Iran-linked hackers recently targeted coronavirus drugmaker Gilead

Hackers linked to Iran have targeted staff at U.S. drugmaker Gilead Sciences Inc in recent weeks, as the company races to deploy a treatment for the COVID-19 virus, according to Reuters.

In one case, a fake email login page designed to steal passwords was sent in April to a top Gilead executive involved in legal and corporate affairs, according to an archived version on a website used to scan for malicious web addresses. Reuters was not able to determine whether the attack was successful.

Ohad Zaidenberg, lead intelligence researcher at Israeli cybersecurity firm ClearSky, who closely tracks Iranian hacking activity and has investigated the attacks, said the attempt was part of an effort by an Iranian group to compromise email accounts of staff at the company using messages that impersonated journalists.

Two other cybersecurity researchers, who were not authorized to speak publicly about their analysis, confirmed that the web domains and hosting servers used in the hacking attempts were linked to Iran.

Reuters has reported in recent weeks that hackers with links to Iran and other groups have also attempted to break into the World Health Organization, and that attackers linked to Vietnam targeted the Chinese government over its handling of the coronavirus outbreak.

Britain and the United States warned this week that state-backed hackers are attacking pharmaceutical companies and research institutions working on treatments for the new disease.

The joint statement did not name any of the attacked organizations, but two people familiar with the matter said one of the targets was Gilead, whose antiviral drug remdesivir is the only treatment so far proven to help patients infected with COVID-19.

The hacking infrastructure used in the attempt to compromise the Gilead executive’s email account has previously been used in cyberattacks by a group of suspected Iranian hackers known as “Charming Kitten,” said Priscilla Moriuchi, director of strategic threat development at U.S. cybersecurity firm Recorded Future, who reviewed the web archives identified by Reuters.