Hackers Use Coronavirus Scare To Attack Government Systems

Matthew Broersma,
coronavirus Image credit: World Health Organisation

Attack groups make use of chaos around coronavirus to target organisations in Mongolia, South Korea, Ukraine, Vietnam and elsewhere

Attackers have begun targeting government agencies, apparently for espionage purposes, using the spread of the novel coronavirus and Covid-19 as a lure, researchers have found.

Check Point Research said it has discovered an unknown threat actor targeting the Mongolian public sector, using documents that supposedly provide information about the prevalence of new coronavirus infections.

The documents, one of which was supposedly sent by the Mongolian Ministry of Foreign Affairs, exploit a vulnerability in Microsoft Word to implant previously unknown malware into recipients’ computer systems, Check Point said in an advisory.

The “Vicious Panda” attack, as Check Point calls it, attempts to take remote control of systems and steal documents.

coronavirus Image credit: World Health Organisation
Image credit: World Health Organisation

Espionage

The malware tries to establish remote control functionality as well as the ability to take screenshots of the system and send them back to a control server, Check Point said.

The attack group remains anonymous, but Check Point said it appears to be based in China and has been operating since at least 2016.

The company linked the attack group to incidents across various sectors in countries including the Ukraine, Russia, and Belarus.

“The full intention of this Chinese APT group is still a mystery, but it is clear they are here to stay and will update their tools and do whatever it takes to attract new victims to their network,” Check Point said.

State-backed attacks

Separately, security firms including CrowdStrike and Vietnam’s VinCSS said a Chinese state-backed group known as Mustang Panda was using coronavirus-themed documents to spread malware in Vietnam.

Russian state-backed group Hades is believed to be behind a coronavirus-themed malware campaign in the Ukraine in mid-February, according to security group QiAnXin.

A North Korean group also used the coronavirus scare to spread malware in South Korea in late February, according to South Korea’s IssueMakersLab.

Those campaigns are in addition to numerous scams that have used the coronavirus outbreak and Covid-19 to carry out phishing attacks against individuals.