North Korean hackers targeting COVID-19 vaccine research firms, Microsoft warns

Microsoft has warned governments worldwide about the Rusian hacker group Strontium and North Korean hacker groups Zinc and Cerium targeting organisations engaged in COVID-19 vaccine research with credential stuffing, brute-force, and spear-phishing attacks.

In a blog post published Friday, Tom Burt, the Corporate Vice President for Customer Security & Trust at Microsoft, said three particular nation-state actors, one Russian and two North Korean, have recently been observed targeting leading pharmaceutical companies and vaccine research organisations in Canada, France, India, South Korea, and the United States.

The list of targeted organisations is dominated by vaccine research organisations that have Covid-19 vaccines in various stages of clinical trials as well as organisations that have developed COVID-19 tests. Many of these organisations have been beneficiaries of government funding and contracts in many countries for Covid-19 related work.

According to Microsoft, Russian nation-state hacker group Strontium, also known as APT28 and Fancy Bear, is carrying out large-scale password spray and brute force login attempts to steal login credentials of employees at COVID-19 vaccine research firms. Some of these brute-force attacks involve hackers making millions of rapid attempts to break into corporate networks and gain access to precious research material and intellectual property.

Last year, Microsoft had also flagged Strontium for targeting at last 16 anti-doping authorities and sporting organisations worldwide ahead of the Tokyo Summer Games. The company said that the hacker group used a variety of tools and methods such as spear-phishing, password spray, the exploitation of internet-connected devices, and the use of both open-source and custom malware to target organisations.

In his blog post that was published last week, Burt added that aside from Strontium, a couple of North Korean nation-state actors have also been targeting COVID-19 research organisations with spear-phishing attacks that are aimed at exploiting the human factor to obtain information about research on COVID-19 vaccines.

"Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World Health Organisation representatives," he said.

"The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.

"Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law. We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated," he added.

Who are Zinc and Cerium?

While many may never have heard about Zinc before, the hacker group is none other than the feared state-sponsored Lazarus Group, which is also known as APT38, Hidden Cobra, Whois Team, and Guardians of Peace. Founded in 2009, the hacker group has carried out a large number of cyber-attacks on media, finance and aerospace companies as well as on governments worldwide. It is best known for conducting the global WannaCry attack which spread malicious ransomware to hundreds of thousands of computers around the world.

Unlike the Lazarus Group, Cerium is a relatively new hacker group based out of North Korea that has never been linked to any particular cyber attack or phishing campaign. We don't know yet if the group is an offshoot of the Lazarus Group or if is a solitary one, but considering Microsoft has regarded it malicious enough to mention its name alongside Fancy Bear and the Lazarus Group, we fear we'll hear more about the hacker group in the coming days.

Copyright Lyonsdown Limited 2020