Russian and North Korean Groups Still Targeting #COVID19 Vaccine Firms

Microsoft has urged governments to act after revealing that three state-sponsored threat groups have been targeting seven companies currently developing COVID-19 vaccines and treatments.

VP for customer security and trust, Tom Burt, pointed the finger at the Russian military Strontium group (aka APT28, Fancy Bear) and North Korea’s Zinc (aka Lazarus) and Cerium groups.

The pharma and vaccine companies being targeted were not named, but Microsoft said they hailed from Canada, France, India, South Korea and the US, and have vaccines and COVID-19 tests in clinical trials.

“Strontium continues to use password spray and brute force login attempts to steal login credentials. These are attacks that aim to break into people’s accounts using thousands or millions of rapid attempts,” Burt explained.
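The two techniques Burt describes leave different footprints in authentication logs: a password spray tries a few passwords against many accounts (one source, many distinct usernames, few attempts each), while classic brute force hammers one account with many attempts. The following script is an added illustration, not code from the article or from Microsoft. It parses a constructed, simplified log format (ISO timestamp, source IP, username, FAIL/OK) and flags both patterns with a sliding time window; the thresholds and log format are assumptions chosen for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines for the example (not real data).
# Assumed format: "<ISO timestamp> <source_ip> <username> <FAIL|OK>"
SAMPLE_LOG = """\
2020-11-13T09:00:01 203.0.113.5 alice FAIL
2020-11-13T09:00:03 203.0.113.5 bob FAIL
2020-11-13T09:00:05 203.0.113.5 carol FAIL
2020-11-13T09:00:07 203.0.113.5 dave FAIL
2020-11-13T09:00:09 203.0.113.5 erin FAIL
2020-11-13T09:00:11 203.0.113.5 frank FAIL
2020-11-13T09:00:20 198.51.100.7 alice FAIL
2020-11-13T09:00:21 198.51.100.7 alice FAIL
2020-11-13T09:00:22 198.51.100.7 alice FAIL
2020-11-13T09:00:23 198.51.100.7 alice FAIL
2020-11-13T09:00:24 198.51.100.7 alice FAIL
2020-11-13T09:00:25 198.51.100.7 alice FAIL
2020-11-13T09:00:26 198.51.100.7 alice FAIL
2020-11-13T09:00:27 198.51.100.7 alice FAIL
2020-11-13T09:00:28 198.51.100.7 alice FAIL
2020-11-13T09:00:29 198.51.100.7 alice FAIL
2020-11-13T09:00:30 198.51.100.7 alice FAIL
2020-11-13T09:05:00 192.0.2.9 grace FAIL
2020-11-13T09:05:30 192.0.2.9 grace OK
"""


def parse_log(text):
    """Turn the assumed four-field log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "ip": ip,
            "user": user,
            "result": result,
        })
    return events


def detect_auth_abuse(events, window=timedelta(minutes=5),
                      spray_users=5, brute_attempts=10):
    """Flag password spraying and brute force per source IP.

    spray:        ip -> peak number of distinct usernames that failed
                  from that IP inside one window (>= spray_users)
    brute_force:  (ip, user) -> peak failed attempts on one account
                  inside one window (>= brute_attempts)
    Thresholds are illustrative; tune them to the real environment.
    """
    failures_by_ip = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":          # successes are not counted
            failures_by_ip[ev["ip"]].append(ev)

    spray, brute = {}, {}
    for ip, evs in failures_by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end, ev in enumerate(evs):
            # Slide the window start forward until it fits within `window`.
            while ev["ts"] - evs[start]["ts"] > window:
                start += 1
            in_window = evs[start:end + 1]

            distinct_users = {e["user"] for e in in_window}
            if len(distinct_users) >= spray_users:
                spray[ip] = max(spray.get(ip, 0), len(distinct_users))

            per_user = Counter(e["user"] for e in in_window)
            for user, n in per_user.items():
                if n >= brute_attempts:
                    key = (ip, user)
                    brute[key] = max(brute.get(key, 0), n)

    return {"spray": spray, "brute_force": brute}


if __name__ == "__main__":
    findings = detect_auth_abuse(parse_log(SAMPLE_LOG))
    for ip, n in findings["spray"].items():
        print(f"possible password spray from {ip}: {n} distinct accounts")
    for (ip, user), n in findings["brute_force"].items():
        print(f"possible brute force from {ip} against {user}: {n} attempts")
```

On the sample data the first source trips the spray rule (six accounts, one attempt each, within seconds) and the second trips the brute-force rule (eleven failures against one account), while the third source, a single failure followed by a success, is not reported. In production the same logic would run over sign-in logs from the identity provider, and the spray rule is the one that per-account lockout policies miss, which is why it is worth alerting on separately.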

“Zinc has primarily used spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be recruiters. Cerium engaged in spear-phishing email lures using COVID-19 themes while masquerading as WHO representatives. The majority of these attacks were blocked by security protections built into our products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.”

Such companies have been targeted throughout the year. Back in May, reports suggested state-backed APT attacks on the UK’s leading vaccine contender, being developed by AstraZeneca and Oxford University.

The same month, the US authorities blamed Chinese actors for trying to steal valuable virus research IP from domestic companies.

A couple of months later, Russia’s APT29 or Cozy Bear group was detected targeting vaccine developers in the UK, US and Canada in a campaign the National Cyber Security Centre (NCSC) branded “despicable.”

At the Paris Peace Forum on Friday, Microsoft’s Brad Smith urged governments to respond.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said Burt.

“We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.”