A Dozen Nation-Backed APTs Tap COVID-19 to Cover Spy Attacks


Iran’s Charming Kitten and other nation-state actors are using the coronavirus pandemic to their advantage, for espionage.

Cybercriminals have seized on the novel coronavirus as a theme in their attacks, and it turns out that the most sophisticated players on that scene are no exception. According to Google’s Threat Analysis Group (TAG), more than a dozen nation-state-backed APTs are using the COVID-19 pandemic as a cover for their various cyberespionage and malware activities.

Separately, FireEye Mandiant this week pinpointed one such effort, aimed at Chinese government agencies.

Like their financially motivated brethren, these state-backed threat groups are using the coronavirus pandemic as a theme and a lure for spearphishing and other social-engineering efforts. These campaigns are geared towards convincing victims to download booby-trapped files and click on malicious links that ultimately install spyware on victims’ machines.

“Our security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies,” said Shane Huntley, TAG researcher, in a posting on Wednesday.

TAG observed one major campaign attempting to target the personal accounts of U.S. government employees.

“[This was done] with phishing lures using American fast food franchises and COVID-19 messaging,” Huntley said. “Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options.”

If the targets clicked on the links in the emails, they were led to phishing pages that were designed to harvest Google account credentials. From there, attackers could sign into email accounts, Google Docs accounts and more, thereby potentially accessing sensitive information or mounting impersonation campaigns.

Speaking of impersonation, one common tactic in TAG’s current telemetry is the phenomenon of attackers masquerading as officials from public health organizations like the World Health Organization (WHO). One example of this was seen earlier in April, when spearphishing emails designed to spread the LokiBot info-stealing trojan were sent to targets using the WHO trademark as a lure.

Also on the WHO front, Huntley said that Google’s research corroborates the findings reported in March about an espionage attempt on the organization itself. In that case, a malicious site was set up that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, in an attempt to gain a foothold within WHO and steal non-public information regarding vaccine research and the like.

While Fortinet researchers at the time said that the DarkHotel APT group may have been behind the attack, Google’s conclusion was that the efforts were “consistent with the threat actor group often referred to as Charming Kitten.”

Huntley also said that TAG has seen similar activity from a South American APT called Packrat, with emails that linked to a domain spoofing the World Health Organization’s login page.

“These findings show that health organizations, public health agencies and the individuals who work there are becoming new targets as a result of COVID-19,” he wrote. “We’re proactively adding extra security protections, such as higher thresholds for Google Account sign in and recovery, to more than 50,000 of such high-risk accounts.”

Meanwhile, from at least January to April, the Vietnam-linked APT known as APT32 has been attacking China’s Ministry of Emergency Management, as well as the municipal government of Wuhan, in an apparent bid to steal intelligence regarding the country’s COVID-19 response, researchers announced this week.

According to the Wednesday analysis from FireEye Mandiant, the campaign is part of a global increase in nation-state backed cyber-espionage geared at gleaning information on possible health solutions and other nonpublic information.

On Jan. 6, APT32 sent an email purporting to relate to bids for office equipment, to China’s Ministry of Emergency Management. The email had an embedded tracking link, which Mandiant researchers said contained the victim’s email address and a code to report back to the actors if the email was opened.

Other emails using the same tactic also arrived at targets in China’s Wuhan government, as well as to other targets within the Ministry of Emergency Management. These emails claimed to offer news updates on the spread of the coronavirus, according to Mandiant.

In all cases, researchers said the emails delivered the METALJACK loader, which displayed a Chinese-language titled COVID-19 decoy document while launching its espionage payloads.
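The tracking link in the APT32 lures works because it is tied to one recipient: the URL carries the target’s address plus a per-message code, so a single request tells the operator that this mailbox is live and the mail was opened. The following is an added example for this article, not code from Google TAG, Mandiant or the campaign itself; it scans a message body for links that embed the recipient’s address in plain, percent-encoded, base64, hex or hashed form, which is the generic signal a mail gateway or triage script can check for. The sample message, domains and address are constructed for the demo.

```python
"""Flag e-mail links that embed the recipient's address, the pattern behind
the open-tracking links described in the APT32 lures.

Added example for this article, not code from Google TAG, Mandiant or APT32.
The message body, domains and address below are constructed for the demo.
"""
import base64
import hashlib
import re
from urllib.parse import unquote, urlparse

URL_RE = re.compile(r"""https?://[^\s"'<>)]+""")

# Constructed sample: a lure with a hidden tracking pixel (base64 address),
# a "news update" link (percent-encoded address) and a benign reference link.
SAMPLE_BODY = """Dear colleague,
Please find our bid for office equipment attached.
<img src="http://tracker.example/open?u=dmljdGltQG1lbS5leGFtcGxl&c=7f3a" width="1">
Latest updates: https://news.example/covid-update?id=victim%40mem.example
Reference: https://www.who.int/emergencies/diseases/novel-coronavirus-2019
"""


def recipient_forms(recipient):
    """Encodings a tracker commonly uses to tag a link with one recipient.

    Ordered so the most readable match is reported first.
    """
    raw = recipient.strip().lower().encode()
    return [
        ("plain", raw.decode()),
        ("base64", base64.b64encode(raw).decode().rstrip("=")),
        ("base64url", base64.urlsafe_b64encode(raw).decode().rstrip("=")),
        ("hex", raw.hex()),
        ("md5", hashlib.md5(raw).hexdigest()),
        ("sha1", hashlib.sha1(raw).hexdigest()),
        ("sha256", hashlib.sha256(raw).hexdigest()),
    ]


def find_tracking_links(body, recipient):
    """Return [{'url', 'form'}] for every link in body whose host, path or
    query carries the recipient's address, plain or encoded.

    Such a link identifies who opened or clicked it, which is exactly the
    "did the target open it?" signal a reconnaissance mail is after.
    Matching is case-insensitive on purpose: it keeps the check simple at
    the cost of a few extra false positives on base64 needles.
    """
    forms = recipient_forms(recipient)
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        # unquote() folds %40 back into @ so percent-encoded addresses match
        haystack = unquote(parsed.netloc + parsed.path + "?" + parsed.query).lower()
        for label, needle in forms:
            if needle.lower() in haystack:
                hits.append({"url": url, "form": label})
                break
    return hits


if __name__ == "__main__":
    for hit in find_tracking_links(SAMPLE_BODY, "victim@mem.example"):
        print(f"{hit['form']:<9} {hit['url']}")
```

Run against the sample, the tracking pixel is reported as a base64 match and the “news update” link as a plain match, while the WHO reference link is left alone. The per-message code (`c=7f3a` in the sample) cannot be matched generically, so the recipient address is the reliable handle; in practice the check runs with the envelope recipient of each delivered message, and a hit on an image source or a link with an otherwise opaque query string is worth holding for review.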

Interestingly, TAG found that the general rate of APT attacks has stayed steady through the crisis – it’s just that their tactics have changed in order to take advantage of the surging interest in anything having to do with COVID-19. This is consistent with cyberthreat trends overall.

“In fact, we saw a slight decrease in overall [attack] volumes in March compared to January and February,” Huntley said. “While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.”

As the worldwide COVID-19 pandemic continues to play out, using the coronavirus as a theme has become the go-to tactic for cybercriminals of all stripes. TAG is detecting 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages, according to the analysis. Another such campaign was distributing a new variant of the HawkEye keylogging malware using spam that purported to be an “alert” from WHO Director-General Tedros Adhanom Ghebreyesus.

The results dovetail with other findings this week from Forcepoint analyzing coronavirus-themed attacks between Jan. 19 and April 18. The firm found that cyberattackers in general have reached a peak of sending 1.5 million malicious emails per day related to the COVID-19 pandemic.
