Government-backed hacking groups from China, North Korea, and Russia are not letting a global pandemic go to waste and have begun using coronavirus-based phishing lures as part of their efforts to infect victims with malware and gain access to their infrastructure.
During the past weeks, the cyber-security community has seen state-sponsored hackers from China, North Korea, and Russia attempt these tactics.
The use of the COVID-19 (coronavirus) lure is not actually a surprise to anyone who has followed the information security (infosec) industry for any length of time.
Cyberspies have never let a tragedy or national disaster go to waste. From the Paris terror attacks of November 2015 to the oppression of the Uyghur population in China, state-sponsored groups have always crafted their email lures around whatever their targets are most likely to open at a given moment, and, historically, tragic events have always made the best lures.
The first state-sponsored hacking group to employ a coronavirus lure was the Hades group, believed to be operating out of Russia and tied to APT28 (Fancy Bear), one of the groups that hacked the DNC in 2016.
The documents were sent to targets in Ukraine, disguised as emails coming from the Center for Public Health of the Ministry of Health of Ukraine.
The targeted emails appear to have been part of a larger disinformation campaign that hit the entire country, on different fronts.
First, at the same time Hades was going after its targets, a wave of coronavirus-themed spam emails hit the country. Second, the email campaign was followed by a flood of messages on social media claiming the COVID-19 disease had arrived in the country.
According to a BuzzFeed News report, one of these emails went viral and, amplified by the wave of social media scaremongering, led to a general panic and violent riots in some parts of the country.
BuzzFeed News reported that in some Ukrainian cities residents blocked hospitals fearing their children could get infected by coronavirus-infected evacuees coming from Ukraine’s war-torn eastern region.
In this general panic, a few malware-laced emails had a much higher chance of passing undetected and reaching their targets, most of whom were likely following the events unfolding in the country closely.
The next country to weaponize COVID-19 for spear-phishing lures was North Korea, at the end of February, although in a campaign that was nowhere near as sophisticated as the one that hit Ukraine.
According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea’s response to the COVID-19 epidemic.
The documents, believed to have been sent to South Korean officials, were booby-trapped with BabyShark, a malware strain previously used by a North Korean hacker group known as Kimsuky.
But the largest number of coronavirus-themed malware campaigns came from China, all sent out over the past two weeks, just as China was emerging from its own COVID-19 crisis.
The first of the two happened at the start of this month. Vietnamese cyber-security firm VinCSS detected a Chinese state-sponsored hacking group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese Prime Minister.
The attack, also confirmed by CrowdStrike, installed a basic backdoor trojan on the computers of users who downloaded the archive, unzipped it, and opened its contents.
The second attack was detailed today by another cyber-security firm. The company said it had been tracking another Chinese group called Vicious Panda that had been targeting Mongolian government organizations with documents claiming to hold information about the prevalence of new coronavirus infections.
These attacks from cyber-espionage groups aren’t the only ones feeding on the COVID-19 global panic, though.
Regular cybercrime gangs have also been using the same lure for just as long as professional cyberspies, according to a ZDNet report published last week, citing findings from Fortinet, Sophos, Proofpoint, and others.