State-sponsored hackers using coronavirus lures to infect their targets

March 16, 2020

During the past weeks, the cyber-security community has seen state-sponsored hackers from China, North Korea, and Russia use coronavirus lures. These government cyber-spies have been caught sending COVID-19-themed emails to infect victims with malware.

The first state-sponsored hacking group to employ a coronavirus lure was the Hades group, believed to be operating out of Russia and tied to APT28 (Fancy Bear), one of the groups that also hacked the DNC in 2016. According to cyber-security firm QiAnXin, Hades hackers carried out a campaign in mid-February in which they hid a C# backdoor trojan in bait documents containing the latest news regarding COVID-19.

The documents were sent to targets in Ukraine, disguised as emails coming from the Center for Public Health of the Ministry of Health of Ukraine. The targeted emails appear to have been part of a larger disinformation campaign that hit the entire country, on different fronts.

First, while the Hades campaign was under way, a wave of coronavirus-themed spam emails hit the country. Second, the email campaign was followed by a flood of messages on social media claiming the COVID-19 disease had arrived in the country. According to a BuzzFeed News report, one of these emails went viral and, amplified by the wave of social-media scaremongering, led to a general panic and violent riots in parts of the country.

BuzzFeed News reported that in some Ukrainian cities residents blocked hospitals fearing their children could get infected by coronavirus-infected evacuees coming from Ukraine's war-torn eastern region. In this general panic, a few malware-laced emails had a much higher chance of passing undetected and reaching their targets, most of whom were most likely interested in the current events unfolding in the country.

The next country to weaponize COVID-19 for spear-phishing lures was North Korea, at the end of February, although in a campaign that was nowhere near as sophisticated as the one that hit Ukraine.

According to a tweet shared by South Korean cyber-security firm IssueMakersLab, a group of North Korean hackers also hid malware inside documents detailing South Korea's response to the COVID-19 epidemic.

The documents -- believed to have been sent to South Korean officials -- were booby-trapped with BabyShark, a malware strain previously used by a North Korean hacker group known as Kimsuky.

But the largest number of malware campaigns using coronavirus themes came from China, both sent out over the past two weeks, just as China was emerging from its own COVID-19 crisis. The first of the two happened at the start of this month. Vietnamese cyber-security firm VinCSS detected a Chinese state-sponsored hacking group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese Prime Minister.

The attack, also confirmed by CrowdStrike, installed a basic backdoor trojan on the computers of users who downloaded and unzipped the file. The second attack was detailed today by another cyber-security firm. The company said it had been tracking another Chinese group called Vicious Panda that had been targeting Mongolian government organizations with documents claiming to hold information about the prevalence of new coronavirus infections. These attacks from cyber-espionage groups aren't the only ones feeding on the COVID-19 global panic, though.

Regular cybercrime gangs have also been using the same lure for just as long as professional cyber-spies, according to a ZDNet report published last week, citing findings from Fortinet, Sophos, Proofpoint, and others.
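The campaigns above share one shape regardless of who runs them: a COVID-19 subject line, an official-sounding sender (a health ministry, a prime minister's office), and an attachment that is either an archive wrapping an executable (the Mustang Panda RAR) or a macro-capable document (the Hades and Kimsuky bait files). The triage rule below is an added example written for this page; it is not code from the article or from any of the firms it cites. The trusted-domain list, the display-name hints, the scoring weights and the three sample messages are all constructed for illustration, and only ZIP archives are actually unpacked (RAR and 7z are flagged by extension alone, since unpacking them needs external tooling).

```python
"""Triage rule for coronavirus-themed lure mail (added example, constructed data)."""
import io
import os
import re
import zipfile
from dataclasses import dataclass, field

# Subject keywords seen across the campaigns described in the article.
COVID_LURE = re.compile(r"(covid|corona ?virus|ncov|outbreak)", re.I)
EXEC_EXTS = {".exe", ".scr", ".dll", ".js", ".vbs", ".hta", ".lnk", ".bat", ".ps1"}
MACRO_EXTS = {".doc", ".xls", ".docm", ".xlsm", ".rtf"}
ARCHIVE_EXTS = {".zip", ".rar", ".7z"}
# Hypothetical policy: a display name that claims officialdom must come from a trusted domain.
OFFICIAL_HINTS = ("ministry of health", "public health", "prime minister", "world health")
TRUSTED_DOMAINS = {"moz.gov.ua", "chinhphu.vn"}  # assumed allow-list, adjust per organisation


@dataclass
class Attachment:
    name: str
    data: bytes = b""


@dataclass
class Message:
    sender_name: str
    sender_addr: str
    subject: str
    attachments: list = field(default_factory=list)


def archive_members(att):
    """Return member names of a ZIP attachment; other archive types are not unpacked here."""
    if os.path.splitext(att.name)[1].lower() != ".zip":
        return []
    try:
        with zipfile.ZipFile(io.BytesIO(att.data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage(msg):
    """Score a message and list the reasons; a score of 3 or more merits analyst review."""
    score, reasons = 0, []
    if COVID_LURE.search(msg.subject):
        score += 1
        reasons.append("covid-themed subject")
    for att in msg.attachments:
        ext = os.path.splitext(att.name)[1].lower()
        if ext in ARCHIVE_EXTS:
            risky = [m for m in archive_members(att)
                     if os.path.splitext(m)[1].lower() in EXEC_EXTS | MACRO_EXTS]
            if risky:
                score += 2
                reasons.append(f"archive {att.name} wraps {risky}")
            elif ext != ".zip":
                score += 1  # cannot inspect, so flag the container itself
                reasons.append(f"archive {att.name} not inspected ({ext})")
        elif ext in MACRO_EXTS:
            score += 1
            reasons.append(f"macro-capable document {att.name}")
        elif ext in EXEC_EXTS:
            score += 2
            reasons.append(f"executable attachment {att.name}")
    domain = msg.sender_addr.rsplit("@", 1)[-1].lower()
    if any(h in msg.sender_name.lower() for h in OFFICIAL_HINTS) and domain not in TRUSTED_DOMAINS:
        score += 2
        reasons.append(f"official display name from untrusted domain {domain}")
    return score, reasons


def build_zip(inner_name, payload=b"MZ"):
    """Construct an in-memory ZIP holding one member, standing in for a lure archive."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner_name, payload)
    return buf.getvalue()


# Constructed sample messages modelled on the campaigns described above; not real captures.
SAMPLES = [
    Message("Center for Public Health", "info@mail-ua-health.com",
            "Coronavirus: latest cases", [Attachment("covid_update.doc")]),
    Message("Office of the Prime Minister", "pm@gov-vn-notice.net",
            "Notice from the Prime Minister on COVID-19",
            [Attachment("covid.zip", build_zip("covid.exe"))]),
    Message("Alice", "alice@example.org", "Lunch tomorrow?", [Attachment("menu.pdf")]),
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m.subject, "->", triage(m))
```

The rule deliberately scores the combination rather than any single signal: a COVID subject on its own is, in March 2020, the most common legitimate subject line in many inboxes, and an archive on its own is routine. What made these lures work was the pairing of a topical subject with an impersonated authority and a payload container, so that is what the score rewards.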

National Cyber Security Centre has the story.
