Coronavirus Triggers Worldwide Cyberattacks

The Coronavirus outbreak has triggered worldwide Cyberattacks from cybercriminals with economic motivation and state-sponsored cyber threat actors operating for cyber espionage. It is estimated that victims will be increasingly targeted with Coronavirus-themed activities, apps, websites and armed documents, reports Cyber Security expert Ersin Çahmutoğlu for GreatGameIndia.

Coronavirus Triggers Cyber Espionage Operations Worldwide
Coronavirus Triggers Worldwide Cyberattacks

Coronavirus Triggers Worldwide Cyberattacks

It is a known fact that global cyberattacks are getting more intense day by day. Hackers, hacktivists, cyber threat groups, and state-sponsored cyber organizations are taking advantage at every turn. Sometimes their motivation is economical (ransom requests) and sometimes it is for political and intelligence purposes.

While hackers target their victims with ransomware, state-sponsored organizations target their victims for intelligence gathering and surveillance. The fear and panic environment caused by the Coronavirus (COVID-19) epidemic causes these attacks to be successful.

Hackers and hacker groups that carry out operations with financial motivation demand ransom. State-sponsored APT (Advanced Persistent Threat) groups infiltrate critical institutions or private systems with the documents they use as lures.

Iran – AC19 App

Iran has developed a mobile app called AC19 for citizens who think they have been infected with Coronavirus to perform their own tests at home. Citizens who report their identity and location information to the authorities through the app can be tested without going to hospitals.

[jetpack_subscription_form title="Subscribe to GreatGameIndia" subscribe_text="Enter your email address to subscribe to GGI and receive notifications of new posts by email."]

AC19 in the Google Play store has been removed by Google on suspicion of spying, according to ZDNet news. According to allegations, this app collects Iranian citizens’ identity and location information and uses them for spying purposes. After the Iranians who downloaded the app sent this complaint to Google Play, Google removed this app from the store.

According to Recorded Future, Coronavirus pandemic was armed by the Iranian government as a way to spread spyware. The Iranian Ministry of Health sent an SMS to victims recommending that they download a special app to track the potential symptoms of COVID-19. The Android app called “Ac19.apk” containing spyware is downloaded to mobile devices through a website created by the Iranian government.

Cyberattacks using Coronavirus
Cyberattacks using Coronavirus. Timeline by Recorded Future

Iranians say the AC19 app developed for Coronavirus detection is suspect and it is not possible to test a virus using the app. It is also believed that the company, Smart Land Solutions (new name Sarzamin Housmand), which developed the app, has developed suspicious apps for the Iranian regime such as Hotgram and Talagram. These apps were also removed from Google Play. It is also claimed that the company and some of its important employees are related to Iranian intelligence services.

Israel – NSO Group’s Tracking App

As for Israel, the situation is not very different. In order to track the spread of the Coronavirus epidemic, the Israeli government is negotiating to track its citizens’ mobile phones. In addition, there are claims that a software has already been developed. The Israeli technology company NSO Group, which has become popular with its spyware (Pegasus) and surveillance technologies, has developed a new product that is said to have the ability to track the spread of Coronavirus.

According to Bloomberg, the software receives mobile phone tracking information from the infected person for two weeks, which is the incubation period of the virus, and then maps them to location data from the operator. This product of NSO is tested just like Israel’s approval of the use of “an counter terrorism tracking technology” to track the movements of Coronavirus patients and the people they encounter. This practice, a controversial step, raises criticism that the privacy of Israeli citizens will be violated.

China – Mustang & Vicious Panda APT Group

State-supported cyber activities of countries such as China, Russia, North Korea are implemented through APT groups. Attacks targeting states, multinational companies and individuals are usually carried out with a malicious document. The contents of such Coronavirus outbreak related malicious documents are remarkable. Documents sent to the target as baits may contain statement such as “important, urgent, alert”.

Mustang Panda APT Group

One of the attacks detected in this context is the attack of the Chinese Mustang Panda APT group. Mustang Panda attracts people’s attention with an expression such as “The latest situation about the Coronavirus incident in your city and the security measures to be taken” regarding the APT group Coronavirus.

Information about the prevalence of new Coronavirus infections
Information about the prevalence of new Coronavirus infections. Check Point Research

Vicious Panda APT Group

Another Chinese-origin attack that is thought to have been caused by APT targeted Mongolia. According to the Check Point study, the Vicious Panda APT group, which is considered to be state-sponsored in China, targeted Mongolian government officials by imitating e-mails from the Mongolian Foreign Ministry. As a result of the analysis of RTF documents written in Mongolian language, malicious activity was detected. The APT group, which attacks various states and organizations around the world, takes advantage of the COVID-19 outbreak. The main purpose of the Vicious Panda group remains the mystery and this threat actor is constantly updating their attack tools.

Russia – Hades APT Group

Another Coronavirus-themed APT attack is known to originate from Russia. The cyber threat group called Hades APT (thought to be linked to APT28) is targeting Ukraine. According to the findings of RedDrip Team, the malicious document imitated as sent from the Ministry of Health Public Health Center of Ukraine opens the back door in the system by triggering the macro code. Researchers believe that a Word document containing malware named COVID-19 was triggered by remote code execution (RCE).

North Korea – BabyShark APT Group

North Korea, which is one of the prominent countries in global ransomware and data theft, also seems to have exploited the Coronavirus outbreak. A Word document identified by a cyber threat investigator named IssueMakersLab is allegedly armed by a North Korean origin BabyShark APT group. The document targeting South Koreans was imitated as if it contained information about South Korea’s reactions and responsibilities against the COVID-19 outbreak.

Pakistan – APT36 Group

A different actor has recently been added to similar threat actors. RedDrip Team researchers reported that the Pakistani APT36 threat group is using a trap health advisory to spread malware containing a Remote Administration Tool (RAT). According to Malwarebytes researchers, APT36 used a spear-phishing email with a link to a malicious document that seemed to have been prepared from the Indian government in the Coronavirus-themed cyber attack. The malicious document has two hidden macros that drop a RAT variant called Crimson RAT.

The APT36 threat group is believed to target embassies and the Indian government as a state-sponsored actor in Pakistan. APT36, which is thought to act according to Pakistan’s military and diplomatic interests, is reported to have carried out cyber espionage operations to collect sensitive information from India. APT36 group is also known as Transparent Tribe, ProjectM, Mythic Leopard and TEMP.Lapis.

Coronavirus-Themed Phishing and Scam Activities

Japanese speakers targeted with AZORult Malware

Coronavirus-theme Shipping Industry Lure
Coronavirus-theme Shipping Industry Lure. ProofPoint

In addition to state-sponsored cyber threat actors and APT groups, hackers and hacker groups exploit the global Coronavirus panic. In February, cyber attackers took advantage of targets’ Coronavirus fears by sending malicious health information emails to Japanese speakers. According to Proofpoint researchers, these Coronavirus-themed attacks target many industries, including almost all manufacturing, industry, finance, transportation, pharmaceutical and cosmetic companies. Accordingly, this specific Coronavirus-themed e-mail campaign has Microsoft Word documents containing malware and installs AZORult, known as a malware that steals information, using a two and a half year vulnerability. The actors behind this campaign are thought to be of Russian and Eastern European origin.

Malicious links disguised as official CDC & WHO

Coronavirus-theme Shipping Industry Lure
Coronavirus Phishing Email with malicious link disguised as from CDC. Cofense

Another global phishing attack that occurred in March was detected by Cofense. The detected emails mimic as if they came from The Centers for Disease Control (CDC) and seem to show the spread of Coronavirus and the current outbreak situation. In addition to this attack campaign, Cofense Intelligence Agent detected a phishing campaign mimicking the World Health Organization (WHO) to deliver the Tesla keylogger. The phishing campaign is designed to arouse fear and curiosity about Coronavirus.

Trickbot spam campaign targeting Italians

Trickbot spam campaign targeting Italians
Incidents of messages sent by the spambot behind the Trickbot campaign over the past six months caught by SophosLabs spam traps.

Another phishing attack detected by the Sophos company takes place with the Word document targeting the Italians and containing malicious macros. According to Sophos, the actors of the Trickbot spam campaign caused from panic, anxiety and fears that spread across the country after the Coronavirus outbreak in Italy, with spam emails targeting Italian email addresses. Sophos also detected other e-mail campaigns different than malware that produced the same spam e-mails dating back to September of last year. The latest detected attack worries victims about COVID-19 and tries to mobilize them.

TEMP.Armageddon targets Asia

A criminal phishing email seeking to take advantage of the coronavirus pandemic. FIREEYE
A criminal phishing email seeking to take advantage of the coronavirus pandemic. FIREEYE

Another campaign using the Coronavirus outbreak and exploiting victims’ emotions was spotted by FireEye. According to Forbes news, a group of Chinese hackers suspected that in late February and early March, malicious documents were sent to targets in Vietnam, Philippines and Taiwan. The documents included recommendations for Coronavirus from official sources, but there were spyware hidden in the documents, and they were stealing data. FireEye also reported that the espionage group named TEMP.Armageddon, which is thought to be of Russian origin, sent Ukrainians a phishing email containing a malicious, Coronavirus-themed document.

CovidLock – Malicious Coronavirus Tracker App with Ransomware

CovidLock - Malicious Coronavirus Tracker App with Ransomware
CovidLock – Malicious Coronavirus Tracker App with Ransomware

In addition to malicious software, cyber threat actors also use websites and apps that contain malicious content in Coronavirus-themed campaigns. In this context, the security and research team from DomainTools has discovered a website that claims to have a real-time Coronavirus outbreak tracer with a mobile app. The application named “Covid19 Tracker App” actually contains ransomware. This Android ransomware, which was discovered for the first time, was named “CovidLock” because of the malware’s capabilities and background story. CovidLock uses techniques to deny access to the victim’s phone by forcing the password used to unlock the phone. When the phone is locked, a ransom note appears on the screen, and the attackers demand $100 ransom to unlock it.

Coronavirus-themed malicious domains

In addition to these campaigns, it is determined that websites containing malicious content are on the rise. Many of the hundreds of Coronavirus-themed domains are known to infect malware or redirect to different content. Some actors, including cybercriminals, operate on such sites for their own benefit. In order to combat Coronavirus, sales of products such as masks, gloves, disinfectants are also illegally seen on these sites.

Coronavirus Panic attracts Cyber ​​Threat Actors

The Coronavirus outbreak, which has been going on for about three months, has created an atmosphere of panic and fear all over the world. Cyber ​​criminals and threat actors also want to use this environment of fear and panic for their own benefit. They use their own best-known methods for this.

Malicious websites, apps, documents and e-mail campaigns for phishing purposes are the most used cyber attack methods by cyber threat actors. These global campaigns are detected and reported in various countries. It is predicted that such attacks will increase in the coming days.

It is believed that especially cybercriminals with economic motivation and state-sponsored cyber threat actors operating for cyber espionage will continue their activities during the Coronavirus outbreak. It is estimated that victims will be increasingly targeted with Coronavirus-themed activities, apps, websites and armed documents.

Ersin Çahmutoğlu for GreatGameIndia. Ersin is a Cyber Security Researcher at the Turkish National Defense University. Twitter: @ersincmt. Send in your tips and submissions by filling out this form or write to us directly at the email provided. Join us on WhatsApp for more intel and updates.

For latest updates on the outbreak check out our Coronavirus Coverage.

GreatGameIndia is a journal on Geopolitics and International Relations. Get to know the Geopolitical threats India is facing in our exclusive book India in Cognitive Dissonance. Past magazine issues can be accessed from the Archives section.

Read more on Chinese Biological and Chemical warfare activities against India in our exclusive History of Narco-Terrorism issue.

GreatGameIndia is being actively targeted by powerful forces who do not wish us to survive. Your contribution, however small help us keep afloat. We accept voluntary payment for the content available for free on this website via UPI, PayPal and Bitcoin.

Support GreatGameIndia


Leave a Reply