The infamous advanced persistent threat group (APT) Lazarus is behind two recent cyber-attacks that targeted two separate entities related to COVID-19 research.
In one attack, a Ministry of Health body was hit with malware. The other incident involved the use of a different kind of malware against a pharmaceutical company that is developing a vaccine for the novel coronavirus. The company is authorized to produce and distribute the vaccine.
The attacks, which both occurred in the fall of 2020, were identified by researchers at Kaspersky. Despite the use of different tactics, techniques, and procedures (TTPs) in each assault, the researchers have now assessed “with high confidence” that both malicious activities can be attributed to the Lazarus group.
“Both attacks leveraged different malware clusters that do not overlap much,” wrote researchers. “However, we can confirm that both of them are connected to the Lazarus group, and we also found overlaps in the post-exploitation process.”
Researchers found that on October 27, two Windows servers belonging to the Ministry of Health entity were compromised with sophisticated malware known to Kaspersky as “wAgent.” Closer analysis found that the malware used against the public health office had the same infection scheme as Lazarus’ previous attacks on cryptocurrency businesses.
The attack on the pharmaceutical company took place on September 25. Researchers found that the threat actor deployed Bookcode malware in a supply-chain attack through a South Korean software company. This particular type of malware has been previously reported by security vendor ESET to be connected to Lazarus.
Bookcode and wAgent malware have similar functionalities, with both boasting a full-featured backdoor. After deploying the final payload, the malware operator can take control of the victim’s machine.
“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19,” said Seongsu Park, security expert at Kaspersky. “While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well.”
Park went on to issue a grave warning to all organizations striving to put an end to the long-running global health pandemic.
“We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyber-attacks,” said Park.