
The Usual Suspects: Which Nation-States are trying to Hack COVID Vaccine Development?


It will come as no surprise to readers who follow our regular series on Advanced Persistent Threats (APTs), but it seems that COVID-19 vaccines have become a target for state-sponsored cyberattacks. Specifically, according to the official Microsoft blog earlier this month, a sophisticated attempt to steal data and disrupt development is being led by Russia’s APT28 (Fancy Bear), the Lazarus Group from North Korea, and another North Korea-linked group now being called Cerium.

It was only a matter of time, of course, before news of this type emerged. We’ve seen an increase in suspicious domain names mentioning COVID-19, as well as hackers leveraging panic about the virus for most of the past year. The fact that APTs are now being identified in relation to the vaccine, however, raises uncomfortable questions about how prepared healthcare companies are to meet these threats.

In this article, we’ll look at the recently identified threats, explain who is behind them, and then ponder a bit what this means for the future of cybersecurity in the healthcare sector.

The Vaccine Threat Landscape

The APTs that have been identified in the last few months have largely been focused on breaking into the systems of vaccine manufacturers, though at least one clinical research organization has also been affected, and one company that has developed a COVID-19 test. Organizations across the world have seen similar attacks, with companies in Canada, France, India, South Korea, and the United States all reporting attacks to Microsoft.

There appears to be a shared mechanism for these attacks—almost all of them have used spear phishing techniques. The Lazarus Group, widely suspected to be operating from North Korea, is sending employees emails that appear to offer lucrative new jobs, but are in fact a credential-theft scheme. Similarly, Cerium (about which we know little at present) has deployed emails that claim to originate with the WHO (World Health Organization). Fancy Bear, with their typical lack of subtlety, are using password-spraying and brute-force attacks directly on clinical systems.
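Password spraying leaves a recognisable shape in authentication logs: one source trying many distinct accounts with only one or two failed attempts each, which is the opposite of classic brute force against a single account. As an added example (not from the Microsoft report or the original post), the following Python scans a constructed, hypothetical log format and flags both shapes so a defender can tell them apart:

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines for this example (not real data).
SAMPLE_LOG = """\
2020-11-16T08:00:01Z src=203.0.113.7 user=alice result=FAIL
2020-11-16T08:00:03Z src=203.0.113.7 user=bob result=FAIL
2020-11-16T08:00:05Z src=203.0.113.7 user=carol result=FAIL
2020-11-16T08:00:07Z src=203.0.113.7 user=dave result=FAIL
2020-11-16T08:00:09Z src=203.0.113.7 user=erin result=FAIL
2020-11-16T08:01:00Z src=198.51.100.9 user=carol result=FAIL
2020-11-16T08:01:01Z src=198.51.100.9 user=carol result=FAIL
2020-11-16T08:01:02Z src=198.51.100.9 user=carol result=FAIL
2020-11-16T08:01:03Z src=198.51.100.9 user=carol result=FAIL
2020-11-16T08:01:04Z src=198.51.100.9 user=carol result=FAIL
2020-11-16T08:02:00Z src=192.0.2.5 user=dave result=FAIL
2020-11-16T08:02:10Z src=192.0.2.5 user=dave result=OK
"""

# Hypothetical log format assumed here: "<timestamp> src=<ip> user=<name> result=<FAIL|OK>".
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")

def failed_logins(log):
    """Yield (src, user) for every failed login in the log text."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m and m.group("result") == "FAIL":
            yield m.group("src"), m.group("user")

def detect_spray(log, min_users=5, max_per_user=2):
    """Password spraying: one source, many distinct users, few attempts each.
    Returns {src: sorted list of targeted users} for sources matching that shape."""
    per_src = defaultdict(lambda: defaultdict(int))
    for src, user in failed_logins(log):
        per_src[src][user] += 1
    return {src: sorted(users) for src, users in per_src.items()
            if len(users) >= min_users and max(users.values()) <= max_per_user}

def detect_bruteforce(log, min_attempts=5):
    """Classic brute force: one source hammering a single account.
    Returns {(src, user): failure count} for pairs at or above the threshold."""
    per_pair = defaultdict(int)
    for src, user in failed_logins(log):
        per_pair[(src, user)] += 1
    return {pair: n for pair, n in per_pair.items() if n >= min_attempts}
```

Calling `detect_spray(SAMPLE_LOG)` flags only 203.0.113.7 (five accounts, one failure each), while `detect_bruteforce(SAMPLE_LOG)` flags only the 198.51.100.9/carol pair; the single mistyped password from 192.0.2.5 trips neither rule.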

The Usual Suspects

The emergence of these attacks is worrying enough, but still more concerning is that some of them appear to have been “successful,” according to Microsoft. What “successful” actually means in this context is still unclear, however—it could mean that attackers were merely able to penetrate corporate systems, or it could mean that they have actively stolen clinical or research data.

Whatever the level of success, the motivation behind these attacks is clear enough. Access to data on how to produce an effective vaccine is worth, to state the obvious, an awful lot of money. For state actors such as Russia and North Korea, however, these recent hacks also achieve a number of other outcomes. Like many of the APTs that have been seen in the past decade, successful hacks of this type are a way of proving the capabilities of both countries, lending a sort of street cred to their operations.

More problematically, it could also be that the existence of successful hacks at all—even if no data has been stolen—undermines public confidence in an eventual vaccine in the West, and therefore prolongs the economic damage already caused by COVID-19.

COVID-19 and the Rise of APTs

There is never a good time for the emergence of a global pandemic, of course, but 2020 may have been the worst time for COVID-19 to arrive. This is because, as several analysts have argued, this particular year has also brought a new confidence when it comes to APTs.

The extent to which this is true can be overstated, of course. APTs have been around for decades, even if we did not call them that: in the early years of this century, Windows PCs were often infected with malware almost as soon as they went online, and some of this was state-sponsored. Nonetheless, it is difficult to imagine the recent run of attacks on research institutes happening a decade ago, when there was an unspoken agreement among state actors that they would be circumspect when it came to cyberwarfare.

Given this context, it’s worth looking again at the list of targets reported by Microsoft—do so, and you’ll notice that they are mostly manufacturers, rather than governmental licensing authorities that also hold data on how to produce vaccines. Among the recent targets have also been the WHO, which found itself in the crosshairs of the DarkHotel APT group, and (according to the US Justice Department) Moderna, the Massachusetts biotech company that has been one of the first two companies to develop a vaccine.

This list of targets suggests one thing: that Russian and North Korean authorities know a soft target when they see one. Rather than try to infiltrate the systems of (well-protected and well-funded) governmental agencies, they have worked out that vaccine manufacturers are nowhere near as well protected. This is particularly true given that many of these companies are based outside the US and Europe, where labor and therefore vaccine production is cheaper.

Up until now, an unspoken agreement would’ve protected these companies from APTs. Since most countries—Russia, Iran, and North Korea included—rely on manufacturers in the developing world, a decade ago it seemed counterproductive to actively attack them. Now, with their confidence buoyed by the perceived intransigence of the Trump administration’s foreign policy, cyberwarfare is entering a period of great expansion. The COVID-19 vaccine might be its first real victim.

The Future

It remains to be seen, of course, whether any of the APTs identified by Microsoft are actually persistent. However, the fact that they have emerged at all indicates that governments will be almost required to put extra resources into protecting the systems of vaccine manufacturers. Not doing so risks not only the technical details of an effective vaccine getting into the wrong hands, but also far more. As we’ve pointed out in our article on what COVID-19 can tell us about the future of disinformation, these attacks could also fatally undermine trust in the efficacy of these vaccines.