North Korean hackers targeted AstraZeneca COVID vaccine development

Hidden inside those documents was malicious code designed to slip past a person's defenses
The report describes how North Korean hackers embedded malware in fake job descriptions sent to AstraZeneca employees.

In the closing months of 2020, as humanity's most urgent scientific race unfolded, state-sponsored hackers allegedly linked to North Korea attempted to infiltrate AstraZeneca's vaccine research through the quiet deception of fabricated job offers. The attacks — disguised as professional opportunity, delivered through LinkedIn and WhatsApp — failed to breach any systems, yet their significance lay not in what was stolen but in what was attempted: the weaponization of a global health crisis for strategic gain. This episode joins a widening pattern in which the pandemic's most vital knowledge has become a target for governments willing to blur the line between espionage and sabotage.

  • Hackers posing as corporate recruiters sent malicious documents to AstraZeneca employees working directly on COVID-19 vaccine research, exploiting professional trust as a vector for intrusion.
  • The attack methods matched a well-documented North Korean playbook previously aimed at defense contractors and media organizations — now retrained on the world's most consequential pharmaceutical race.
  • Microsoft identified two separate North Korean hacking groups pursuing vaccine developers across multiple countries simultaneously, signaling a coordinated and escalating campaign rather than an isolated incident.
  • South Korean intelligence intervened to block some attempts, and AstraZeneca's systems were ultimately not compromised — but the near-misses revealed how thin the margin between failure and catastrophic IP theft had become.
  • With Iran, China, and Russia also implicated in pandemic-era cyberattacks on health institutions, the question facing vaccine developers is no longer whether they are targets, but whether their defenses can outlast the pressure.

In the autumn of 2020, as AstraZeneca pressed forward on its COVID-19 vaccine, an unseen campaign was underway to break into its systems. Hackers reached out to company employees through LinkedIn and WhatsApp, presenting themselves as recruiters with attractive job offers. The documents they sent looked legitimate. Concealed within them was malicious code intended to open a pathway into the recipient's machine.

Two sources with direct knowledge of the attempts told Reuters what had happened. The attackers had targeted a broad range of staff, with particular focus on those involved in vaccine research. The intrusions failed — no systems were compromised — but the attempt itself revealed the extraordinary pressures surrounding the companies at the center of the pandemic response.

The techniques used bore the hallmarks of North Korean state-sponsored hacking, a threat that had previously been directed at defense contractors and media organizations before pivoting toward COVID-related targets. Microsoft had tracked two separate North Korean groups pursuing vaccine developers across multiple countries using nearly identical methods. South Korean intelligence officials said they had intercepted some of these attempts before they could cause harm.

The broader landscape was already alarming. Cyberattacks on health institutions and pharmaceutical companies had surged throughout the pandemic, with state-backed and criminal groups alike seeking to steal research for profit, extortion, or strategic advantage. Reuters had previously documented similar campaigns attributed to hackers from Iran, China, and Russia — all of which denied involvement. AstraZeneca declined to comment. North Korea did not respond.

One detail hinted at deliberate misdirection: some email accounts used in the attacks had been registered to Russian addresses, though whether this was meant to mislead investigators remained unclear. What was certain was that the attacks had failed, the vaccine work had continued, and the contest for advantage in the pandemic showed no sign of easing.

In the autumn of 2020, as AstraZeneca raced to complete its COVID-19 vaccine, someone was trying to break into the company's computers. The attackers posed as recruiters, reaching out to AstraZeneca employees through LinkedIn and WhatsApp with offers of employment. The messages looked professional. The job descriptions attached to them were not what they appeared to be. Hidden inside those documents was malicious code designed to slip past a person's defenses and open a door into their machine.

Two people with direct knowledge of the breach attempts told Reuters what had happened. The hackers had cast a wide net, targeting a broad range of AstraZeneca staff, but their focus was clear: they wanted to reach people working on the vaccine itself. The attacks, according to these sources, did not succeed. No systems were compromised. But the attempt itself was significant—a window into the kinds of pressure bearing down on the companies racing to develop the world's most urgent pharmaceutical product.

The tools and techniques used in these attacks matched patterns that U.S. officials and cybersecurity researchers had long associated with North Korea. This was not a new threat emerging from Pyongyang; it was an established campaign that had previously targeted defense contractors and media organizations, now pivoting toward a new prize. Three people who had investigated the attacks confirmed that the campaign had shifted focus in recent weeks, turning its attention to COVID-related targets. Microsoft, the software giant, had observed two separate North Korean hacking groups pursuing vaccine developers across multiple countries using nearly identical methods—fabricated job descriptions sent through social channels. South Korean intelligence officials said they had managed to stop some of these attempts before they could do damage.

The broader context made the threat clear. Cyberattacks on health institutions, vaccine scientists, and pharmaceutical companies had multiplied throughout the pandemic as both state-backed and criminal groups competed to steal research and gain advantage. The potential uses for such information were numerous: sell it for profit, use it to extort the victims, or hand it to a government seeking strategic advantage in the fight against a disease that had by then killed 1.4 million people worldwide. Reuters had already documented similar attempts by hackers from Iran, China, and Russia against leading drugmakers and the World Health Organization. All three countries denied involvement.

AstraZeneca, one of the world's top three vaccine developers, declined to comment on the attack. The North Korean mission to the United Nations in Geneva did not respond to requests for comment. Pyongyang has a long history of denying cyberattack allegations, and this case would be no different. What made the North Korean threat distinctive was its track record. U.S. prosecutors had attributed some of the world's most destructive cyberattacks to the regime: the 2014 hack of Sony Pictures, the 2016 theft of $81 million from Bangladesh's central bank, and the 2017 release of the WannaCry ransomware that crippled systems across the globe. North Korea's government dismissed such accusations as American propaganda designed to damage its reputation.

One detail suggested an attempt at misdirection. Some of the email accounts used in the AstraZeneca attacks had been registered to Russian addresses, according to one of the sources. Whether this was meant to confuse investigators or simply a tactic borrowed from other campaigns remained unclear. What was certain was that the attack had failed, the vaccine development had continued, and the competition for advantage in the pandemic had only intensified. The question now was whether other companies would face similar pressure, and whether the defenses in place would hold.

The hackers targeted a broad set of people including staff working on COVID-19 research, but the attacks are not thought to have been successful
— Sources with knowledge of the matter
Microsoft observed two North Korean hacking groups targeting vaccine developers in multiple countries by sending messages with fabricated job descriptions
— Microsoft
The Hearth Conversation: another perspective on the story
Inventor

Why would North Korea care about a British vaccine company's research? What's the strategic value?

Model

Control over vaccine information is leverage—you can sell it, use it to extort, or hand it to your own scientists to accelerate your program. In a pandemic, that's power. It's also intelligence about Western pharmaceutical capabilities.

Inventor

But the attacks failed. Does that matter?

Model

It matters that they tried. It tells us the threat is real and active. It also tells us the defenses worked, at least this time. But AstraZeneca wasn't the only target. Multiple countries' hackers were going after vaccine makers simultaneously.

Inventor

Why pose as recruiters specifically? Why not just try to break in directly?

Model

Because people trust job offers. They open attachments. They click links. It's social engineering—the easiest way through a firewall is through someone's willingness to help. A fake job description is more likely to get opened than a random email from an unknown sender.

Inventor

The article mentions Russian email addresses were used. Does that mean Russia was involved?

Model

Probably not. It's likely misdirection—making investigators look in the wrong direction. It's a tactic. When you're trying to hide your tracks, you use someone else's footprints.

Inventor

What happens next? Is this threat over?

Model

No. This was one attempt at one company. The campaign is ongoing, and it's shifting targets. As long as the vaccine is valuable, people will keep trying to steal it.

Want the full story? Read the original at Reuters