Lazarus APT group targets COVID-19 vaccine research


Towards the end of last year, researchers from Kaspersky identified two APT events that targeted organisations related to COVID-19 research, a ministry of health body and a pharmaceutical company.

After a thorough assessment, the company’s experts said with confidence that the incidents can be attributed to the notorious Lazarus group that has strong links to North Korea.

With the global pandemic seeing restrictive measures put in place across the globe, public and private sector organisations are trying to speed up the development of a vaccine by any means available. Kaspersky warns that certain bad actors are attempting to capitalise on this for their own gain. In particular, the security firm's experts discovered that the Lazarus Group went after two COVID-19-related entities just a couple of months ago.


The first incident, which involved a ministry of health, saw two Windows servers in the organisation compromised with sophisticated malware on 27 October last year. The malware employed, dubbed ‘wAgent’, uses the same infection mechanism as malware the Lazarus group has previously used in attacks against crypto-currency businesses.

The other incident saw a pharmaceutical company being breached on 25 September. The entity involved is developing a COVID-19 vaccine and is also authorised to produce and distribute it. This time, the malefactor deployed the Bookcode malware, which Kaspersky says has also been connected to Lazarus, in a supply chain attack via a South Korean software company.

Researchers from Kaspersky have also seen the Lazarus group use spear-phishing and strategic website compromises to deliver the Bookcode malware in the past.

wAgent and Bookcode malware have similar functionalities, including a full-featured backdoor. After deploying the final payload, the threat actors can control a victim’s machine in practically any manner they choose.

Seongsu Park, a security expert at Kaspersky, says the two incidents reveal the Lazarus group’s interest in information related to the coronavirus. “While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyber attacks.”
