
Published on March 13th, 2020


State-sponsored hackers are now using coronavirus to infect targets



Government-sponsored hacking groups from China, North Korea and Russia are not letting the global pandemic go to waste and have begun to use coronavirus-based phishing attacks as part of their efforts to infect victims with malware and gain access to their infrastructure.

In recent weeks, the cybersecurity community has seen state-sponsored hackers from China, North Korea and Russia try these tactics.

The use of a COVID-19 (coronavirus) lure is no surprise to those who have followed the information security (infosec) industry closely.

Cyber spies have not missed a national tragedy or disaster. From the Paris terrorist attack of November 2015 to the oppression of the Uyghur population in China, state-sponsored groups have always crafted their emails to achieve maximum results at any given time, and, historically, tragic events have always presented the best lures.

Russia

The first state-sponsored hacking group to use a coronavirus lure was the Hades group, believed to be operating out of Russia and tied to APT28 (Fancy Bear), one of the groups that also hacked the DNC in 2016.

According to cybersecurity firm QiAnXin, Hades hackers launched a campaign in mid-February in which they hid a C# backdoor trojan in bait documents containing the latest news about COVID-19.

The documents were sent to Ukrainian targets, disguised as emails from the Ministry of Health of Ukraine’s Public Health Center.

It seems that targeted emails were part of a larger misinformation campaign that affected the entire country, on different fronts.

First, at the same time as Hades was targeting its victims, a wave of spam emails about the coronavirus reached the country. Second, the email campaign was followed by an avalanche of messages on social media stating that COVID-19 had reached the country.

According to a report by BuzzFeed News, one of those emails went viral and, backed by the wave of social media messages, triggered widespread panic and rioting in some parts of the country.

BuzzFeed News reported that in some cities in Ukraine, residents blocked hospitals, fearing their children could be infected by coronavirus-infected evacuees from the war-torn eastern region of Ukraine.

In this panic, malware-laced emails had a much higher chance of passing undetected and reaching their targets, most of whom were very interested in current events in the country.





North Korea

The next country to weaponize COVID-19 for phishing lures was North Korea, at the end of February, although in a campaign not as sophisticated as the one that struck Ukraine.

According to a tweet shared by South Korean cybersecurity firm IssueMakersLab, a group of North Korean hackers also hid malicious software inside documents detailing South Korea’s response to the COVID-19 epidemic.

The documents, believed to have been sent to South Korean officials, were packaged with BabyShark, a malware strain previously used by a North Korean hacking group known as Kimsuky.

China

But most malware campaigns using coronavirus themes came from China, and were sent in the last two weeks, just as China was coming out of its own COVID-19 crisis.

The first of the two happened earlier this month. Vietnamese cybersecurity firm VinCSS detected a Chinese state-sponsored hacking group (codenamed Mustang Panda) spreading emails with a RAR file attachment purporting to carry a message about the coronavirus outbreak from the Vietnamese prime minister.

The attack, also confirmed by CrowdStrike, installed a basic backdoor trojan on the computers of users who downloaded and decompressed the file.

You don’t know about IRGC, but MUSTANG PANDA is in the grind COVID-19: https://t.co/Uxjasy0knz

Rule #7 in the Target Intrusion Games Notebook – Pandemics make great material to attract

– Matt Dahl (@voodoodahl1) March 6, 2020

The second attack was detailed today by the cybersecurity firm. The company said it had tracked another Chinese group, called Vicious Panda, that had been targeting Mongolian government organizations with documents claiming to have information about the prevalence of new coronavirus infections.

These spy-group attacks are not the only ones fueling the global COVID-19 panic.

Regular cybercrime gangs have also been using the same lure for as long as the professional cyber spies, according to a report by ZDNet published last week, citing findings from Fortinet, Sophos, Proofpoint and others.
