have other cyber-espionage-based goals. Many of the pharmaceutical companies “have contracts with or investments from government agencies from various democratic countries for COVID-19-related work,” Tom Burt said. According to him, three prominent state-sponsored hacking groups are involved:

Russia's Fancy Bear (Strontium)
North Korea's Lazarus (Hidden Cobra)
North Korea's Cerium.

Lazarus is possibly one of the most recognized APTs globally. It has been responsible for such prominent attacks as Sony's Operation Blockbuster in 2014 and WannaCry global outbreak in 2017.^[2] This actor typically sends out spear-phishing emails that contain fake job applications.

Fancy Bear gang is active since at least 2004 and have believed to play a major role in the US presidential election of 2016.^[3] It usually employs password spraying and brute-force attacks to steal login credentials and then harvest relevant data.

Cerium is a relatively new player in the cybercriminal world but is also believed to be sponsored by the North Korean government. Security researchers have spotted the gang actively engaging in coronavirus-themed spam email delivery to various targets.

Hospitals still actively targeted by cybercriminal groups

The three cybercriminal gangs are targeting at least seven medical institutions based in various locations around the world, including Canada, France, India, South Korea, and the United States. Many of these medical institutions are actively developing the Covid-19 vaccine, and one of them was even responsible for engineering a working test:

Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials. One is a clinical research organization involved in trials, and one has developed a Covid-19 test. Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work.

It is really concerning that healthcare providers have to deal with cybercriminal attacks during such a difficult time. Hospitals were struck by malware in the US,^[4] Germany, Spain, and many other countries. In fact, in Germany, one woman was pronounced dead after the local Duesseldorf University Hospital was unable to take in emergency patients due to disruptions caused by ransomware.^[5]

Tom Burt did mention that some of the attacks were successful, although he did not specify to what extent (i.e., whether the malware was implanted of whether some sensitive information was leaked). While government and local authority awareness is essential, hospitals and pharmaceutical sectors should also ensure that the systems are working correctly and all the security holes are patched on time.

About the author

Gabriel E. Hall - Passionate web researcher

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.

Contact Gabriel E. Hall
About the company Esolutions

References

^ Tom Burt. Cyberattacks targeting health care must stop. Microsoft. Official security research blog.
^ Mathew J. Schwartz. WannaCry Ransomware Outbreak Spreads Worldwide. BankInfoSecurity. Bank information security news, training.
^ Raphael Satter, Christopher Bing, Joel Schectman. Exclusive: Russian hackers targeted California, Indiana Democratic parties. Reuters. Business & Financial News.
^ Vivian Salama, Alex Marquardt, Lauren Mascarenhas and Zachary Cohen. Several hospitals targeted in new wave of ransomware attacks. CNN. News report.
^ Nicole Wetsman. Woman dies during a ransomware attack on a German hospital. The Verge. Technology news website.