Microsoft Warns Of Russia, North Korea Attacks On Vaccine Research

Microsoft said it has detected attacks by state-backed hackers from North Korea and Russia on coronavirus vaccine efforts in a number of countries, including a number of major pharmaceuticals companies.

The company’s findings, which are based on data from its security services, follow warnings earlier this year from cyber-security authorities that hackers were targeting vaccine research.

Microsoft said it had uncovered campaigns from three distinct hacking groups, one from Russia and two from North Korea.

The attackers targeted seven pharmaceuticals companies involved in coronavirus vaccine research, and also singled out individual researchers in Canada, France, India, South Korea and the United States.

Credential theft

The attacks on individual researchers were aimed at obtaining login credentials that could be used to access corporate files, Microsoft said.

The company said the attacks are ongoing.

The first group, known as Strontium or Fancy Bear, is best known for creating disruption during the 2016 US presidential campaign by stealing files from the Democratic National Committee.

The group, said to be backed by the Russian government, is carrying out login attacks using brute-force and “password spray” techniques.

These methods use large numbers of repeated login attempts and can make use of credentials that may have been reused elsewhere.

A second group, known as Zinc or Lazarus Group, is thought to be affiliated with the North Korean government and has been accused of launching a high-profile attack on Sony Pictures in 2014, the 2017 WannaCry malware attack and the theft of $81 million (£61.5m) from the national bank of Bangladesh, among other high-profile incidents.

Lazarus Group has mainly employed spear phishing attacks, sending malicious messages that pose as recruitment offers and attempt to steal login data, Microsoft said.

Healthcare risk

A third North Korean group, which Microsoft refers to as Cerium, has also carried out targeted phishing attacks posing as messages from the World Health Organisation.

Microsoft said most of the attacks had been blocked, but acknowledged that some had been successful.

In July the UK’s NCSC cyber-security agency said that Russian hackers were targeting vaccine research, including efforts being carried out in Oxford.

At the time Russia denied carrying out such attacks, and the Russian embassy to the US told Reuters it had nothing to add.

North Korea’s representative to the United Nations has not yet responded to messages requesting comment.

Microsoft called on governments not to target healthcare organisations.