Microsoft warns Russian, North Korean hackers targeting groups researching COVID-19 vaccines

Microsoft warned Friday that the company witnessed efforts by Russian and North Korean hacking groups to target pharmaceutical companies and coronavirus vaccine researchers.

The announcement is part of a wider effort by the company to take action against these attacks. 

“In recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies directly involved in researching vaccines and treatments for Covid-19,” Tom Burt, the corporate vice president of customer security and trust at Microsoft, wrote in a blog post.

“The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States.”

Burt wrote that the three advanced persistent threat groups involved were a Russian group known as “Strontium” and two North Korean groups known as “Zinc” and “Cerium.”

Strontium, also known as “Fancy Bear,” is the same group that hacked into the Democratic National Committee’s networks ahead of the 2016 U.S. presidential election. 

Microsoft warned in September that Russia, China and Iran were targeting the 2020 U.S. elections, and noted that the Strontium hacking group had targeted more than 200 organizations, political campaigns and parties over the past year as part of this effort.

Burt noted that most of the groups targeted by the hacking groups were “vaccine makers that have Covid-19 vaccines in various stages of clinical trials.”

“One is a clinical research organization involved in trials, and one has developed a Covid-19 test,” Burt wrote. “Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work.”

News of the attempted hackings comes as the United States gears up for massive vaccine distribution to combat the coronavirus. Pharmaceutical company Pfizer announced earlier this week that they produced a vaccine that is over 90 percent effective, according to an interim analysis. Moderna said Thursday that trial results for its vaccine are anticipated at the end of November. 

Burt wrote that the Strontium hacking group was using “brute force login attempts” to access credentials for accounts of companies targeted, while the two North Korean hacking groups were mainly relying on malicious phishing emails to target the companies. 

Microsoft has notified all the organizations targeted and offered security assistance to the groups that were victims of successful attacks, though Burt emphasized that “the majority of these attacks were blocked by security protections built into our products.”

Sen. Ben Sasse (R-Neb.), a member of the Senate Intelligence Committee, condemned the hackers behind the attacks on Friday, advocating for the the U.S. government to take action to stop attacks on health care groups. 

“The future of war is no longer solely physical combat – it will also be in cyberspace,” Sasse said in a statement. “We cannot mistake that these cyber-attacks are an act of aggression towards the United States and the greater health of our citizens and economy. These Russian and North Korean actors are attempting to steal American IP and delay vaccine development.”

“The folks in the private sector are doing a great job exposing and combatting these malicious attacks, and our government must find better ways to leverage this kind private sector work and bring our cyber defenses into the future,” he added. 

Microsoft made the announcement as part of an effort to urge the international community to take action against these types of attacks. 

Microsoft President Brad Smith will address the Paris Peace Forum on Friday and call on the international community to take action to protect health care facilities, including through affirming that international law protects them. He will discuss these issues alongside top officials from France, Brazil and Switzerland. 

“We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate – or even facilitate – within their borders,” Burt wrote. “This is criminal activity that cannot be tolerated.”

The health care sector has been one of the main targets of malicious cyber actors since the start of the COVID-19 pandemic, with major organizations including the World Health Organization and hospitals around the world — including a recent spree of attacks in the U.S. — targeted by hackers.

The FBI, the Department of Health and Human Services and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency put out a joint alert last month warning of an “increased and imminent cybercrime threat to U.S. hospitals and healthcare providers.”

Microsoft made its AccountGuard threat notification program free to health care, humanitarian and human rights groups around the world in April as a way to combat escalating cyberattacks during the COVID-19 pandemic.

Burt wrote Friday that 195 organizations had enrolled in the program since April, with 1.7 million email accounts now protected by Microsoft. 

“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for Covid-19, it is essential for world leaders to unite around the security of our health care institutions and enforce the law against cyberattacks targeting those who endeavor to help us all,” Burt wrote. 

-Updated at 1:05 p.m.