State-sponsored hackers are launching Coronavirus-themed attacks

In the last weeks, security experts reported many Coronavirus-themed attacks carried out by cybercrime gangs, now experts warn of similar attacks from nation–state actors.

Recently security experts reported many Coronavirus-themed attacks carried out by cybercrime gangs, but now experts are warning of similar attacks launched by nation-state actors.

State-sponsored hackers from Russia, China, and North Korea never stop their activities and seems to be exploiting the interest in the Coronavirus (COVID-19) outbreak to spread malware.

Since the end of February, North Korea-linked hackers was observed launching Coronavirus-themed attacks against other states.

Experts from security firm IssueMakersLab uncovered a malware campaign launched by North Korean hackers that used documents detailing South Korea’s response to the COVID-19 epidemic as a lure.

The hackers used documents boobytrapped with BabyShark, a malware that employed in campaigns carried out by the North Korea-linked APT tracked as Kimsuky.

China-linked hackers are also attempting to exploit the interest in the Coronavirus outbreak as documented by Vietnamese cyber-security firm VinCSS.

Researchers uncovered attacks carried out by a China-linked APT group tracked as Mustang Panda that in the past targeted Mongolian-based MIAT Airlines, the non-profit China Center (China-Zentrum e.V.), and countries including but not limited to Germany, Mongolia, Myanmar (Burma), Pakistan, Vietnam.

According to VinCSS experts, the APT group employed spear-phishing messages using a RAR file attachment purporting including information about the Coronavirus outbreak from the Vietnamese Prime Minister.

“We recently recorded a malicious code (suspected from Mustang Panda group) that faked the directives of Prime Minister Nguyen Xuan Phuc on preventing COVID-19.In this article we will analyze the method an attacker uses to infect a user’s computer.” reads the analysis published by VinCSS.

Security experts from CheckPoint also tracked a Coronavirus-themed campaign attributed to a China-linked APT group tracked as Vicious Panda.

The state-sponsored hackers were targeting Mongolian government organizations with spear-phishing messages using documents claiming to contain information about the prevalence of new Coronavirus infections.

“Check Point Research discovered a new campaign against the Mongolian public sector, which takes advantage of the current Coronavirus scare, in order to deliver a previously unknown malware implant to the target.” reads the analysis published by the CheckPoint experts.

“A closer look at this campaign allowed us to tie it to other operations which were carried out by the same anonymous group, dating back to at least 2016. Over the years, these operations targeted different sectors in multiple countries, such as Ukraine, Russia, and Belarus.”

Let’s close with a mention to Russia-linked APT groups exploiting Coronavirus as bait for the attacks.

Experts from cyber-security firm QiAnXin Technology uncovered a campaign targeting individuals in Ukraine using emails pretending to be from the Center for Public Health of the Ministry of Health of Ukraine.

The experts believe that the group behind the attack is the Hades APT, a Russian cyberespionage group linked to the APT28 nation-state group.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, coronavirus)

[adrotate banner=”5″]

[adrotate banner=”13″]