Russian and North Korean government operatives have attempted to breach seven high-profile companies developing coronavirus vaccines and treatments and have succeeded on several occasions, Microsoft said Friday.
“The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea, and the United States,” Tom Burt, Microsoft’s corporate vice president of customer security and trust, wrote in a blog post.
Microsoft attributed the malicious activity to three groups: Strontium, a unit of Russia’s military intelligence agency that’s also known as Fancy Bear and APT28; Zinc, a North Korean hacker team better known as the Lazarus Group; and Cerium, another North Korean group.
Burt said Microsoft’s security tools blocked “the majority” of the attacks. “We’ve notified all organizations targeted,” he wrote, “and where attacks have been successful, we’ve offered help.”
A target on their backs: Coronavirus research and potential vaccines have become a major target of nation-state hackers during the pandemic. In May, CISA and the FBI announced an espionage campaign by Chinese hackers. At around the same time, Reuters reported that Iranian hackers had targeted the pharmaceutical giant Gilead Sciences, which is researching a treatment for the virus. Two months later, federal prosecutors included coronavirus-focused hacking in a sweeping indictment of two alleged Chinese hackers.
Cybercriminals have exploited anxieties about the pandemic in their hacking campaigns. In July, Microsoft announced an operation to dismantle the infrastructure used by one group of criminals who used coronavirus-themed lures to spread their malware.
The methods: The Russian hackers deployed a tried-and-true two-part strategy, according to Microsoft. They attempted to log in with commonly used credentials in what’s known as a “password spray” attack, and they repeatedly tried massive numbers of passwords at high speed in what’s called a “brute-force” attack.
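A defender-side view of the two techniques, as an added example that is not code from Microsoft's post or the article: a small Python routine that sorts failed-login records by source and flags the two shapes described above, a spray (one source touching many accounts with few attempts each) versus a brute force (one source hammering a single account). The thresholds, IP addresses, and account names are constructed sample values, not from the page.

```python
from collections import defaultdict

# Constructed sample of failed-login events (hypothetical data, not from the article):
# one (source_ip, username) tuple per failed attempt. IPs come from documentation ranges.
SAMPLE_FAILURES = (
    # Source A: one attempt each against many accounts -> password-spray pattern
    [("203.0.113.7", f"user{i:02d}") for i in range(25)]
    # Source B: many attempts against a single account -> brute-force pattern
    + [("198.51.100.9", "admin")] * 40
    # Source C: a user mistyping a password a few times -> benign
    + [("192.0.2.5", "carol")] * 3
)


def classify_sources(failures, spray_min_users=10, brute_min_attempts=20):
    """Label each source IP by the shape of its failed logins.

    spray_min_users:    distinct accounts a source must hit to look like a spray
    brute_min_attempts: attempts against one account that look like a brute force
    Both thresholds are assumed tuning values; set them from your own baseline.
    """
    # source_ip -> {username -> failed-attempt count}
    per_source = defaultdict(lambda: defaultdict(int))
    for ip, user in failures:
        per_source[ip][user] += 1

    verdicts = {}
    for ip, users in per_source.items():
        distinct_accounts = len(users)
        max_per_account = max(users.values())
        if distinct_accounts >= spray_min_users and max_per_account >= brute_min_attempts:
            verdicts[ip] = "spray_and_brute_force"
        elif distinct_accounts >= spray_min_users:
            verdicts[ip] = "password_spray"
        elif max_per_account >= brute_min_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_FAILURES).items():
        print(f"{ip}: {verdict}")
```

Because a spray produces only one or two failures per account, per-account lockout counters never fire on it; grouping by source (or by time window across all accounts) is what makes the pattern visible.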
The North Korean hackers preferred to use spearphishing emails to entice people into unwittingly handing over their passwords. Zinc sent fake job-recruiting messages, while Cerium posed as World Health Organization officials sharing coronavirus data.
Political priorities: Microsoft’s attribution of some of these attacks to Fancy Bear and the Lazarus Group is significant. Both groups are favorites of their governments, which regularly deploy them to steal information or disrupt operations in ways that benefit their foreign policy goals.
Fancy Bear was one of two Moscow-backed groups to breach the Democratic National Committee in 2016. It has also hacked the German parliament, the White House, NATO and the International Olympic Committee.
The Lazarus Group earned infamy for hacking Sony Pictures Entertainment in 2014 in apparent retaliation for a film that mocked North Korean leader Kim Jong-un. In 2017, it unleashed the WannaCry ransomware that struck hundreds of thousands of companies around the world. It has also frequently penetrated and wiped the computer networks of South Korean companies and government organizations.
Give cyber peace a chance: Microsoft used its announcement to argue for a global prohibition against cyberattacks on critical infrastructure such as healthcare systems. On Friday, Microsoft President Brad Smith will deliver this message in a speech at the Paris Peace Forum.
“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce these laws,” Burt wrote. “We believe these laws should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate — or even facilitate — within their borders.”