Kaspersky reveals two APT incidents related to vaccine research

Researchers at Kaspersky have recently identified two APT incidents that targeted entities related to COVID-19 research – a Ministry of Health body and a pharmaceutical company. Kaspersky experts assessed with high confidence that the activities can be attributed to the infamous Lazarus group.

As the pandemic and restrictive measures across the world continue, many parties involved are trying to speed up vaccine development by any means available. Kaspersky experts have discovered that the actor went after COVID-19-related entities just a couple of months ago. Namely, two incidents were identified.

The first one was an attack against a Ministry of Health body. Two Windows servers in the organization were compromised with sophisticated malware on October 27, 2020. The malware used is known to Kaspersky as ‘wAgent’. Closer analysis has shown that the wAgent malware used against the Ministry of Health has the same infection scheme as the malware Lazarus group previously used in attacks on cryptocurrency businesses.

The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020. This company is developing a COVID-19 vaccine and is also authorized to produce and distribute it. This time, the attacker deployed the Bookcode malware, previously reported by a security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. In the past, Kaspersky researchers have also witnessed Lazarus group carry out spear-phishing or strategically compromise websites in order to deliver Bookcode malware.

The wAgent and Bookcode malware used in the two attacks have similar functionality, each acting as a full-featured backdoor. After deploying the final payload, the malware operator can control a victim’s machine in nearly any manner they wish.

Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing.

“These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks,” comments Seongsu Park, security expert at Kaspersky.