North Korea authorised cyber gang to steal Britain's Covid vaccine secrets, sources say

North Korea authorised a state-sponsored cyber gang to pose as headhunters in an attempt to steal Britain's Covid-19 vaccine secrets, security sources said on Friday.

The cyber criminals targeted AstraZeneca, the pharmaceutical company working with Oxford University to develop the UK's Covid vaccine. Initial results suggest the Oxford vaccine is anywhere between 60 per cent and 90 per cent effective, and regulators have now been asked to appraise it.

The hackers approached staff working with AstraZeneca, based at its headquarters in Cambridge, with fake job offers. Posing as recruiters working on behalf of rival firms, they sent messages over the past few weeks via the social networking site LinkedIn and also through messaging service WhatsApp.

AstraZeneca employees were then sent documents, claiming to be job descriptions, which included malicious computer code designed to allow the hackers access to the company's computer systems.

The tools and techniques used by the cyber gang are commonly deployed by North Korea, and security sources have confirmed that the country is believed to be behind the attempted hack. Sources said the attempt was believed to have been unsuccessful.

The targeting of AstraZeneca comes just a few weeks after Downing Street took the unusual step of going public in accusing Russia of being behind a separate "despicable" cyber attack on Britain's two vaccine teams, the one at Oxford and another run by Imperial College London.

The National Cyber Security Centre (NCSC), the intelligence agency tasked with protecting the UK from cyber warfare, said at the time it had the "highest level of confidence" that the Kremlin was behind the "ongoing" attack.

On Friday, the NCSC declined to give further detail on the North Korean hack but did not deny that attempts had been made by the rogue state to steal vaccine secrets.

An NCSC spokesman said: "Working alongside our allies, the NCSC is committed to protecting our most critical assets, the health sector and crucial vaccine research and development against threats."

The respected Reuters news agency said the North Korean gang had targeted a "broad set of people" including staff working on Covid-19 research, but is not thought to have been successful.

The North Korean mission to the United Nations in Geneva declined to respond to a request for comment. Pyongyang has previously denied carrying out cyber attacks. It has no direct line of contact for foreign media.

AstraZeneca, which has emerged as one of the top three Covid-19 vaccine developers, declined to comment.

Sources told Reuters the attacks were part of an ongoing hacking campaign that US officials and cybersecurity researchers have attributed to North Korea.

The campaign has previously focused on defence companies and media organisations but has become focused on Covid-19 related targets in recent weeks.

Cyber attacks against health bodies, vaccine scientists and drugmakers have soared during the Covid-19 pandemic as state-backed and criminal hacking groups scramble to obtain the latest research and information about the outbreak.

Western officials say any stolen information could be sold for profit, used to extort the victims, or give foreign governments a valuable strategic advantage as they fight to contain a disease that has killed 1.4 million people worldwide.

Microsoft said this month it had seen two North Korean hacking groups target vaccine developers in a number of countries, including by "sending messages with fabricated job descriptions". Microsoft did not name any of the targeted organisations.

South Korean lawmakers said on Friday that the country's intelligence agency had foiled some of those attempts.

It has previously been reported that hackers from Iran, China and Russia have all attempted to break into leading drugmakers and even the World Health Organisation this year. Tehran, Beijing and Moscow have all denied the allegations.

Some of the accounts used in the attacks on AstraZeneca were registered to Russian email addresses, one of the sources said, in a possible attempt to mislead investigators.

North Korea has been blamed by US prosecutors for some of the world's most audacious and damaging cyber attacks. Pyongyang has described the allegations as part of attempts by Washington to smear its image.

Posing as recruiters on social networking site LinkedIn is a favoured tactic of North Korean hackers seeking to steal money and valuable research. Hackers linked to the North Korean regime often pose as recruiters and message targets, asking them to download files which they claim contain job descriptions.

When downloaded and opened, the files actually contain computer code that gives the hackers access to protected computer systems, allowing them to silently search through servers and then smuggle out the files.

Cyber security experts have found that LinkedIn messages like this are commonly sent by the Lazarus hacking group, which in 2014 broke into the servers of Sony Pictures and in 2017 brought parts of the NHS to a standstill during the WannaCry ransomware attack.

Last year, the group posed as recruiters for defence contractors and messaged British employees of defence and aerospace companies in the hope that they could gain access to classified military documents.