Two recent incidents point to the Lazarus group as the advanced persistent threat attacking a pharma company and a government agency.

As the pandemic and restrictive measures across the world continue, many parties involved are trying to speed up vaccine development by any means available. While most of the work is well-intentioned, there is another side to this coin as some threat actors are trying to capitalize on this for their own gain.

In the autumn of 2020, cybersecurity researchers identified two advanced persistent threat (APT) incidents that targeted entities related to COVID-19 research: a health ministry agency and a pharmaceutical company. The experts assessed with high confidence that the activities can be attributed to the infamous Lazarus group.

The first attack against a Ministry of Health body involved the compromise of two Windows servers in the organization with sophisticated malware on October 27, 2020. The malware used is known by the name ‘wAgent’. Closer analysis has shown that the wAgent malware used against the health agency has the same infection scheme as that used by the malware Lazarus group in attacks on cryptocurrency businesses.

The second incident involved a pharmaceutical company. According to Kaspersky telemetry, the company was breached on September 25, 2020. This company is developing a COVID-19 vaccine and is also authorized to produce and distribute it. This time, the attacker deployed the Bookcode malware, previously reported by security vendor to be connected to Lazarus, in a supply chain attack through a South Korean software company. In the past, Kaspersky researchers also witnessed Lazarus group carry out spear-phishing or strategically compromise websites in order to deliver Bookcode malware. Both wAgent and Bookcode malware, used in both attacks, have similar functionalities, such as a full-featured backdoor. After deploying the final payload, the malware operator can control a victim’s machine in nearly any manner they wish.

Relationship of recent Lazarus group attack

Given the noted overlaps, Kaspersky researchers confirm with high confidence that both incidents are connected to the Lazarus group. The research is still ongoing.

Said Seongsu Park, a security expert at Kaspersky: These two incidents reveal Lazarus group’s interest in intelligence related to COVID-19. While the group is mostly known for its financial activities, it is a good reminder that it can go after strategic research as well. We believe that all entities currently involved in activities such as vaccine research or crisis handling should be on high alert for cyberattacks.”