16 November 2020

Russian, North Korean hackers target vaccine researchers



Three state-sponsored hacker groups have launched targeted campaigns aimed at leading pharmaceutical companies and researchers involved in the development of vaccines and treatments for Covid-19. According to Microsoft, the list of targets includes entities in Canada, France, India, South Korea and the United States.

The culprits behind the attacks are believed to be the Strontium APT (aka Fancy Bear, APT28, Sofacy, Pawn Storm, and Sednit), a group linked by security researchers to Russia, and two threat actors originating from North Korea that Microsoft calls Zinc (well known as the Lazarus Group) and Cerium.

“Among the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical trials. One is a clinical research organization involved in trials, and one has developed a Covid-19 test. Multiple organizations targeted have contracts with or investments from government agencies from various democratic countries for Covid-19 related work,” the company said.

To obtain sensitive information, the Strontium hackers employed password spray and brute force techniques that allowed them to steal login credentials. The Lazarus Group mainly used spear-phishing lures for credential theft, sending messages with fake job descriptions ostensibly from recruiters.

Cerium appears to be a new player on the cybercrime threat landscape. Microsoft says that, in the observed campaign, the group used spear-phishing email lures with Covid-19 themes while masquerading as World Health Organization representatives.

“At a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of a safe and effective vaccine for Covid-19, it is essential for world leaders to unite around the security of our health care institutions and enforce the law against cyber attacks targeting those who endeavor to help us all,” said Tom Burt, Microsoft Vice President for Customer Security & Trust, in a blog post.
