
Cyber Incident Victim: AstraZeneca

Date: Nov 2020

Location: United Kingdom

Summary

Suspected North Korea-linked hackers targeted a pharmaceutical company developing COVID-19 vaccines through social engineering attacks, posing as recruiters on platforms like LinkedIn and WhatsApp. The attackers sent malicious documents disguised as job descriptions to employees, including those involved in pandemic research, though these attempts were reportedly unsuccessful. Attribution to North Korean actors was based on technical overlaps with known state-sponsored campaigns targeting healthcare, defense, and media sectors. The operation exhibited potential false flags through Russian email addresses. While the victim organization declined to comment, Pyongyang has consistently denied involvement in cyber operations against medical entities.

CIA Posture: Available to members
Motives: 1 motive
Tactics, Techniques & Procedures: 1 technique
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In mid-November 2020, suspected North Korean state-sponsored hackers conducted cyber espionage attempts against AstraZeneca, a pharmaceutical company developing a COVID-19 vaccine. Attackers employed social engineering tactics by posing as recruiters on LinkedIn and WhatsApp to contact employees with fraudulent job offers. They distributed malicious documents disguised as job descriptions, designed to compromise victims' computers upon opening. The campaign specifically targeted personnel involved in COVID-19 research and vaccine development, though investigators assessed these intrusion attempts were ultimately unsuccessful. Security analysts identified technical overlaps between the attack infrastructure and known North Korean cyber operations, including tools and methodologies consistent with Pyongyang's advanced persistent threat groups. The operation formed part of a broader campaign targeting defense contractors, media outlets, and multiple COVID-19 research entities globally.

South Korean intelligence officials reported disrupting related cyber operations during the same timeframe, while Canadian cybersecurity authorities warned of increased state-sponsored threats against pandemic-related intellectual property from multiple nations including North Korea, China, Russia, and Iran. Forensic analysis revealed some attacker accounts used Russian email addresses, leading investigators to consider potential false flag operations designed to obscure attribution. AstraZeneca maintained no public acknowledgment of operational impacts from the attempted breaches and declined official commentary regarding the incident. The targeting occurred against the backdrop of North Korea's repeated denials of conducting cyber operations against healthcare organizations, despite multiple independent attributions of similar attacks to Pyongyang-affiliated groups.

Sources: 1 source (available to members)