[German] Microsoft has made public the discovery of three state-sponsored hacker groups (APTs) from North Korea and Russia. The three groups are responsible for attacks on at least seven companies developing a COVID-19 vaccine or treatments. The groups are Russia's Strontium (Fancy Bear) and North Korea's Zinc (Lazarus Group) and Cerium.
The world is currently facing two major threats. One is the coronavirus pandemic, which has people and the economy firmly in its grip. The other is the wave of cyber attacks that has increasingly threatened the IT landscape in 2020. Cyber criminals are on a digital rampage, and state-sponsored hacker groups are busy disrupting society. Particularly worrying are the attacks on the healthcare system: ransomware attacks on hospitals, and cyber attacks used to disrupt healthcare organizations that are fighting the pandemic. These attacks are unscrupulous and should be condemned by all civilized society.
Microsoft is therefore going public with new evidence on the cyber attacks by government-sponsored hacker groups (APTs) that have targeted at least seven companies developing a COVID-19 vaccine or treatments. Microsoft disclosed the details on November 13, 2020 in the blog post Cyberattacks targeting health care must stop.
Attacks of the last months
In recent months, Microsoft security experts have discovered cyber attacks by three nation-state actors targeting seven prominent companies directly involved in researching vaccines and therapies for Covid-19. The targets include leading pharmaceutical companies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came from Strontium, a hacker group originating from Russia, and from two actors originating from North Korea, which Microsoft calls Zinc and Cerium.
Targets: Vaccine manufacturers and test providers for Covid-19
Among the targets are most of the vaccine manufacturers that have Covid-19 vaccines in various phases of clinical trials. One is a clinical research organization involved in trials and the other has developed a Covid-19 test. Several target organizations have contracts with or investments from government agencies in various democratic countries for work related to Covid-19.
Methods of attack disclosed
The Russian Strontium group continues to use password spraying and brute-force logon attempts to steal credentials. These are attacks that rely on thousands or millions of rapid logon attempts to obtain valid user account credentials.
The North Korean Zinc hacker group primarily uses spear-phishing lures to steal credentials, sending messages with fabricated job descriptions that purport to come from a headhunter. Cerium used spear-phishing email lures with Covid-19 themes, claiming to be sent by representatives of the World Health Organization.
Most of these attacks were blocked by the security protections built into Microsoft products. Microsoft's security team has notified all affected organizations, and where attacks were successful, Microsoft security staff have offered help.
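The two credential-theft patterns named above leave different footprints in authentication logs: a spray touches many accounts with few attempts each, while brute force hammers one account. The following detection logic is an added example for this post (not code from Microsoft or the blog author); the log format and the sample entries are constructed, and the thresholds are assumptions a defender would tune.

```python
"""Classify failed-logon bursts per source as password spray or brute force."""
from collections import defaultdict

# Constructed sample log, format: timestamp user result source_ip.
# 203.0.113.10 sprays one guess across many accounts and hits one,
# 198.51.100.7 brute-forces a single account, 192.0.2.55 is a normal user.
SAMPLE_LOG = """\
2020-11-13T08:00:01 alice FAIL 203.0.113.10
2020-11-13T08:00:02 bob FAIL 203.0.113.10
2020-11-13T08:00:03 carol FAIL 203.0.113.10
2020-11-13T08:00:04 dave FAIL 203.0.113.10
2020-11-13T08:00:05 erin FAIL 203.0.113.10
2020-11-13T08:00:06 frank SUCCESS 203.0.113.10
2020-11-13T08:01:00 admin FAIL 198.51.100.7
2020-11-13T08:01:01 admin FAIL 198.51.100.7
2020-11-13T08:01:02 admin FAIL 198.51.100.7
2020-11-13T08:01:03 admin FAIL 198.51.100.7
2020-11-13T08:01:04 admin FAIL 198.51.100.7
2020-11-13T08:02:00 alice SUCCESS 192.0.2.55
2020-11-13T08:02:30 alice FAIL 192.0.2.55
"""

def parse(log_text):
    """Parse the constructed log lines into (user, result, source_ip) tuples."""
    events = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash the detector
        _ts, user, result, ip = parts
        events.append((user, result, ip))
    return events

def classify(events, fail_threshold=5, spray_ratio=0.8):
    """Return {source_ip: verdict} for sources with >= fail_threshold failures.
    Spray: nearly every failure is a different account (distinct/total >= ratio).
    Brute force: failures concentrate on one or a few accounts."""
    failures = defaultdict(list)  # source_ip -> users with a failed logon
    for user, result, ip in events:
        if result == "FAIL":
            failures[ip].append(user)
    verdicts = {}
    for ip, users in failures.items():
        if len(users) < fail_threshold:
            continue  # below threshold: ordinary typos, not an attack burst
        ratio = len(set(users)) / len(users)
        verdicts[ip] = "password_spray" if ratio >= spray_ratio else "brute_force"
    return verdicts

def compromised_after_spray(events, verdicts):
    """Accounts that logged on successfully from a source flagged as spraying,
    i.e. the accounts an incident responder must reset first."""
    return sorted({user for user, result, ip in events
                   if result == "SUCCESS" and verdicts.get(ip) == "password_spray"})
```

A single account-lockout policy does not stop the spray case, since each account sees only one failure; per-source rate limiting and MFA do.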
Governments need to act
I had reported here in the blog about numerous attacks on the health sector – and there are first investigations by the public prosecutor's office because of a death (see Ransomware attack in German hospital ends deadly for a women – blame Shitrix vulnerabil). There was also the German blog post Ransomware-Infektionen mit Datenlecks: Stoppt den Wahnsinn, in which I discussed new approaches to contain the IT security pandemic. The US Department of Justice is trying to put a stop to ransomware, at least by prohibiting payments (see Empfehlungen des US-Finanzministeriums zu Ransomware-Forderungen).
At the Paris Peace Forum, Microsoft manager Brad Smith called on the governments of the world to do more. Microsoft calls on world leaders to reaffirm that international law protects healthcare institutions and to take action to enforce the law.
Microsoft believes that the law should not only be enforced when attacks are launched by government agencies. It also believes that the instruments of international law should be applied when the attacks originate from criminal groups that governments enable, or even facilitate, to operate in this area (espionage, data theft, health care disruption). This is criminal activity that cannot be tolerated. Details can be found at Microsoft; a further summary is available at ZDNet.