Spies – as well as cybercriminals – go phishing
Vietnamese cyber-spies are allegedly targeting Chinese government agencies in an attempt to uncover intel on the coronavirus.
As part of an ongoing campaign that began in January, the Vietnamese threat group APT32 carried out intrusion attempts against Chinese targets in order to collect intelligence on the Covid-19 crisis, according to security researchers at FireEye Mandiant.
Chinese-language spear-phishing messages were sent by the group to China’s Ministry of Emergency Management as well as the government of Hubei province, where Covid-19 was first identified.
“APT32 likely used Covid-19-themed malicious attachments against Chinese speaking targets,” FireEye Mandiant explains in a blog post.
“While we have not uncovered the full execution chain, we uncovered a METALJACK loader displaying a Chinese language titled Covid-19 decoy document while launching its payload.”
APT32 – also known as ‘OceanLotus Group’ – has previously been linked to intrusions into private sector companies across multiple industries.
In addition to conducting targeted operations that are aligned to the foreign policy and commercial interests of the Vietnamese state, the group is also said to have targeted foreign governments, dissidents, and journalists.
The latest campaign against China uses a command-and-control domain that was also seen in a phishing campaign likely targeting Southeast Asian countries, which has likewise been attributed to APT32.
Vietnam is far from alone in resorting to cyber-espionage in attempts to gain intel from non-public information on the spread of coronavirus and potential treatments for Covid-19.
Last month, threat intelligence firm Recorded Future warned about the increasing use of Covid-19-themed phishing lures and newly registered Covid-19-related domains as part of cyber-attacks.
Covid-19 has been primarily used by cybercriminals as a theme for phishing lures, but nation states are suspected in at least three cases cited by Recorded Future.
The attacks are not especially technically sophisticated. They generally involve emails with attachments that purport to contain information about Covid-19 but actually carry malware.
“Recorded Future observed an extensive list of actors and malware employing these techniques, including Trickbot, Lokibot, and Agent Tesla, targeting a broad set of victims, including those in the US, Italy, Ukraine, and Iran in particular,” Recorded Future reports.
“Threat actors have also endeavored to gain the trust of victims using branding associated with the US Centers for Disease Control and Prevention and the World Health Organization, as well as country-specific health agencies such as the Public Health Center of the Ministry of Health of Ukraine and China’s Ministry of Health, and companies such as FedEx,” it adds.
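The lure pattern described above combines three weak signals: a Covid-19 theme in the subject or attachment name, a display name that borrows a trusted brand (WHO, CDC, FedEx) while the sending domain belongs to someone else, and a sending domain that was registered only days earlier. The following triage script is an added example written for this page, not code from FireEye, Recorded Future or any of the actors named; it scores constructed sample emails against those signals. The brand-to-domain mapping and the domain registration dates are assumptions standing in for a WHOIS or passive-DNS lookup, and the sample messages are constructed for illustration.

```python
import email
import re
from datetime import date, timedelta
from email import policy
from email.utils import parseaddr

# Assumed mapping of impersonated brands to the domains the real organisation
# sends from. Acronyms are matched case-sensitively so that the word "who" in an
# ordinary display name does not trigger the rule.
BRANDS = [
    # (pattern, case_sensitive, legitimate sending domains)
    (r"world health organi[sz]ation", False, {"who.int"}),
    (r"\bWHO\b", True, {"who.int"}),
    (r"centers for disease control", False, {"cdc.gov"}),
    (r"\bCDC\b", True, {"cdc.gov"}),
    (r"\bfedex\b", False, {"fedex.com"}),
]

COVID_TERMS = re.compile(r"covid|coronavirus|corona|ncov|wuhan|pandemic", re.I)
RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".jar", ".docm", ".xlsm", ".iso", ".lnk"}

# Constructed stand-in for a WHOIS / passive-DNS lookup: domain -> registration date.
DOMAIN_REGISTERED = {
    "who-covid19-alerts.com": date(2020, 3, 2),
    "who.int": date(1998, 1, 1),
}
DEFAULT_TODAY = date(2020, 3, 20)  # fixed "now" so the example is reproducible


def sender_parts(from_header):
    """Return (display name, lower-cased domain) from a From: header."""
    name, addr = parseaddr(str(from_header))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    return name, domain


def brand_mismatch(display_name, domain):
    """Return the brand text found in the display name if the sending domain
    is not one the brand legitimately uses, else None."""
    for pattern, case_sensitive, legit in BRANDS:
        m = re.search(pattern, display_name, 0 if case_sensitive else re.I)
        if m and not any(domain == d or domain.endswith("." + d) for d in legit):
            return m.group(0)
    return None


def domain_is_new(domain, today, max_age_days=30):
    """True if the domain is known and was registered within max_age_days."""
    registered = DOMAIN_REGISTERED.get(domain)
    return registered is not None and (today - registered) <= timedelta(days=max_age_days)


def score_message(raw, today=DEFAULT_TODAY):
    """Score a raw RFC 822 message; returns (indicator count, list of reasons)."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []
    name, domain = sender_parts(msg.get("From", ""))
    subject = str(msg.get("Subject", ""))
    attachments = [p.get_filename() for p in msg.iter_attachments() if p.get_filename()]

    if COVID_TERMS.search(subject) or any(COVID_TERMS.search(a) for a in attachments):
        reasons.append("covid_lure")
    brand = brand_mismatch(name, domain)
    if brand:
        reasons.append(f"brand_mismatch:{brand}")
    if domain_is_new(domain, today):
        reasons.append("new_domain")
    for a in attachments:
        ext = "." + a.rsplit(".", 1)[-1].lower() if "." in a else ""
        if ext in RISKY_EXT:
            reasons.append(f"risky_attachment:{a}")
    return len(reasons), reasons


# Constructed sample messages (not real captures).
PHISH = """\
From: "WHO Outbreak Team" <alerts@who-covid19-alerts.com>
To: victim@example.org
Subject: Urgent: COVID-19 safety measures
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please review the attached guidance.
--b1
Content-Type: application/octet-stream; name="COVID-19_guidance.docm"
Content-Disposition: attachment; filename="COVID-19_guidance.docm"
Content-Transfer-Encoding: base64

AAAA
--b1--
"""

LEGIT = """\
From: "WHO Newsletter" <newsletter@who.int>
To: victim@example.org
Subject: COVID-19 situation report 60
Content-Type: text/plain

See the report at the usual location.
"""

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("legit", LEGIT)):
        print(label, score_message(raw))
```

A Covid-19 theme on its own is not an indicator, since genuine health-agency mail carried the same words; the constructed legitimate message scores only that one signal, while the lure collects four. In practice the registration-date table would be replaced by a live WHOIS or passive-DNS source, and the flagging threshold tuned against the organisation's own mail.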