The Coronavirus outbreak has triggered worldwide Cyberattacks from cybercriminals with economic motivation and state-sponsored cyber threat actors operating for cyber espionage. It is estimated that victims will be increasingly targeted with Coronavirus-themed activities, apps, websites and armed documents, reports Cyber Security expert Ersin Çahmutoğlu for GreatGameIndia.
- EXCLUSIVE: Coronavirus Bioweapon – How China Stole Coronavirus From Canada And Weaponized It (watch here Visualizing The Secret History Of Coronavirus)
- Watch the exclusive interview of Bioweapons Expert Dr. Francis Boyle on Coronavirus Biological Warfare blocked by the Deep State
Contents
- 1 Coronavirus Triggers Worldwide Cyberattacks
- 2 Iran – AC19 App
- 3 Israel – NSO Group’s Tracking App
- 4 China – Mustang & Vicious Panda APT Group
- 5 Russia – Hades APT Group
- 6 North Korea – BabyShark APT Group
- 7 Pakistan – APT36 Group
- 8 Coronavirus-Themed Phishing and Scam Activities
- 9 Coronavirus Panic attracts Cyber Threat Actors
It is a known fact that global cyberattacks are getting more intense day by day. Hackers, hacktivists, cyber threat groups, and state-sponsored cyber organizations are taking advantage at every turn. Sometimes their motivation is economical (ransom requests) and sometimes it is for political and intelligence purposes.
While hackers target their victims with ransomware, state-sponsored organizations target their victims for intelligence gathering and surveillance. The fear and panic environment caused by the Coronavirus (COVID-19) epidemic causes these attacks to be successful.
Hackers and hacker groups that carry out operations with financial motivation demand ransom. State-sponsored APT (Advanced Persistent Threat) groups infiltrate critical institutions or private systems with the documents they use as lures.
Iran – AC19 App
Iran has developed a mobile app called AC19 for citizens who think they have been infected with Coronavirus to perform their own tests at home. Citizens who report their identity and location information to the authorities through the app can be tested without going to hospitals.
AC19 in the Google Play store has been removed by Google on suspicion of spying, according to ZDNet news. According to allegations, this app collects Iranian citizens’ identity and location information and uses them for spying purposes. After the Iranians who downloaded the app sent this complaint to Google Play, Google removed this app from the store.
از دادهکاوی اطلاعات ۳ میلیون نفر از مشارکتکنندگان در اپلیکیشن ac19، این نقشهی میزان خطر احتمال ابتلا به #کرونا در مناطق تهران به دست آمد.
رسانه باشید تا دیگران نیز از مخاطرات اطراف خود آگاه شوند. لطفا در خانه بمانید!
#همهباهم برای ایران🇮🇷 pic.twitter.com/5slrA8iDhW— MJ Azari Jahromi (@azarijahromi) March 9, 2020
According to Recorded Future, Coronavirus pandemic was armed by the Iranian government as a way to spread spyware. The Iranian Ministry of Health sent an SMS to victims recommending that they download a special app to track the potential symptoms of COVID-19. The Android app called “Ac19.apk” containing spyware is downloaded to mobile devices through a website created by the Iranian government.
Iranians say the AC19 app developed for Coronavirus detection is suspect and it is not possible to test a virus using the app. It is also believed that the company, Smart Land Solutions (new name Sarzamin Housmand), which developed the app, has developed suspicious apps for the Iranian regime such as Hotgram and Talagram. These apps were also removed from Google Play. It is also claimed that the company and some of its important employees are related to Iranian intelligence services.
Israel – NSO Group’s Tracking App
As for Israel, the situation is not very different. In order to track the spread of the Coronavirus epidemic, the Israeli government is negotiating to track its citizens’ mobile phones. In addition, there are claims that a software has already been developed. The Israeli technology company NSO Group, which has become popular with its spyware (Pegasus) and surveillance technologies, has developed a new product that is said to have the ability to track the spread of Coronavirus.
#Pegasus was created by Israeli #cyber weapons dealer #NSOGroup whose parent company Francisco Partners also owns #CrossMatch contracted by #UIDAI for #Aadhaar. This was revealed by us already in 2017. Took almost 2 years for Indian media to catchup. #RIPhttps://t.co/N3ADEOxRN6
— GreatGameIndia (@GreatGameIndia) October 31, 2019
According to Bloomberg, the software receives mobile phone tracking information from the infected person for two weeks, which is the incubation period of the virus, and then maps them to location data from the operator. This product of NSO is tested just like Israel’s approval of the use of “an counter terrorism tracking technology” to track the movements of Coronavirus patients and the people they encounter. This practice, a controversial step, raises criticism that the privacy of Israeli citizens will be violated.
China – Mustang & Vicious Panda APT Group
State-supported cyber activities of countries such as China, Russia, North Korea are implemented through APT groups. Attacks targeting states, multinational companies and individuals are usually carried out with a malicious document. The contents of such Coronavirus outbreak related malicious documents are remarkable. Documents sent to the target as baits may contain statement such as “important, urgent, alert”.
Mustang Panda APT Group
One of the attacks detected in this context is the attack of the Chinese Mustang Panda APT group. Mustang Panda attracts people’s attention with an expression such as “The latest situation about the Coronavirus incident in your city and the security measures to be taken” regarding the APT group Coronavirus.
Vicious Panda APT Group
Another Chinese-origin attack that is thought to have been caused by APT targeted Mongolia. According to the Check Point study, the Vicious Panda APT group, which is considered to be state-sponsored in China, targeted Mongolian government officials by imitating e-mails from the Mongolian Foreign Ministry. As a result of the analysis of RTF documents written in Mongolian language, malicious activity was detected. The APT group, which attacks various states and organizations around the world, takes advantage of the COVID-19 outbreak. The main purpose of the Vicious Panda group remains the mystery and this threat actor is constantly updating their attack tools.
Russia – Hades APT Group
Another Coronavirus-themed APT attack is known to originate from Russia. The cyber threat group called Hades APT (thought to be linked to APT28) is targeting Ukraine. According to the findings of RedDrip Team, the malicious document imitated as sent from the Ministry of Health Public Health Center of Ukraine opens the back door in the system by triggering the macro code. Researchers believe that a Word document containing malware named COVID-19 was triggered by remote code execution (RCE).
Attacks pretend to be from the Center for Public Health of the Ministry of Health of Ukraine and deliver bait document containing the latest news regarding #COVID-19. A backdoor written in C# gets dropped by malicious macro code to perform remote control.https://t.co/yT0iUZxMji pic.twitter.com/fb2ECmbSKX
— RedDrip Team (@RedDrip7) February 21, 2020
North Korea – BabyShark APT Group
North Korea, which is one of the prominent countries in global ransomware and data theft, also seems to have exploited the Coronavirus outbreak. A Word document identified by a cyber threat investigator named IssueMakersLab is allegedly armed by a North Korean origin BabyShark APT group. The document targeting South Koreans was imitated as if it contained information about South Korea’s reactions and responsibilities against the COVID-19 outbreak.
North Korea's BabyShark malware has been found in the form of document on South Korea's response to COVID-19. pic.twitter.com/yAWuWt6Qkq
— IssueMakersLab (@issuemakerslab) February 27, 2020
Pakistan – APT36 Group
A different actor has recently been added to similar threat actors. RedDrip Team researchers reported that the Pakistani APT36 threat group is using a trap health advisory to spread malware containing a Remote Administration Tool (RAT). According to Malwarebytes researchers, APT36 used a spear-phishing email with a link to a malicious document that seemed to have been prepared from the Indian government in the Coronavirus-themed cyber attack. The malicious document has two hidden macros that drop a RAT variant called Crimson RAT.
Malicious document, pretending to be from the Government of #India with health advisory of Coronavirus, seems delivered by #Transparent Tribe (#ProjectM). Victims are lured to enable macro to execute #Crimson #RAT payload.https://t.co/0DftZL5IxC pic.twitter.com/jTsxA38Ubg
— RedDrip Team (@RedDrip7) March 12, 2020
The APT36 threat group is believed to target embassies and the Indian government as a state-sponsored actor in Pakistan. APT36, which is thought to act according to Pakistan’s military and diplomatic interests, is reported to have carried out cyber espionage operations to collect sensitive information from India. APT36 group is also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis.
Japanese speakers targeted with AZORult Malware
In addition to state-sponsored cyber threat actors and APT groups, hackers and hacker groups exploit the global Coronavirus panic. In February, cyber attackers took advantage of targets’ Coronavirus fears by sending malicious health information emails to Japanese speakers. According to Proofpoint researchers, these Coronavirus-themed attacks target many industries, including almost all manufacturing, industry, finance, transportation, pharmaceutical and cosmetic companies. Accordingly, this specific Coronavirus-themed e-mail campaign has Microsoft Word documents containing malware and installs AZORult, known as a malware that steals information, using a two and a half year vulnerability. The actors behind this campaign are thought to be of Russian and Eastern European origin.
Malicious links disguised as official CDC & WHO
Another global phishing attack that occurred in March was detected by Cofense. The detected emails mimic as if they came from The Centers for Disease Control (CDC) and seem to show the spread of Coronavirus and the current outbreak situation. In addition to this attack campaign, Cofense Intelligence Agent detected a phishing campaign mimicking the World Health Organization (WHO) to deliver the Tesla keylogger. The phishing campaign is designed to arouse fear and curiosity about Coronavirus.
Trickbot spam campaign targeting Italians
Another phishing attack detected by the Sophos company takes place with the Word document targeting the Italians and containing malicious macros. According to Sophos, the actors of the Trickbot spam campaign caused from panic, anxiety and fears that spread across the country after the Coronavirus outbreak in Italy, with spam emails targeting Italian email addresses. Sophos also detected other e-mail campaigns different than malware that produced the same spam e-mails dating back to September of last year. The latest detected attack worries victims about COVID-19 and tries to mobilize them.
TEMP.Armageddon targets Asia
Another campaign using the Coronavirus outbreak and exploiting victims’ emotions was spotted by FireEye. According to Forbes news, a group of Chinese hackers suspected that in late February and early March, malicious documents were sent to targets in Vietnam, Philippines and Taiwan. The documents included recommendations for Coronavirus from official sources, but there were spyware hidden in the documents, and they were stealing data. FireEye also reported that the espionage group named TEMP.Armageddon, which is thought to be of Russian origin, sent Ukrainians a phishing email containing a malicious, Coronavirus-themed document.
In addition to malicious software, cyber threat actors also use websites and apps that contain malicious content in Coronavirus-themed campaigns. In this context, the security and research team from DomainTools has discovered a website that claims to have a real-time Coronavirus outbreak tracer with a mobile app. The application named “Covid19 Tracker App” actually contains ransomware. This Android ransomware, which was discovered for the first time, was named “CovidLock” because of the malware’s capabilities and background story. CovidLock uses techniques to deny access to the victim’s phone by forcing the password used to unlock the phone. When the phone is locked, a ransom note appears on the screen, and the attackers demand $100 ransom to unlock it.
list of corona-related websites including suspected malicious content and scam.. 👉https://t.co/1rbKJ1AtcF
by @dustyfreshi wonder what kind of "dating" they do in coronavirusdating 🙂 #corona #malware #scam pic.twitter.com/4TY9h3xsfM
— Ersin Çahmutoğlu (@ersincmt) March 16, 2020
In addition to these campaigns, it is determined that websites containing malicious content are on the rise. Many of the hundreds of Coronavirus-themed domains are known to infect malware or redirect to different content. Some actors, including cybercriminals, operate on such sites for their own benefit. In order to combat Coronavirus, sales of products such as masks, gloves, disinfectants are also illegally seen on these sites.
The Coronavirus outbreak, which has been going on for about three months, has created an atmosphere of panic and fear all over the world. Cyber criminals and threat actors also want to use this environment of fear and panic for their own benefit. They use their own best-known methods for this.
Malicious websites, apps, documents and e-mail campaigns for phishing purposes are the most used cyber attack methods by cyber threat actors. These global campaigns are detected and reported in various countries. It is predicted that such attacks will increase in the coming days.
It is believed that especially cybercriminals with economic motivation and state-sponsored cyber threat actors operating for cyber espionage will continue their activities during the Coronavirus outbreak. It is estimated that victims will be increasingly targeted with Coronavirus-themed activities, apps, websites and armed documents.
Ersin Çahmutoğlu for GreatGameIndia. Ersin is a Cyber Security Researcher at the Turkish National Defense University. Twitter: @ersincmt. Send in your tips and submissions by filling out this form or write to us directly at the email provided. Join us on WhatsApp for more intel and updates.
For latest updates on the outbreak check out our Coronavirus Coverage.
GreatGameIndia is a journal on Geopolitics and International Relations. Get to know the Geopolitical threats India is facing in our exclusive book India in Cognitive Dissonance. Past magazine issues can be accessed from the Archives section.
Read more on Chinese Biological and Chemical warfare activities against India in our exclusive History of Narco-Terrorism issue.
