The North Korea-linked threat actor known as Lazarus was recently observed launching cyberattacks against two entities involved in COVID-19 research.
Active since at least 2009 and believed to be backed by the North Korean government, Lazarus is said to have orchestrated some high-profile attacks, including the WannaCry outbreak. Last year, the group was observed mainly targeting cryptocurrency exchanges and expanding its toolset.
New Lazarus attacks in September and October 2020, Kaspersky reveals, targeted a Ministry of Health and a pharmaceutical company authorized to produce and distribute COVID-19 vaccines, revealing Lazarus’ interest in COVID-19 research.
In September, the hackers targeted a pharmaceutical company with the BookCode malware, which Kaspersky had previously attributed to the group. In late October, Lazarus targeted a Ministry of Health body with the wAgent malware, which had previously been used against cryptocurrency businesses.
Both pieces of malware were designed to function as full-featured backdoors, providing operators with full control over the infected machines. Different tactics, techniques and procedures (TTPs) were used in each attack, but Kaspersky is highly confident that Lazarus was behind both incidents.
Using wAgent, the attackers executed various shell commands to gather information from the victim machine. On two Windows servers, an additional payload carrying a persistence mechanism was deployed first, and the full-featured backdoor followed.
The BookCode backdoor was used to gather system and network information from the victim environment, along with a dump of the registry SAM hive, which holds local account password hashes. The adversary also attempted to collect information on other machines on the network, likely in preparation for lateral movement.
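A SAM dump of the kind described above usually shows up in process-creation telemetry as reg.exe saving or exporting the HKLM\SAM hive (and typically HKLM\SYSTEM, whose boot key is needed to decrypt the hashes). The following is an added detection example, not code from Kaspersky's report and not a reconstruction of the attackers' actual commands; the event records are constructed for illustration, and the field names (host, user, cmd) and the severity labels are assumptions.

```python
import re
from collections import defaultdict

# Constructed process-creation events in the shape of Sysmon EID 1 / Security 4688
# command lines. These are made up for the example, not lines from the incidents.
SAMPLE_EVENTS = [
    {"host": "srv01", "user": "CORP\\svc_backup",
     "cmd": 'reg.exe save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv'},
    {"host": "srv01", "user": "CORP\\svc_backup",
     "cmd": 'reg save hklm\\system c:\\windows\\temp\\sys.hiv'},
    {"host": "ws07", "user": "CORP\\jdoe",
     "cmd": 'reg.exe query "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run"'},
    {"host": "ws07", "user": "CORP\\jdoe",
     "cmd": 'cmd.exe /c "reg  save  HKLM\\SECURITY %TEMP%\\sec.hiv"'},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "cmd": 'reg.exe export "HKLM\\SAM" "C:\\ProgramData\\s.reg" /y'},
    {"host": "srv02", "user": "CORP\\admin", "cmd": "net view /domain"},
]

# Matches "reg save" / "reg export" of the three credential-bearing hives.
# SAM holds local password hashes, SYSTEM the boot key used to decrypt them,
# SECURITY the LSA secrets and cached domain credentials.
HIVE_DUMP_RE = re.compile(
    r"(?:^|\s)reg(?:\.exe)?\s+(?P<verb>save|export)\s+"
    r"hk(?:lm|ey_local_machine)\\(?P<hive>sam|security|system)(?:\s|$)"
)


def normalize(cmd: str) -> str:
    """Lower-case, drop quoting and collapse whitespace so that spacing or
    quote tricks ("reg  save  \"HKLM\\SAM\"") do not defeat the match."""
    return " ".join(cmd.lower().replace('"', "").replace("'", "").split())


def detect_hive_dumps(events):
    """Return one finding per event whose command line saves or exports a
    credential hive. Read-only 'reg query' is deliberately not flagged."""
    findings = []
    for ev in events:
        m = HIVE_DUMP_RE.search(normalize(ev["cmd"]))
        if m:
            findings.append({
                "host": ev["host"],
                "user": ev["user"],
                "verb": m.group("verb"),
                "hive": m.group("hive"),
                "cmd": ev["cmd"],
            })
    return findings


def score_hosts(findings):
    """Aggregate per host: SAM plus SYSTEM on the same host is enough to
    recover the hashes offline, so that pairing is rated higher than a
    single hive. The 'high'/'medium' labels are an assumed convention."""
    hives = defaultdict(set)
    for f in findings:
        hives[f["host"]].add(f["hive"])
    return {
        host: "high" if {"sam", "system"} <= seen else "medium"
        for host, seen in hives.items()
    }


if __name__ == "__main__":
    found = detect_hive_dumps(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['host']:6} {f['user']:22} {f['verb']:6} {f['hive']:8} {f['cmd']}")
    print(score_hosts(found))
```

On the constructed events the rule flags four command lines and rates srv01 "high" because both SAM and SYSTEM were saved there; the registry read on ws07 and the net view on srv02 are left alone. In production the same logic would run over Sysmon or 4688 events with command-line auditing enabled, and volume-shadow-copy or direct file reads of C:\Windows\System32\config\SAM would need separate coverage.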
“We assess with high confidence that the activity […] is attributable to the Lazarus group. In our previous research, we already attributed the malware clusters used in both incidents […] to the Lazarus group,” Kaspersky notes.
The security firm was unable to identify the initial infection vector in either of the incidents, but notes that spear-phishing was used by the group in the past, along with strategic website compromise.
“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” Seongsu Park, security expert at Kaspersky, said.
Microsoft reported last month that state-sponsored Russian and North Korean hackers had been trying to steal valuable data from pharmaceutical companies and vaccine researchers. Reuters reported that North Korean hackers had targeted British COVID-19 vaccine maker AstraZeneca.