As if attempting to steal hard-won research wasn’t bad enough, hackers are now hitting people where it really hurts – with e-documents containing malicious code embedded in false offers of employment.
AstraZeneca was a recent victim of a cyber attack where the actors sought to steal COVID-19 research, Reuters reported, citing two people familiar with the matter. The attack was thought to be at the hands of hackers from Pyongyang, North Korea, posing as recruiters on LinkedIn and WhatsApp.
The e-documents were designed to gain access to the target employee’s computer. According to one of the individuals, the hackers were targeting a “broad set of people”, including those working on COVID-19 research.
AstraZeneca is hardly alone, as the Wall Street Journal reported yesterday that at least six pharmaceutical companies working on vaccines and therapeutics for COVID-19 were targeted. According to people familiar with the matter, the actors are suspected to be from a well-known hacking unit previously referred to by the U.S. government as “Kimsuky.”
According to the same sources, the hackers’ hit list included U.S.-based companies Johnson & Johnson and Novavax, along with three South Korean companies with COVID-19 therapies in earlier stage development: Genexine Inc., Shin Poong Pharmaceutical Co. and Celltrion Healthcare – whose website currently opens up to a warning about employment scams.
Novavax is “closely monitoring developments and continually in touch with and working with the appropriate government agencies and commercial cybersecurity experts to address any developments and threats that may emerge,” the company said in a statement, adding, “we are confident we can continue to progress with our COVID-19 vaccine candidate without disruption and that these incursions do not pose a risk to the integrity of our data.”
Novavax is moving closer to the finish line, announcing on November 30th that the full enrollment of two of its three planned late-stage trials of its experimental COVID-19 vaccine, NVX-CoV2373, which targets the SARS-CoV-2 coronavirus spike (S) protein.
In a statement to BioSpace, Celltrion confirmed “that it has recently identified and successfully blocked a number of hacking attempts.”
AstraZeneca did not respond to BioSpace’s request for comment.
The WSJ sources said that the attacks contained digital fingerprints, such as the use of the same IP addresses, that had previously been used in other North Korean campaigns against the U.S. State Department and South Korea’s unification ministry.
The same sources said that for the COVID-19-related attacks, Kimsuky operatives attempted to lure in victims with phishing tactics, posing as colleagues or trustworthy acquaintances by creating fake email accounts. Then, using a similar tactic to the one allegedly used in the AstraZeneca attack, they would send messages with benign-looking attachments or links. The desired end result was that the target would click on the attachment, thus allowing the phisher access to their computers, IDs and passwords.
According to the U.S. government, Kimsuky has been focused on stealing national security intelligence from U.S., Japanese and South Korean entities since at least 2012. With the heightened interest in the aforementioned companies due to the COVID-19 fight, their focus appears to have shifted.
AstraZeneca is not alone in being targeted by hackers posing as recruiters, as Microsoft said that in the month of November, it had seen two North Korean hacking groups target vaccine developers in multiple countries, including by “sending messages with fabricated job descriptions.”
On December 1st, the state department said, “it is vital for governments, network defenders, and the public to stay vigilant and to work together to mitigate the cyber threat posed by North Korea.”
You would be forgiven for thinking that in our current global situation, the hacking group would be going after this coveted intellectual property in an attempt to secure a vaccine for North Korea.
Robert Potter, co-founder of cybersecurity technology company, 2.0 in Canberra, Australia, and Subject Matter Expert for the U.S. Department of State on North Korean cyber capabilities, told BioSpace that this is not likely the case as the companies listed above have been targets of Democratic People’s Republic of Korea (D.P.R.K.) cyber attacks for “some years.” He added that they also lack the infrastructure to use the information directly.
“We tend to see most of North Korea’s cyber activity is around the generation of foreign currency. Most of what we see them targeting are things that they can use for this purpose, not necessarily using the secrets themselves, or developing them. They don’t have very large levers in their economy for the development of large scale medical research and things like that, but they can sell them,” Potter said.
“It may not be the case that they’re specifically targeting COVID-19 research. But it is the case that companies that are engaged in developing COVID-19 vaccines have been long-standing targets of the North Korean hacking capability,” he added.
Potter also said that the pharmaceutical industry appears to be fending off the attacks quite well as the hackers do not appear to have been successful thus far:
“It seems like they’re doing a reasonably good job protecting themselves. They’re detecting the IP addresses. A number of these labs are targeted, but I’m not hearing any reports of them successfully getting anything. There is a kind of longstanding campaign, yes, but they don’t look like they’ve been super successful in actually getting a hold of intellectual property in these attacks.”
In terms of what AstraZeneca, Novavax, and their peers should be on the lookout for next from the group, Potter stated that “they seem to be trending increasingly toward cryptocurrency exchanges because they’re making quite a bit of money out of it.”