State-backed actors from Russia and North Korea have launched cyber attacks against at least seven companies researching COVID-19 vaccines and treatments in India, USA, Canada, France and South Korea, Microsoft announced on November 13. Of these companies, one is a clinical research organisation involved in trials while another has developed a COVID-19 test. A number of targets have government contracts or investments for COVID-19 related work, Microsoft said.
We have reached out to Microsoft to know which Indian companies were targeted.
Who is behind the attack? Three nation-state actors — one from Russia (Strontium, also known as Fancy Bear, APT 28, Pawn Storm) and two from North Korea (Zinc, also known as Lazarus and Hidden Group; and Cerium).
The modus operandi: As per Microsoft, the three advanced persistent threat (APT) groups used different ways to target companies:
- Strontium used password spray (trying common passwords against many accounts) and brute force (trying many passwords against one account) login attempts to steal credentials.
- Zinc used spearphishing tactics (luring people with specially crafted emails and messages) to steal credentials. They masqueraded as recruiters and sent fabricated job descriptions.
- Cerium used COVID-19 related themes in its spearphishing emails and donned the guise of the World Health Organisation (WHO).
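A defender-side illustration of the two Strontium techniques listed above, added here and not part of Microsoft's report or this article: a small Python detector reads constructed authentication log lines (the log format and the thresholds are assumptions) and flags one source making a few guesses against many accounts (password spray) as distinct from one source making many guesses against a single account (brute force).

```python
import re
from collections import defaultdict

# Constructed sample auth log (not real data): one source guessing once against
# many accounts, one source guessing repeatedly against a single account.
SAMPLE_LOG = """\
2020-11-10T08:00:01Z FAIL src=203.0.113.5 user=alice
2020-11-10T08:00:02Z FAIL src=203.0.113.5 user=bob
2020-11-10T08:00:03Z FAIL src=203.0.113.5 user=carol
2020-11-10T08:00:04Z FAIL src=203.0.113.5 user=dave
2020-11-10T08:00:05Z FAIL src=203.0.113.5 user=erin
2020-11-10T08:01:00Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:01:01Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:01:02Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:01:03Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:01:04Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:01:05Z FAIL src=198.51.100.9 user=admin
2020-11-10T08:02:00Z FAIL src=192.0.2.20 user=alice
2020-11-10T08:02:09Z OK src=192.0.2.20 user=alice
"""
# Assumed log format: "<timestamp> <OK|FAIL> src=<ip> user=<name>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) src=(?P<src>\S+) user=(?P<user>\S+)$")
SPRAY_MIN_USERS = 5      # one source failing against at least this many accounts...
SPRAY_MAX_PER_USER = 2   # ...with only a couple of guesses each (stays under lockout)
BRUTE_MIN_ATTEMPTS = 6   # one source hammering a single account

def parse(log_text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    return [m.groupdict() for line in log_text.splitlines()
            if (m := LINE_RE.match(line.strip()))]

def classify(events):
    """Group failed logins per source and flag spray / brute-force patterns."""
    failures = defaultdict(lambda: defaultdict(int))   # failures[src][user] = count
    for e in events:
        if e["result"] == "FAIL":
            failures[e["src"]][e["user"]] += 1
    findings = []
    for src, per_user in failures.items():
        for user, n in per_user.items():
            if n >= BRUTE_MIN_ATTEMPTS:
                findings.append(("brute_force", src, user, n))
        sprayed = [u for u, n in per_user.items() if n <= SPRAY_MAX_PER_USER]
        if len(sprayed) >= SPRAY_MIN_USERS:
            findings.append(("password_spray", src, "*", len(sprayed)))
    return sorted(findings)

if __name__ == "__main__":
    for kind, src, user, n in classify(parse(SAMPLE_LOG)):
        print(f"{kind}: src={src} user={user} count={n}")
```

The single failure from 192.0.2.20 followed by a success is left alone, which is the point of keeping per-account and per-source thresholds separate: a mistyped password should not look like either attack.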
Dr Reddy, Lupin targeted by cyber attackers in the past
- On October 22, Dr Reddy’s Laboratories disclosed that it was the victim of a cyber attack, which it later revealed to be a ransomware attack. The disclosure came five days after the pharmaceutical company had announced that it, along with Russia’s sovereign wealth fund Russian Direct Investment (RDIF), had received approval from the Drugs Controller General of India (DGCI) to conduct a phase 2/3 human clinical trial of the Sputnik V vaccine in India. As part of a September 2020 partnership, RDIF will supply 100 million doses of the vaccine to Dr Reddy upon regulatory approval in India.
- A fortnight after the Dr Reddy incident, Mumbai-based pharma company Lupin Limited also confirmed an “information security incident” that had affected its IT systems. In August, the company had launched a drug, called Favipiravir, to treat patients with mild to moderate COVID-19 symptoms in India.
It’s not just Indian companies that have been targeted. Hackers linked to the Chinese government also targeted the American biotech company Moderna Inc., which has been working on developing a COVID-19 vaccine. As per Reuters, China has rejected this accusation. In July 2020, the US Department of Justice had charged two Chinese hackers who, among other things, targeted companies developing COVID-19 vaccines, tests and treatments.
Lazarus Group sounds familiar
Lazarus Group from North Korea has been suspected to be behind a number of cyber attacks in India.
- In June 2020, the Indian Computer Emergency Response Team (CERT-In) had warned about a large-scale phishing campaign against Indian citizens and businesses under the pretext of dispensing government funds for COVID-19 related initiatives. CERT-In’s resources suggested that Lazarus was behind the attack.
- As per a Kaspersky report from September 2019, Lazarus had created a spyware called Dtrack that Kaspersky had discovered in Indian ATMs in 2018 and was used to steal customer data.
- The malware that infected Kudankulam Nuclear Power Plant’s external network in September 2019 had similar strains to Dtrack. Dtrack also had similarities with another campaign — DarkSeoul — in 2013 that targeted three television stations and a bank in South Korea, along with ATMs and mobile payments in the country.