Kaspersky has confirmed that the Lazarus Advanced Persistent Threat (APT) group conducted two cyberattacks on entities involved in COVID-19 vaccine research. The cyberattacks occurred in the fall of 2020, with the APT group using different tactics, techniques, and procedures (TTPs) in each of the attacks.
One attack was performed on October 27, 2020 against a government health ministry using sophisticated malware known to Kaspersky as wAgent. The second attack, on a pharmaceutical company on September 25, saw Bookcode malware deployed. While the TTPs differed between the two attacks, both malware variants are connected to the Lazarus group and there were similarities in the post-exploitation process. The infection scheme used to deliver wAgent was the same one observed in previous Lazarus group cyberattacks on cryptocurrency businesses, and Kaspersky had previously concluded that Bookcode malware is used exclusively by the Lazarus group.
The attack on the government health ministry saw two Windows servers compromised, but the researchers were unable to identify the initial infection vector. The initial attack vector in the pharmaceutical company cyberattack could not be confirmed either; however, the Lazarus group had previously attacked a South Korean software company, and the researchers suspect the hackers may have compromised that company's source code for use in a supply chain attack. Lazarus hackers have also previously delivered Bookcode malware via spear phishing campaigns and strategic website compromise.
While the wAgent and Bookcode malware variants do not share much code, they have similar functionality and act as fully featured, persistent backdoors that give the operators full control of infected devices.
The Lazarus Group is believed to be a North Korean state-sponsored hacking organization. The group has conducted many cyberattacks over the past decade and is believed to be behind the cyberattack on Sony Pictures in 2014 and the WannaCry ransomware attacks in 2017. Attacks are performed for financial gain and to achieve the political goals of the North Korean regime. The goal of these attacks appears to be to steal COVID-19 vaccine data to advance COVID-19 vaccine development in North Korea.
Kaspersky has warned all organizations involved in COVID-19 research or vaccine development to be on high alert for cyberattacks, as research and vaccine data is being sought by many APT groups.