Pyongyang hackers eye more coronavirus research, Kaspersky says
North Korean-government linked hackers are continuing their effort to break into entities working on coronavirus-related research.
In their latest antics, the hackers, suspected to be part of the government-backed hacking team known as Lazarus Group, have zeroed in on a pharmaceutical company and a government health-focused entity, according to Kaspersky research published Wednesday. Kaspersky attribute the hacking spree to Lazarus Group with “high confidence.”
Kaspersky did not identify the targeted entities and did not reveal where the pharmaceutical company or the government entity are located.
The activity appears to be just the latest of Pyongyang’s campaigns targeting coronavirus-related work. In recent months, North Korean hackers have reportedly gone after Johnson & Johnson and Novavax, both U.S.-based firms working on potential coronavirus vaccines. North Korean hackers have also reportedly targeted three South Korean-based firms and U.K.-based AstraZeneca.
The hackers used malware known as “Bookcode” to target the unidentified pharmaceutical entity in their latest hacking spree, according to Kaspersky. Bookcode is used exclusively by Lazarus Group, according to previous Kaspersky research. This campaign, which Lazarus Group launched in late September, enabled the hackers to run some post-exploitation code against the target. The malware is also capable of sharing victims’ passwords with the hackers.
Kaspersky notes that the targeted entity is authorized to produce and distribute a coronavirus vaccine. Pfizer and BioNTech’s vaccine is currently approved under emergency protocol for distribution in the U.S., as well as in Canada, the U.K. and the European Union. Moderna’s vaccine has also been approved under emergency conditions for distribution in the U.S. There are also vaccines available for distribution in China and Russia.
In a separate campaign targeting the unidentified health ministry, which Kaspersky researchers say took place in October, the hackers installed malware called wAgent on two Windows servers. The hackers were able to use wAgent to retrieve other malicious payloads from an attacker-controlled server, the researchers said.
Early on in the pandemic, hackers began targeted government agencies working on COVID-19 response. In March, for instance, apparent hackers began scanning the networks of the U.S. Department of Health and Human Services at an increasing rate in what appeared to be a failed denial-of-service attack.
More recently, the European Medicines Agency, which has been working on rolling out vaccines from Pfizer-BioNTech and Moderna, said this month it had been targeted by hackers.
North Korea’s interest in COVID-19 response and research is not unique — hackers around the globe, including hackers linked with the Chinese and Russian governments, have been targeting coronavirus-related research and entities, according to government analysts.
The FBI has said that its primary concern with hackers targeting coronavirus-related work is if they are successful in causing any sort of disruption that could reduce the efficacy or safety of vaccines.