Hackers sponsored by Russia and North Korea are targeting COVID-19 researchers
Three nation-state-sponsored groups are targeting organizations throughout the world.
Hackers sponsored by the Russian and North Korean governments have been targeting companies directly involved in researching vaccines and treatments for COVID-19, and in some cases, the attacks have succeeded, Microsoft said on Friday.
In all, there are seven prominent companies that have been targeted, Microsoft Corporate VP for Customer Security & Trust Tom Burt said. They include vaccine-makers with COVID-19 vaccines in various clinical trial stages, a clinical research organization involved in trials, and a developer of a COVID-19 test. Also targeted were organizations with contracts with or investments from governmental agencies around the world for COVID-19-related work. The targets are located in the US, Canada, France, India, and South Korea.
“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law,” Burt wrote in a blog post. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate—or even facilitate—within their borders. This is criminal activity that cannot be tolerated.”
One of the attack groups involved is Strontium, Microsoft’s moniker for hackers sponsored by the Russian government. They are using password spraying and brute force login attacks that bombard servers with large numbers of credentials in the hopes of guessing correct ones. Last year, Microsoft caught Strontium infecting printers and other devices and using them as beachheads to compromise the networks they’re connected to. More recently, Microsoft said Strontium targeted the Trump and Biden campaigns.
Two other groups—dubbed Zinc and Cerium—work on behalf of North Korea’s government. Both are using spear phishing emails, with those from Zinc sent under the names of fabricated job recruiters and those from Cerium masquerading as representatives from the World Health Organization.
“The majority of these attacks were blocked by security protections built into our products,” Burt said of activities from all three groups. “We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered help.”
Friday’s blog post comes two weeks after officials from three US governmental organizations warned that Russian ransomware hackers were targeting hundreds of US hospitals.
Other attacks, Burt said, have targeted hospitals in the Czech Republic, France, Spain, Thailand, and the US. In September, a patient died after a ransomware attack forced her to be rerouted to a remote hospital in Germany.
In April, Microsoft said it was making its AccountGuard threat notification service available to health care and human rights organizations working on COVID-19. So far, 195 organizations have enrolled. Microsoft now protects 1.7 million email accounts for health-care-related groups.