{
	"id": "fff2ee72-4cd6-4f32-b283-5beb9d01b2f5",
	"created_at": "2026-04-06T00:13:32.512091Z",
	"updated_at": "2026-04-10T03:38:06.646104Z",
	"deleted_at": null,
	"sha1_hash": "d9d6dafdf059865d6c6466e769a7954d039bac0e",
	"title": "Cyberattacks targeting health care must stop - Microsoft On the Issues",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45083,
	"plain_text": "Cyberattacks targeting health care must stop - Microsoft On the\r\nIssues\r\nBy Tom Burt\r\nPublished: 2020-11-13 · Archived: 2026-04-05 12:46:13 UTC\r\nTwo global issues will help shape people’s memories of this time in history – Covid-19 and the increased use of\r\nthe internet by malign actors to disrupt society. It’s disturbing that these challenges have now merged as\r\ncyberattacks are being used to disrupt health care organizations fighting the pandemic. We think these attacks are\r\nunconscionable and should be condemned by all civilized society. Today, we’re sharing more about the attacks\r\nwe’ve seen most recently and are urging governments to act.\r\nIn recent months, we’ve detected cyberattacks from three nation-state actors targeting seven prominent companies\r\ndirectly involved in researching vaccines and treatments for Covid-19. The targets include leading pharmaceutical\r\ncompanies and vaccine researchers in Canada, France, India, South Korea and the United States. The attacks came\r\nfrom Strontium, an actor originating from Russia, and two actors originating from North Korea that we call Zinc\r\nand Cerium.\r\nAmong the targets, the majority are vaccine makers that have Covid-19 vaccines in various stages of clinical\r\ntrials. One is a clinical research organization involved in trials, and one has developed a Covid-19 test. Multiple\r\norganizations targeted have contracts with or investments from government agencies from various democratic\r\ncountries for Covid-19 related work.\r\nStrontium continues to use password spray and brute force login attempts to steal login credentials. These are\r\nattacks that aim to break into people’s accounts using thousands or millions of rapid attempts. Zinc has primarily\r\nused spear-phishing lures for credential theft, sending messages with fabricated job descriptions pretending to be\r\nrecruiters. 
Cerium engaged in spear-phishing email lures using Covid-19 themes while masquerading as World\r\nHealth Organization representatives. The majority of these attacks were blocked by security protections built into\r\nour products. We’ve notified all organizations targeted, and where attacks have been successful, we’ve offered\r\nhelp.\r\nThese are just among the most recent attacks on those combating Covid-19. Cyberattacks targeting the health care\r\nsector and taking advantage of the pandemic are not new. Attackers recently used ransomware attacks to target\r\nhospitals and healthcare organizations across the United States. Earlier in the pandemic, attacks targeted Brno\r\nUniversity Hospital in the Czech Republic, Paris’s hospital system, the computer systems of Spain’s hospitals,\r\nhospitals in Thailand, medical clinics in the U.S. state of Texas, a health care agency in the U.S. state of Illinois\r\nand even international bodies such as the World Health Organization. In Germany, we recently saw the resulting\r\nthreat to human health become tragic reality when a woman in Dusseldorf reportedly became the first known\r\ndeath as a result of a cyberattack on a hospital.\r\nToday, Microsoft’s president Brad Smith is participating in the Paris Peace Forum where he will urge governments\r\nto do more. Microsoft is calling on the world’s leaders to affirm that international law protects health care\r\nfacilities and to take action to enforce the law. We believe the law should be enforced not just when attacks\r\noriginate from government agencies but also when they originate from criminal groups that governments enable to\r\noperate – or even facilitate – within their borders. This is criminal activity that cannot be tolerated.\r\nThe good news is that we’re not alone. 
Our voice at Microsoft is just one of many speaking up from the multi-stakeholder coalition that will be needed to make progress. In today’s virtual Paris Peace Forum event addressing\r\nan audience of international leaders, Brad will discuss these issues with France’s Minister for Foreign Affairs\r\nJean-Yves le Drian, Ambassador Guilherme de Aguiar Patriota of Brazil and Ambassador Jürg Lauber of\r\nSwitzerland. Ambassador Patriota is chair of the UN’s Group of Governmental Experts, and Ambassador Lauber\r\nis chair of the UN’s Open-Ended Working Group – both important bodies in determining the future of cyberspace.\r\nIn the leadup to this year’s Paris Peace Forum, more than 65 health care-related organizations have joined the\r\nParis Call for Trust and Security in Cyberspace. They include organizations like Merck working on vaccines, top\r\nhospitals like Hospital Metropolitano in Ecuador, and government health institutes like Poland’s National Institute\r\nof Public Health. There is no question the attacks we’ve seen in recent months are creating energy for action\r\nacross the health sector. The Paris Call remains the largest multi-stakeholder coalition addressing these issues, and\r\nits first principle is the prevention of malicious cyber activities that threaten indiscriminate or systemic harm to\r\npeople and critical infrastructure.\r\nIn May, a 136-strong group of the world’s most prominent international law experts, in what has become known as\r\nthe Oxford Process, issued a statement making it clear that international law protects medical facilities at all times.\r\nIn August, the Oxford Process issued a second statement emphasizing that organizations that research,\r\nmanufacture and distribute Covid-19 vaccines are also protected.\r\nEarlier this year, the CyberPeace Institute and International Committee of the Red Cross led an effort by 40\r\ninternational leaders calling on governments to stop the attacks on healthcare. 
They included former secretary of\r\nstate Madeleine Albright, Archbishop Emeritus of Cape Town Desmond Tutu, former Member of the European\r\nParliament Marietje Schaake and former Secretary-General of the United Nations Ban Ki-moon among many\r\nothers.\r\nOrganizations are also taking steps to protect themselves. In April, we announced that we were making\r\nAccountGuard, our threat notification service, available to health care and human rights organizations working on\r\nCovid-19. Since then 195 of these organizations have enrolled in the service and we now protect 1.7 million email\r\naccounts for health care-related groups. Any health care-related organizations that wish to enroll can do so here.\r\nAt a time when the world is united in wanting an end to the pandemic and anxiously awaiting the development of\r\na safe and effective vaccine for Covid-19, it is essential for world leaders to unite around the security of our health\r\ncare institutions and enforce the law against cyberattacks targeting those who endeavor to help us all. You can\r\nlearn more about what Microsoft is doing to advance cybersecurity here.\r\nTags: COVID-19, cyberattacks, cybersecurity, Microsoft AccountGuard\r\nSource: https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blogs.microsoft.com/on-the-issues/2020/11/13/health-care-cyberattacks-covid-19-paris-peace-forum/"
	],
	"report_names": [
		"health-care-cyberattacks-covid-19-paris-peace-forum"
	],
	"threat_actors": [
		{
			"id": "34eea331-d052-4096-ae03-a22f1d090bd4",
			"created_at": "2025-08-07T02:03:25.073494Z",
			"updated_at": "2026-04-10T02:00:03.709243Z",
			"deleted_at": null,
			"main_name": "NICKEL ACADEMY",
			"aliases": [
				"ATK3 ",
				"Black Artemis ",
				"COVELLITE ",
				"CTG-2460 ",
				"Citrine Sleet ",
				"Diamond Sleet ",
				"Guardians of Peace",
				"HIDDEN COBRA ",
				"High Anonymous",
				"Labyrinth Chollima ",
				"Lazarus Group ",
				"NNPT Group",
				"New Romanic Cyber Army Team",
				"Temp.Hermit ",
				"UNC577 ",
				"Who Am I?",
				"Whois Team",
				"ZINC "
			],
			"source_name": "Secureworks:NICKEL ACADEMY",
			"tools": [
				"Destover",
				"KorHigh",
				"Volgmer"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "74a1f6b1-6790-44eb-9e31-9bea8ea0192b",
			"created_at": "2024-02-02T02:00:04.04584Z",
			"updated_at": "2026-04-10T02:00:03.539136Z",
			"deleted_at": null,
			"main_name": "Ruby Sleet",
			"aliases": [
				"CERIUM"
			],
			"source_name": "MISPGALAXY:Ruby Sleet",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9b02c527-5077-489e-9a80-5d88947fddab",
			"created_at": "2022-10-25T16:07:24.103499Z",
			"updated_at": "2026-04-10T02:00:04.867181Z",
			"deleted_at": null,
			"main_name": "Reaper",
			"aliases": [
				"APT 37",
				"ATK 4",
				"Cerium",
				"Crooked Pisces",
				"G0067",
				"Geumseong121",
				"Group 123",
				"ITG10",
				"InkySquid",
				"Moldy Pisces",
				"Opal Sleet",
				"Operation Are You Happy?",
				"Operation Battle Cruiser",
				"Operation Black Banner",
				"Operation Daybreak",
				"Operation Dragon messenger",
				"Operation Erebus",
				"Operation Evil New Year",
				"Operation Evil New Year 2018",
				"Operation Fractured Block",
				"Operation Fractured Statue",
				"Operation FreeMilk",
				"Operation Golden Bird",
				"Operation Golden Time",
				"Operation High Expert",
				"Operation Holiday Wiper",
				"Operation Korean Sword",
				"Operation North Korean Human Right",
				"Operation Onezero",
				"Operation Rocket Man",
				"Operation SHROUDED#SLEEP",
				"Operation STARK#MULE",
				"Operation STIFF#BIZON",
				"Operation Spy Cloud",
				"Operation Star Cruiser",
				"Operation ToyBox Story",
				"Osmium",
				"Red Eyes",
				"Ricochet Chollima",
				"Ruby Sleet",
				"ScarCruft",
				"TA-RedAnt",
				"TEMP.Reaper",
				"Venus 121"
			],
			"source_name": "ETDA:Reaper",
			"tools": [
				"Agentemis",
				"BLUELIGHT",
				"Backdoor.APT.POORAIM",
				"CARROTBALL",
				"CARROTBAT",
				"CORALDECK",
				"Cobalt Strike",
				"CobaltStrike",
				"DOGCALL",
				"Erebus",
				"Exploit.APT.RICECURRY",
				"Final1stSpy",
				"Freenki Loader",
				"GELCAPSULE",
				"GOLDBACKDOOR",
				"GreezeBackdoor",
				"HAPPYWORK",
				"JinhoSpy",
				"KARAE",
				"KevDroid",
				"Konni",
				"MILKDROP",
				"N1stAgent",
				"NavRAT",
				"Nokki",
				"Oceansalt",
				"POORAIM",
				"PoohMilk",
				"PoohMilk Loader",
				"RICECURRY",
				"RUHAPPY",
				"RokRAT",
				"SHUTTERSPEED",
				"SLOWDRIFT",
				"SOUNDWAVE",
				"SYSCON",
				"Sanny",
				"ScarCruft",
				"StarCruft",
				"Syscon",
				"VeilShell",
				"WINERACK",
				"ZUMKONG",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775792286,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/d9d6dafdf059865d6c6466e769a7954d039bac0e.pdf",
		"text": "https://archive.orkl.eu/d9d6dafdf059865d6c6466e769a7954d039bac0e.txt",
		"img": "https://archive.orkl.eu/d9d6dafdf059865d6c6466e769a7954d039bac0e.jpg"
	}
}