Microsoft says hackers backed by Russia and North Korea targeted COVID-19 vaccine makers

ANKARA, TURKEY – OCTOBER 27: A health care worker holds an injection syringe of the phase 3 vaccine trial, developed against the novel coronavirus (COVID-19) pandemic by the U.S. Pfizer and German BioNTech company, at the Ankara University Ibni Sina Hospital in Ankara, Turkey on October 27, 2020. This vaccine candidate, within the scope of phase 3 studies, was injected to volunteers in Ankara University Ibni Sina Hospital. (Photo by Dogukan Keskinkilic/Anadolu Agency via Getty Images)

Microsoft has revealed that hackers backed by Russia and North Korea have targeted pharmaceutical companies involved in the COVID-19 vaccine development efforts.

The technology giant said Friday that the attacks targeted seven companies in the U.S., Canada, France, India, and South Korea. But while it blocked the “majority” of the attacks, Microsoft acknowledged that some were successful.

Microsoft said it had notified the affected companies, but declined to name them.

“We think these attacks are unconscionable and should be condemned by all civilized society,” said Tom Burt, Microsoft’s customer security and trust chief, in a blog post.

The technology giant blamed the attacks on three distinct hacker groups. The Russian group, which Microsoft calls Strontium but is better known as APT28 or Fancy Bear, used password spraying attacks to target their victims, which often involves recycled or reused passwords. Fancy Bear may be best known for its disinformation and hacking operations in the run-up to the 2016 presidential election, but the group has also been blamed for a string of other high-profile attacks against media outlets and businesses.

The other two groups are backed by the North Korean regime, one of which Microsoft calls Zinc but is better known as the Lazarus Group, which used targeted spearphishing emails disguised as recruiters in an effort to steal passwords from their victims. Lazarus was blamed for the Sony hack in 2016 and the WannaCry ransomware attack in 2017, as well as other malware-driven attacks.

But little is known about the other North Korea-backed hacker group, which Microsoft calls Cerium. Microsoft said the group also used targeted spearphishing emails masquerading as representatives from the World Health Organization, charged with coordinating the effort to combat the COVID-19 pandemic.

A Microsoft spokesperson acknowledged it was the first time the company had referenced Cerium, but the company did not offer more.

This is the latest effort by hackers trying to exploit the COVID-19 pandemic for their own goals. Earlier this year, the FBI and Homeland Security warned that hackers would try to steal coronavirus vaccine research.

Today’s news coincides with the Paris Peace Forum, where Microsoft president Brad Smith will urge governments to do more to combat cyberattacks against the healthcare sector, particularly during the pandemic.

“Microsoft is calling on the world’s leaders to affirm that international law protects health care facilities and to take action to enforce the law,” Burt said. “We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate — or even facilitate — within their borders.”