North Korean and Russian state-backed hackers have intensified cyber attacks on pharmaceutical companies working to develop a COVID-19 vaccine, a top Microsoft official noted in November.
Attacks have been levied against seven companies researching vaccines and treatments for the virus in Canada, France, India, South Korea and the U.S. Microsoft has blunted a "majority" of the attacks, but a few have gotten through the security defenses baked into its products, Tom Burt, Microsoft's corporate vice president for customer security and trust, said in a blog post.
The offensives were set in motion by the Russia-based Strontium crew, also known as Fancy Bear and APT28, and two actors originating from North Korea that Microsoft has dubbed Zinc and Cerium. Microsoft previously identified Strontium as responsible for attacks on some 200 organizations, including political campaigns and advocacy groups.
“We think these attacks are unconscionable and should be condemned by all civilized society,” Burt wrote. “We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help. These are just among the most recent attacks on those combating COVID-19. Cyber attacks targeting the health care sector and taking advantage of the pandemic are not new.”
Most of the targets are vaccine makers with COVID-19 immunizations in various stages of clinical trials. The targets also include a clinical research organization involved in trials and a company that has developed a COVID-19 test, Burt said. A number of targets have contracts or investments with government agencies related to COVID-19 research and development.
There was no word from the technology giant on whether Pfizer or Moderna, both of which have recently announced successful clinical trials for a COVID-19 vaccine and may soon gain regulatory clearance, were among the companies where the hackers aimed the cyber attacks.
Of the three hacking syndicates, Strontium is best known for campaigns to harvest people’s login credentials or compromise their accounts to gather intelligence or disrupt operations. The gang has recently moved from spear phishing to brute force attacks and password spraying. Zinc has primarily used spear phishing lures for credential theft while impersonating job recruiters. Cerium has engaged in spear phishing email trickery using COVID-19 themes while masquerading as World Health Organization representatives.
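The two credential-attack patterns attributed to Strontium above, brute force and password spraying, look different in authentication logs: brute force piles many failures onto one account, while spraying touches many accounts from one source with only one or two failures each, so per-account lockout thresholds never trip. The detector below is an added example written for this article, not code from Microsoft's post; the log format, the sample lines, and the thresholds (a 10-minute window, five distinct accounts, five failures) are all constructed assumptions, and a real deployment would parse its own sign-in log source instead.

```python
"""Hypothetical detector for password spraying and brute-force login attempts.
The log format is invented for this example; real sign-in logs (cloud identity
provider audit logs, Windows logon failure events) need their own parser."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, result, account, source IP.
# 203.0.113.7 sprays five accounts once each; 198.51.100.4 hammers one account.
SAMPLE_LOG = """\
2020-11-13T08:00:01Z FAIL user=alice src=203.0.113.7
2020-11-13T08:00:03Z FAIL user=bob src=203.0.113.7
2020-11-13T08:00:05Z FAIL user=carol src=203.0.113.7
2020-11-13T08:00:07Z FAIL user=dave src=203.0.113.7
2020-11-13T08:00:09Z FAIL user=erin src=203.0.113.7
2020-11-13T08:00:11Z OK   user=frank src=203.0.113.7
2020-11-13T08:01:00Z FAIL user=grace src=198.51.100.4
2020-11-13T08:01:02Z FAIL user=grace src=198.51.100.4
2020-11-13T08:01:04Z FAIL user=grace src=198.51.100.4
2020-11-13T08:01:06Z FAIL user=grace src=198.51.100.4
2020-11-13T08:01:08Z FAIL user=grace src=198.51.100.4
2020-11-13T08:01:10Z FAIL user=grace src=198.51.100.4
2020-11-13T09:30:00Z FAIL user=heidi src=192.0.2.9
2020-11-13T09:30:05Z OK   user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return a list of (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def _failures_by_key(events, key_index):
    """Group failed logins by one tuple field (2 = user, 3 = src), sorted by time."""
    groups = defaultdict(list)
    for ev in events:
        if ev[1] == "FAIL":
            groups[ev[key_index]].append(ev)
    for evs in groups.values():
        evs.sort(key=lambda e: e[0])
    return groups


def detect_spray(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    """Flag source IPs whose failures inside any `window` hit at least `min_users`
    distinct accounts while no single account sees more than `max_per_user` failures.
    The low per-account count is what distinguishes spraying from brute force."""
    flagged = set()
    for src, fails in _failures_by_key(events, 3).items():
        for i, (start, _, _, _) in enumerate(fails):
            per_user = defaultdict(int)
            for ts, _, user, _ in fails[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                flagged.add(src)
                break
    return sorted(flagged)


def detect_brute_force(events, window=timedelta(minutes=10), min_failures=5):
    """Flag accounts that accumulate at least `min_failures` failures inside any `window`."""
    flagged = set()
    for user, fails in _failures_by_key(events, 2).items():
        for i, (start, _, _, _) in enumerate(fails):
            count = sum(1 for ts, *_ in fails[i:] if ts - start <= window)
            if count >= min_failures:
                flagged.add(user)
                break
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("spraying sources :", detect_spray(evs))        # ['203.0.113.7']
    print("brute-forced users:", detect_brute_force(evs))  # ['grace']
```

The spray check deliberately ignores the one successful login from the spraying source; in practice that success after a run of one-per-account failures is the event worth escalating, since it marks the account whose weak password the spray found. Both functions use a per-group sliding window so that slow, low-rate activity spread over a longer period would need a wider window or a lower threshold to surface.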
Since the beginning of the pandemic, hackers have repeatedly tried to hijack critical information from pharmaceutical companies and medical facilities. In October, a ransomware attack hit eResearch Technology, a Philadelphia, Pennsylvania-based company that sells a digital platform for drug companies to manage seasonal and epidemic vaccine trials. Last July, the U.S. Justice Department charged two Chinese nationals with conducting a decade-long hacking campaign to steal intellectual property for that nation’s spy services from a number of organizations, including drug makers. The cyber operatives allegedly probed research facilities working to develop vaccines and treatments for COVID-19. Earlier that month, American, British and Canadian national security officials accused the notorious, Kremlin-linked cyber crew Cozy Bear, also known as APT29, of trying to steal intelligence and supply chain information from research facilities and healthcare organizations engaged in COVID-19 vaccine development.
“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for COVID-19, it is essential for world leaders to unite around the security of our health care institutions and enforce the law against cyber attacks targeting those who endeavor to help us all,” Burt said.