Written by Catalin Cimpanu for Zero Day – November 13th, 2020

Microsoft says it detected three state-sponsored hacking operations (also known as APTs) that have launched cyber-attacks on at least seven prominent companies involved in COVID-19 vaccines research and treatments.

Microsoft traced the attacks back to one threat actor in Russia and two North Korean hacking groups.

Known as Strontium (aka Fancy Bear, APT28), the Russian group has employed password spraying and brute-force login attempts to obtain login credentials, break into victim accounts, and steal sensitive information.

The first North Korean group, known as Zinc (or the Lazarus Group), has primarily relied on spear-phishing email campaigns by sending messages with fabricated job descriptions, pretending to be recruiters, and targeting employees working at the targeted companies.

The second North Korean threat actor, known as Cerium, appears to be a new group. Microsoft says Cerium engaged in spear-phishing attacks with email lures using Covid-19 themes while pretending to be representatives from the World Health Organization.

Microsoft says these attacks targeted vaccine makers that have COVID-19 vaccines in various stages of clinical trials, a clinical research organization involved in trials, and one that developed a COVID-19 test.

The companies were in Canada, France, India, South Korea, and the United States, according to Microsoft.

These attacks represent just the latest in a long line of incidents that have targeted healthcare organizations during one of the most trying times in recent years. While healthcare organizations have been dealing with one of the most widespread pandemics in recent decades, hacking groups have taken advantage of the global crisis to increase their activity, sometimes targeting the organizations that were supposed to help fight this pandemic.

Instead of focusing on providing care to patients, hospitals have had to deal with ransomware attacks — such as those in the US, Germany, the Czech Republic, Spain, or Thailand.

Instead of focusing on researching a vaccine or treatment plan, pharma companies have had to deal with intrusions into their networks — such as Moderna, Dr.Reddy, or Lupin.

Across the summer, several organizations, like the Oxford Institute for Ethics, Law and Armed Conflict, and the CyberPeace Institute, have made calls to the world’s governments to protect healthcare organizations against hackers.

The organizations asked governments to agree on regulation, rules, and principles to prevent attacks from taking place or punish those that take part in targeting the healthcare orgs, citing the universal human rights law as the basis for creating a no-cyber-attack zone around the health sector

Today, Microsoft President Brad Smith, plans to make a similar call to the world’s leaders at the virtual Paris Peace Forum.

“Microsoft is calling on the world’s leaders to affirm that international law protects healthcare facilities and to take action to enforce the law,” said today Tom Burt, Microsoft Vice President for Customer Security & Trust, in a blog post on Microsoft’s website.

“We believe the law should be enforced not just when attacks originate from government agencies but also when they originate from criminal groups that governments enable to operate–or even facilitate –within their borders.”

UPHILL BATTLE

But experts in international politics do not believe these types of calls will ever lead to any progress in establishing international norms prohibiting attacks on healthcare, or any other sector. “In my opinion, there is no chance in hell that these calls and statements will create enough political pressure to force governments around the world to fulfill their due diligence in cyberspace,” Stefan Soesanto, Senior Cyber Defence Researcher at the Center for Security Studies at the Swiss Federal Institute of Technology (ETH) in Zurich, told ZDNet today.

“Most governments actually don’t have the capacity and capability to do so, other government simply don’t care, and probably a fraction of governments actually welcomes this activity when it doesn’t happen within their territory,” Soesanto added. “There is probably also a very strong strategic and tactical incentive to prevent the establishment of a no-cyber-attack zone altogether. Because once it is established in the health sector, then other critical infrastructure sectors will follow. In the end, everything will be normatively deemed untouchable.

“Also, if we look at the state of cybersecurity within the healthcare sector —which is dismay both in the US and Europe—, these normative calls and statements seem to be an attempt to push the problem of IT security onto ransomware groups and APT abroad. (i.e., ‘if they don’t target us than we will be fine’),” Soesanto said. “I think that logic is inherently flawed and even dangerous because then hospitals and research institutes lose all accountability for their own security posture and failures.”