
Nation-State Hacking Campaigns Targeting COVID-19 Research Firms

Microsoft has observed several hacking campaigns led by nation-state actors with ties to Russia and North Korea, actively targeting COVID-19 research, including firms developing vaccines.

COVID-19 vaccine developers and research firms are again facing targeted cyberattacks, with an ongoing campaign led by nation-state hackers with ties to North Korea and Russia, according to Microsoft.

Researchers have observed nation-state threat actors targeting seven firms leading COVID-19 vaccine and treatment research, including pharmaceutical companies and researchers in the US, Canada, France, India, and South Korea.

The campaigns are led by the Russian hacking group known as Strontium and by two North Korean groups, Zinc and Cerium.

Cybercriminals have ramped up their malicious attacks throughout the pandemic, from phishing attacks and fraud schemes tied to the coronavirus, to nation-state attacks on coronavirus research and human-operated ransomware attacks on the healthcare sector.

Most recently, a joint alert from the FBI and the Departments of Health and Human Services and Homeland Security warned of a wave of ransomware attacks on healthcare entities, which has already claimed at least a dozen victims.

The latest hacking campaign is primarily focused on COVID-19 vaccine manufacturers in various stages of clinical trials, including one clinical research foundation involved in clinical trials and one firm that developed a COVID-19 test, Tom Burt, Microsoft’s corporate vice president, customer security and trust, explained in a blog post.

Several targeted organizations are contracted with or have investments from the government to work on research tied to the virus.

The Russian-backed Strontium attacks leverage brute-force login or password-spray attacks, which are designed to break into users' accounts through thousands or millions of rapid login attempts.
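The two techniques named above leave different traces in sign-in logs: a brute-force attack hammers one account with many guesses, while a password spray tries one or two guesses against many accounts so that no single account trips a lockout. The following added example, which is not code from the article or from Microsoft, shows how a defender can tell the two apart in sign-in telemetry. The log format, the IP addresses (documentation ranges) and the account names are all constructed for the example; real identity providers export richer records, but the same grouping and windowing logic applies.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (timestamp, source IP, account, result);
# the addresses are documentation ranges and the names are made up.
SAMPLE_LOG_LINES = [
    # one source, one guess per account, across many accounts: the spray pattern
    "2020-11-13T08:00:01Z 203.0.113.7 alice FAIL",
    "2020-11-13T08:00:03Z 203.0.113.7 bob FAIL",
    "2020-11-13T08:00:05Z 203.0.113.7 carol FAIL",
    "2020-11-13T08:00:07Z 203.0.113.7 dave FAIL",
    "2020-11-13T08:00:09Z 203.0.113.7 erin FAIL",
    "2020-11-13T08:00:11Z 203.0.113.7 frank FAIL",
    "2020-11-13T08:00:13Z 203.0.113.7 grace OK",
] + [
    # one source, one account, many guesses: the brute-force pattern
    f"2020-11-13T08:05:{s:02d}Z 198.51.100.9 alice FAIL" for s in range(0, 24, 2)
] + [
    # an ordinary successful sign-in that should not be flagged
    "2020-11-13T09:00:00Z 192.0.2.5 alice OK",
]


def parse_line(line):
    """Split one record into (datetime, ip, user, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user, result == "OK"


def _peak_in_window(events, window, metric):
    """events: list of (ts, payload) sorted by ts. Slide a window over them and
    return the largest metric(slice) seen in any span no longer than window."""
    best, j = 0, 0
    for i in range(len(events)):
        while j < len(events) and events[j][0] - events[i][0] <= window:
            j += 1
        best = max(best, metric(events[i:j]))
    return best


def detect_password_spray(lines, window=timedelta(minutes=10), min_users=5):
    """Spray signature: one source failing against many *different* accounts.
    Returns {ip: distinct_failed_accounts} for sources over the threshold."""
    failures = defaultdict(list)
    for ts, ip, user, ok in map(parse_line, lines):
        if not ok:
            failures[ip].append((ts, user))
    hits = {}
    for ip, events in failures.items():
        events.sort(key=lambda e: e[0])
        peak = _peak_in_window(events, window, lambda s: len({u for _, u in s}))
        if peak >= min_users:
            hits[ip] = peak
    return hits


def detect_brute_force(lines, window=timedelta(minutes=10), min_failures=10):
    """Brute-force signature: one source hammering a *single* account.
    Returns {(ip, user): failure_count} for pairs over the threshold."""
    failures = defaultdict(list)
    for ts, ip, user, ok in map(parse_line, lines):
        if not ok:
            failures[(ip, user)].append((ts, None))
    hits = {}
    for key, events in failures.items():
        events.sort(key=lambda e: e[0])
        peak = _peak_in_window(events, window, len)
        if peak >= min_failures:
            hits[key] = peak
    return hits


def successes_after_spray(lines, **kwargs):
    """Accounts that accepted a login from a source already flagged as spraying;
    an incident responder resets and reviews these first."""
    spraying = detect_password_spray(lines, **kwargs)
    return sorted({(ip, user) for _, ip, user, ok in map(parse_line, lines)
                   if ok and ip in spraying})


if __name__ == "__main__":
    print("spray sources:", detect_password_spray(SAMPLE_LOG_LINES))
    print("brute force  :", detect_brute_force(SAMPLE_LOG_LINES))
    print("review first :", successes_after_spray(SAMPLE_LOG_LINES))
```

The thresholds (five distinct accounts or ten failures within ten minutes) are illustrative starting points; the useful property is that the spray detector keys on the source rather than the account, so a per-account lockout policy that never fires during a spray does not blind the defender. A success from a flagged source is the event worth paging on, because it marks the one account whose password the guess matched.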

Meanwhile, Zinc primarily uses spear-phishing lures masked as fabricated job descriptions sent from recruiters in an effort to steal credentials. The other North Korean-tied campaign, Cerium, also focuses on spear-phishing emails that use COVID-19 themes purportedly sent from fake World Health Organization representatives.

Microsoft was able to block the majority of the attempts, and officials said they’ve contacted all targeted organizations. Further, the tech giant offered assistance to firms that were successfully attacked.

“Two global issues will help shape people’s memories of this time in history – Covid-19 and the increased use of the internet by malign actors to disrupt society,” Burt explained. “It’s disturbing that these challenges have now merged as cyberattacks are being used to disrupt healthcare organizations fighting the pandemic.”

“We think these attacks are unconscionable and should be condemned by all civilized society,” he added. “Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law… This is criminal activity that cannot be tolerated.”

Microsoft is currently participating in the Paris Peace Forum, a multi-stakeholder coalition designed to put an end to these types of attacks. Its first goal is to prevent malicious cyber activity targeting critical infrastructure and, with it, the safety of global citizens.

More than 65 global healthcare organizations have joined the Paris Call for Trust and Security in Cyberspace, including Merck, a pharmaceutical firm working on COVID-19 vaccines.

Healthcare organizations should heed the joint federal warning and immediately focus on shoring up known vulnerabilities, as these are not hypothetical attacks.

Entities should ensure they have a practiced business continuity plan in place to minimize service disruptions, while evaluating continuity and capability to identify security risks. Organizations must also review or establish patch management plans, security policies, and user agreements.

Officials have repeatedly warned against paying ransom demands for many reasons, with Coveware research finding several hacking groups publicly doxing victims even after the ransom has been paid.

Email-based threats also continue to be a common foothold leveraged by attackers, alongside social engineering and exposed open ports, as security researchers from Cofense, Proofpoint, and Mimecast recently explained to HealthITSecurity.com.

As such, covered entities must improve patch management processes and monitor for indicators of compromise, while ensuring the workforce is aware of these threats and knows how to report suspicious activity to administrators.
