Nation State APT Groups Target Organizations Engaged in COVID-19 Research and Vaccine Development

According to Microsoft, Advanced Persistent Threat (APT) groups in North Korea and Russia are directing attacks on companies engaged in COVID-19 research and vaccine development. Three APT groups have targeted six big pharmaceutical companies and a clinical research firm with efforts to get access to research and vaccine information.

Pharmaceutical firms in Canada, India, France, South Korea and the United States are mainly hit by cyberattacks. Three APT groups were identified to be doing the attacks:

  • Russian APT group Strontium (aka Fancy Bear/APT28)
  • Two APT groups connected to North Korea – Cerium and The Lazarus Group (aka Zinc)

In summer 2020, several government agencies also issued warnings about cyberattacks on COVID-19 research companies by the Russian APT group Cozy Bear (aka APT29).

The targeted companies have dealings with or assets from governments to do COVID-19 research and develop vaccines. The majority of the targeted firms have made vaccines that are presently completing clinical trials. One targeted organization has created a COVID-19 test and the clinical research company is engaged in performing COVID-19 vaccine trials. Although Microsoft did not name the attacked companies, Indian pharma companies Lupin and Dr. Reddy’s, and the American biotech company Moderna have reported cyberattacks.

Microsoft mentioned that some attacks succeeded but there is no information on the systems breached or whether the attackers obtained intellectual property or vaccine and research information.

The Russian Strontium group uses brute force strategies to crack passwords of employee accounts. The Lazarus group use spear-phishing emails to get employees to key in passwords. The Lazarus group also poses as recruiters and sends bogus job descriptions. The North Korean hacking group Cerium uses phishing emails to get employee credentials access. It has been impersonating the World Health Organization (WHO) in their campaigns.

The intention behind the cyberattacks is obviously data theft. Research and vaccine data are potentially worth billions of dollars. The attacks to date do not seem to have the intention of hampering research efforts or vaccine development. But there are a lot of cybercriminal groups that are doing harmful cyberattacks.

In recent months, healthcare companies have experienced a lot of financially driven cyberattacks using ransomware. HHS, CISA, and the FBI issued a joint advisory recently because of a surge in Ryuk ransomware attacks on healthcare companies in the U.S. Healthcare organizations in France, Germany, Spain, Thailand, and the Czech Republic have also been attacked by Ryuk and other ransomware groups. A patient died because of a ransomware attack on a hospital in Germany. A number of attacks in the United States led to serious disruption and have compelled hospitals to cancel elective surgeries and bring patients to other healthcare facilities.

Many industry groups are giving support to healthcare organizations. For instance, the Health Sector Coordinating Council and Health-ISAC are giving indicators of compromise (IoCs) and comprehensive data on recent attacks to assist organizations in fortifying their defenses against cyberattacks and keep their networks and information secure.

Microsoft is very active in helping to prevent attacks and recently took part in the Paris Peace Forum. The forum is a multi-stakeholder coalition that is working to fight attacks, particularly to prevent attacks on critical infrastructure from being successful. Before the Paris Peace Forum, more than 65 healthcare companies participated in the Paris Call for Trust and Security in Cyberspace. The Paris Call is the biggest multi-stakeholder coalition to date that examines cybersecurity problems experienced by the healthcare sector.

Microsoft is appealing to world leaders to assert that international law safeguards healthcare companies and to do something to implement the law. The law must be enforced whether the attacks start from government agencies or from criminal groups within their borders. This criminal activity should not be tolerated.

About Christine Garcia 1310 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at