Hackers Targeted Chinese Agencies for COVID-19 Intel: Report

COVID-19 , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

FireEye Says APT Group Tied to Vietnam Involved

Hackers Targeted Chinese Agencies for COVID-19 Intel: Report
China’s Ministry of Emergency Management (headquarters picture above) apparently was targeted by hackers with connections to Vietnam

Hackers with suspected ties to Vietnam’s government targeted several Chinese agencies in an attempt to gather intelligence about the country’s response to the COVID-19 outbreak, according to security firm FireEye.

See Also: Role of Deception in the ‘New Normal’

Between January and April, hackers used spear-phishing emails that contained malware to target the China’s Ministry of Emergency Management as well as the government of Wuhan province, where COVID-19 was first identified in December 2019, according to a FireEye report. These phishing campaigns apparently were not successful in exfiltrating data, FireEye notes.

A hacking group known as APT32, or Ocean Lotus, is suspected as being responsible for this cyber espionage campaign to collect data and information about China’s response to the COVID-19 outbreak, the researchers say. They traced a domain used in these phishing attacks to a command-and-control server that APT32 used to deliver malware during a previous campaign in December 2019.

“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict,” according to the report.

APT32, active since at least 2014, has previously launched campaigns against private sector industries and government agencies throughout Southeast Asia (see: Vietnamese APT Group Targets BMW, Hyundai: Report)

On Thursday, a spokesperson for Vietnam’s foreign ministry told Reuters the report of the nation being involved in the hacks is “baseless.” “Vietnam forbids all cyberattacks, which should be denounced and strictly dealt with by law,” the spokesperson says.

Increase in Nation-State Hacking

Threat actors with ties to nation-states are attempting to gather intelligence about the COVID-19 pandemic from governments and others, says Cristiana Kittner, principal analyst at Mandiant Threat Intelligence, a unit of FireEye.

“While targeting of East Asia is consistent with previous activity we’ve reported on with APT32, this incident, and other publicly reported intrusions, are part of a global increase in cyber espionage related to the COVID19 crisis, carried out by states desperately seeking solutions and non-public information,” Kittner tells Information Security Media Group.

Earlier this week, Google’s Threat Analysis Group released a report about nation-state hacking in the wake of the COVID-19 pandemic. Researchers note that at least a dozen advanced persistent threat groups are using the current crisis to target healthcare organizations, governments and others throughout the world.

“Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies,” Google states.

In March, a nation-state group reportedly targeted the World Health Organization using a spear-phishing campaign that was designed to harvest credentials (see: Hackers Targeted World Health Organization).

Latest APT32 Campaign

In their report, the FireEye analysts describe a series of phishing campaigns that targeted Chinese agencies over four months. Some of these messages contained COVID-19 themes, such as the subject line “COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province,” which also included a copy of a New York Times article to entice the targeted victim to open the email.

In one phishing email sent to the China’s Ministry of Emergency Management on Jan. 6, the message contained an embedded link with code that would report back to the hackers if the targeted victim opened the email, according to the FireEye report.

Most of the phishing emails contained an attached malicious document. If opened, the document deployed shellcode that would then attempt to install malware called Metaljack, according to FireEye.

Metaljack is type of backdoor that has been associated with APT32 since 2017, Kittner says. “Metaljack capabilities include – but are not limited to – system survey, process creation, file system interaction, registry modification, RC4 encryption/decryption, loading and writing of additional modules within registry, execute shellcode and modify environmental variables,” he says.