Three days before the end of 2020, SlashNext Threat Labs observed a flurry of spear-phishing attacks targeting companies working to deliver Covid-19 vaccines and therapeutics to curb the pandemic. Many of these attacks continue and have remained active during the first quarter of 2021, with more than 1,000 spear-phishing domains attributed to the same threat actors in the last 90 days. In all cases, these attacks point to fake Office 365 log-in pages hosted on legitimate domains, and the hosting has recently moved to Azure-hosted sites (azurewebsites[.]net).
“There are strong indicators these attacks are sourced from nation-states which can be correlated to reports on activities from North Korea and Iran attempting to access Covid-19 vaccine data and intellectual property.” Atif Mushtaq, Founder and CPO, SlashNext
These spear-phishing attacks target specific, high-value individuals working on Covid-19 vaccines or therapeutics. Spear phishing typically targets employees in finance with a monetary motive; here, by contrast, the attackers pursue high-value employees with access to lab technology and intellectual property, including executives working in innovation, clinical research, patents, and manufacturing, in an attempt to steal their account credentials.
[Screenshots of the phishing log-in pages; captions: First seen 02/16/2021 07:49:55 PM; First seen 02/23/2021 02:51:29 PM; First seen 02/06/2021 08:05:58 PM]
The following is a list of targeted titles:

| Company | Targeted Titles and Organizations |
|---|---|
| Optum | Federal Solutions, OptumServe; Data Engineering – Optum Life Sciences OptumInsight Advanced Technology Collaborative |
| Gilead Science | Clinical Research; Manufacturing Operations Development Operations at Gilead Sciences Medical Affairs Regulatory Operations Global Specialty Lab Outsourcing Patent Operations Outsourced Manufacturing Development at Gilead Process Lead at Gilead Sciences |
| Novartis | Global BioMedical Research; Novartis Institutes of Biomedical Research Regulatory Affairs North America Pharmaceuticals Counsel Immunology Transformation and Innovation Biomarker Coordination Scientific Computing and Consulting Biostatistics and Pharmacometrics Translational Medicine Drug Discovery |
| Astrazeneca | National Intermediaries; Clinical Research Global Operations |
The following is a list of companies and a subset of the phishing domains involved in this outbreak (updated March 24, 2021):

| Company | Phishing Domain |
|---|---|
| Optum | optum-2989[.]apponline-0238[.]xyz |
| Gilead Science | gilead-fax16[.]apponline-8473[.]xyz |
| Integrated DNA Technologies | idtdna-fax12[.]apponline-9234[.]xyz |
| Novartis | novartis-fax78[.]apponline-2641[.]xyz |
| Abbott Laboratories | abbott-9196[.]apponline-5673[.]xyz |
| Astrazeneca | astrazeneca-fax34[.]apponline-1424[.]xyz; astragroup-cloud[.]azurewebsites[.]net; cloudastra-info[.]azurewebsites[.]net; astragroup-info[.]azurewebsites[.]net |
| Johnson and Johnson | its-fax83[.]apponline-9234[.]xyz |
| Pfizer | pfizer-fax80[.]apponline-8473[.]xyz |
| Merck | merckgroup-2585[.]apponline-8473[.]xyz |
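The domains listed above share a recognisable naming scheme (`<brand>-fax##[.]apponline-####[.]xyz`, plus brand-keyword hostnames under azurewebsites[.]net), which lends itself to a hunt rule rather than just an exact-match blocklist. The script below is an added example and not SlashNext tooling: it refangs the IoC list from this page, generalises the observed pattern into two regexes, and runs them over a constructed DNS query log. The log lines, the `examplebio` and `pfizerinfo-portal` hostnames and all function names are assumptions made for the demo; only the known-bad list is taken from the page.

```python
"""Hunt for hosts matching the phishing-domain pattern reported on this page.

Added example (not SlashNext code). The IoC list is copied from the page;
the log lines and the non-listed hostnames in them are constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# IoCs exactly as listed on the page (defanged with [.]).
REPORTED_IOCS = [
    "optum-2989[.]apponline-0238[.]xyz",
    "gilead-fax16[.]apponline-8473[.]xyz",
    "idtdna-fax12[.]apponline-9234[.]xyz",
    "novartis-fax78[.]apponline-2641[.]xyz",
    "abbott-9196[.]apponline-5673[.]xyz",
    "astrazeneca-fax34[.]apponline-1424[.]xyz",
    "astragroup-cloud[.]azurewebsites[.]net",
    "cloudastra-info[.]azurewebsites[.]net",
    "astragroup-info[.]azurewebsites[.]net",
    "its-fax83[.]apponline-9234[.]xyz",
    "pfizer-fax80[.]apponline-8473[.]xyz",
    "merckgroup-2585[.]apponline-8473[.]xyz",
]

# Brand keywords of the companies named on the page.
BRAND_KEYWORDS = ("optum", "gilead", "idtdna", "novartis", "abbott",
                  "astra", "pfizer", "merck")

# Generalisation of the observed scheme: <label>-[fax]<digits>.apponline-<4 digits>.xyz
APPONLINE_RE = re.compile(r"^(?P<label>[a-z0-9]+)-(?:fax)?\d+\.apponline-\d{4}\.xyz$")
# Azure App Service hostname; flagged only if the label carries a brand keyword.
AZURE_RE = re.compile(r"^(?P<label>[a-z0-9-]+)\.azurewebsites\.net$")


def refang(domain: str) -> str:
    """Turn a defanged indicator (a[.]b) back into a real hostname."""
    return domain.replace("[.]", ".").lower()


KNOWN_BAD = {refang(d) for d in REPORTED_IOCS}


@dataclass
class Verdict:
    host: str
    reason: str  # "known_ioc", "apponline_pattern" or "azure_brand_lookalike"


def classify(host: str) -> Optional[Verdict]:
    """Exact IoC match first, then the two pattern rules; None if clean."""
    h = host.lower().rstrip(".")
    if h in KNOWN_BAD:
        return Verdict(h, "known_ioc")
    if APPONLINE_RE.match(h):
        return Verdict(h, "apponline_pattern")
    m = AZURE_RE.match(h)
    if m and any(k in m.group("label") for k in BRAND_KEYWORDS):
        return Verdict(h, "azure_brand_lookalike")
    return None


# Constructed DNS query log, one "<timestamp> <client> <qname>" record per line.
SAMPLE_LOG = """\
2021-03-24T09:12:01Z 10.1.4.22 login.microsoftonline.com
2021-03-24T09:12:05Z 10.1.4.22 pfizer-fax80.apponline-8473.xyz
2021-03-24T09:13:40Z 10.1.7.9 examplebio-fax21.apponline-5511.xyz
2021-03-24T09:14:02Z 10.1.7.9 astragroup-cloud.azurewebsites.net
2021-03-24T09:15:33Z 10.1.2.3 pfizerinfo-portal.azurewebsites.net
2021-03-24T09:16:10Z 10.1.2.3 corp-intranet.azurewebsites.net
2021-03-24T09:17:44Z 10.1.9.1 www.novartis.com
"""


def scan_log(text: str) -> List[Tuple[str, str, Verdict]]:
    """Return (timestamp, client, verdict) for every flagged query."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than crash the hunt
        ts, client, qname = parts
        verdict = classify(qname)
        if verdict:
            hits.append((ts, client, verdict))
    return hits


if __name__ == "__main__":
    for ts, client, v in scan_log(SAMPLE_LOG):
        print(f"{ts} {client} -> {v.host} [{v.reason}]")
```

Exact IoC hits are checked before the pattern rules so that a listed domain is always reported as `known_ioc`. The `apponline_pattern` rule catches hosts not yet on any list (the constructed `examplebio-fax21` record). The Azure rule is deliberately narrower, since azurewebsites[.]net hosts plenty of legitimate applications: a brand keyword in the label is required, so `corp-intranet.azurewebsites.net` is not flagged, and even the hits it does produce are best treated as hunt leads to review rather than automatic blocks.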