North Korean hackers recently targeted staff at British biopharmaceuticals company AstraZeneca which is conducting clinical trials of a coronavirus vaccine that it jointly developed with Oxford University.

According to Reuters, North Korean hackers posed as recruiters on LinkedIn and WhatsApp and targeted AstraZeneca employees with phishing emails that were laced with malware. The emails sent by hackers pertained to fresh job openings and required recipients to download malicious documents that were disguised as job descriptions.

The timing of the phishing campaign targeting AstraZeneca employees is both significant and unsurprising, considering the firm is presently conducting clinical trials of a coronavirus vaccine that it has jointly developed with Oxford University.

The UK recently purchased at least 5 million doses of a coronavirus vaccine developed by Moderna which is claimed to be around 95% effective and has also secured 355 million doses of potential vaccines developed by other organisations engaged in coronavirus vaccine research. The government is also monitoring the trials of the vaccine developed by AstraZeneca and Oxford University.

Reuters learned from people with knowledge of the matter that North Korean hackers recently targeted a “broad set of people” at AstraZeneca, including staff engaged in coronavirus vaccine research. The tools and techniques used in the campaign made it clear that the attacks were part of an ongoing hacking campaign being conducted by North Korean hackers.

Responding to the report published by Reuters, the National Cyber Security Centre said it is providing ongoing and proactive support to healthcare organisations in the UK and is fully committed to protecting the health sector and crucial vaccine research and development against cyber threats.

“Since the outbreak of Covid-19, the National Cyber Security Centre’s top priority has been the cyber security and resilience of the UK’s health sector. This includes ongoing and proactive support to the vaccine research taking place at organisations in the UK, in order to reduce and mitigate the risks of cyber attacks impacting their vital work.

“Working alongside our allies, the NCSC is committed to protecting our most critical assets, the health sector, and crucial vaccine research and development against threats,” it said.

Earlier this month, Microsoft had also issued a warning about the Rusian hacker group Strontium and North Korean hacker groups Zinc and Cerium targeting organisations engaged in COVID-19 vaccine research with credential stuffing, brute-force, and spear-phishing attacks. The targeted organisations are located in Canada, France, India, South Korea, and the United States.

The list of targeted organisations is dominated by vaccine research organisations that have Covid-19 vaccines in various stages of clinical trials as well as organisations that have developed COVID-19 tests. Many of these organisations have been beneficiaries of government funding and contracts in many countries for Covid-19 related work.

According to Tom Burt, the Corporate Vice President for Customer Security & Trust at Microsoft, the two North Korean nation-state actors have also been targeting COVID-19 research organisations with spear-phishing attacks that are aimed at exploiting the human factor to obtain information about research on COVID-19 vaccines.

"Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organisation representatives," he said.

"The majority of these attacks were blocked by security protections built into our products. We’ve notified all organisations targeted, and where attacks have been successful, we’ve offered help.

"Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated," he added.