Lazarus Group Leveraged to Improve North Korea’s COVID-19 Vaccine Development


Monday, January 4th, 2021

Researchers at Kaspersky Lab have published findings indicating that the Lazarus Group APT and other nation-state threat actors are actively trying to steal COVID-19 research in order to speed up their own countries' vaccine-development efforts. Widely believed to be linked to North Korea, the Lazarus Group recently attacked a pharmaceutical company and a government health ministry involved in the COVID-19 response, with the express goal of stealing intellectual property related to vaccine development.

Two recent incidents were spotlighted in a blog post by Kaspersky's SecureList investigators. The first targeted a government health ministry on October 27, 2020, and two Windows servers were compromised. While the initial infection vector is unknown, the threat actor was able to install a sophisticated malware cluster, known as "wAgent", on the servers. wAgent's main component runs only in memory and fetches additional payloads from a remote server. The Lazarus Group used a similar technique during attacks against cryptocurrency businesses, where it deployed an evolved downloader malware. Notably, wAgent's debugging messages had the same structure as those of the malware previously used in the Lazarus Group's attacks against cryptocurrency businesses, which is part of what ties the two campaigns together.
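The attribution point above rests on the structure of the debug messages (tags, format-specifier sequences), not on their wording. The following Python script is an added illustration of that kind of comparison and is not code from the original post or from Kaspersky; the three string lists are constructed for the example and are not real wAgent or Lazarus strings. It reduces each message to a skeleton (leading status tag plus the ordered printf-style specifiers) and scores two samples by the Jaccard overlap of their skeleton sets.

```python
import re
from typing import Iterable, Optional, Tuple

# Constructed sample strings for the example; NOT real wAgent or Lazarus
# strings. Think of them as debug messages pulled from two binaries with a
# tool such as `strings` or a disassembler.
SAMPLE_A = [
    "[+] connect %s:%d",
    "[-] recv failed: %08x",
    "[+] payload size %d",
    "[*] thread %d started",
]
SAMPLE_B = [
    "[+] connect %s:%d",
    "[-] send failed: %08x",
    "[+] payload size %d",
    "[!] init done",
]
UNRELATED = [
    "Error: could not open file",
    "Connecting to server...",
    "Done.",
]

# printf-style conversion specifier, e.g. %s, %d, %08x, %-5.2f, %llu
_SPEC = re.compile(
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|L|z|j|t)?[diouxXeEfgGaAcsp]"
)
# leading status/severity tag such as "[+]", "[-]", "[*]", "[!]"
_TAG = re.compile(r"^\s*\[(.)\]")

Shape = Tuple[Optional[str], Tuple[str, ...]]


def shape(msg: str) -> Shape:
    """Reduce one debug message to its structure: the leading tag (or None)
    and the ordered sequence of format specifiers. The wording is dropped,
    so 'recv failed: %08x' and 'send failed: %08x' collapse to one shape."""
    tag = _TAG.match(msg)
    return (tag.group(0).strip() if tag else None, tuple(_SPEC.findall(msg)))


def shape_set(msgs: Iterable[str]) -> set:
    """Set of distinct shapes found in a sample's strings."""
    return {shape(m) for m in msgs}


def structural_similarity(a: Iterable[str], b: Iterable[str]) -> float:
    """Jaccard similarity of two samples' shape sets, in [0, 1]."""
    sa, sb = shape_set(a), shape_set(b)
    if not sa and not sb:
        return 1.0
    return len(sa & sb) / len(sa | sb)


if __name__ == "__main__":
    print("A vs B        :", round(structural_similarity(SAMPLE_A, SAMPLE_B), 2))
    print("A vs unrelated:", round(structural_similarity(SAMPLE_A, UNRELATED), 2))
```

On the constructed input, A and B share three of five skeletons (0.6) even though two of the messages differ in wording, while the unrelated set scores 0.0. A score like this is a weak signal for clustering samples, not proof of a common author; Kaspersky combined the debug-string overlap with other code and infrastructure overlaps before attributing wAgent to the Lazarus Group.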

The second incident was an attack against a pharmaceutical company. The unnamed company was breached on September 25, 2020, and the Lazarus Group deployed the Bookcode malware, delivered through a supply-chain attack on a South Korean software company. Upon execution, Bookcode reads a configuration file and connects to its command-and-control (C2) server, after which it provides standard backdoor functionality and sends information about the victim, including password hashes, to the attacker's infrastructure, researchers said.

It is highly likely that attacks on COVID-19 vaccine and drug developers, and attempts to steal IP and other sensitive information, will increase significantly. As the race to develop a successful COVID-19 vaccine continues, these attacks will have significant geopolitical and financial ramifications.
