As we wrote in a previous post, the current pandemic is also an excellent source of cyber attacks. However, it is not only profit-making that drives these operations: the political and ideological motivation is at least as important as monetization. For groups with a state background (which have almost unlimited financial, material and human resources at their disposal), another phenomenon has emerged at the global level, one affecting most people (in this case, everyone). Our hunger for information has risen to new heights (understandably), since we need to consult multiple sources carefully to be able to make responsible choices.
We know for sure
- Sandworm and Fancy Bear: Russia
QiAnXin found Russian hackers, most probably affiliated with the groups Sandworm and Fancy Bear, sending Ukrainian targets phishing emails with malicious document attachments. The emails, which claimed to come from Ukraine’s Center for Public Health of the Ministry of Health, were part of a larger disinformation campaign intended to stir fear about COVID-19 in Ukraine, which resulted in riots.
- TwoSail Junk: most probably China
The campaign leverages vulnerabilities present in iOS 12.1 and 12.2 (affected models range from the iPhone 6 to the iPhone X). It uses fake links posted on multiple forums, targeting mostly Hong Kong residents, which claim to lead to various news stories, mainly about the ongoing COVID-19 pandemic.
Kaspersky named the APT group “TwoSail Junk” and found evidence linking it to the previously reported Spring Dragon group (alias Lotus Blossom/Billbug/Thrip), known for its Lotus Elise and Evora malware.
- APT36: Pakistan
A spear-phishing campaign by the Pakistani government-sponsored Mythic Leopard group (APT36) has been targeting Indian defense, foreign missions and government infrastructure. It has been using a coronavirus health advice document as the lure to deliver the Crimson Remote Administration Tool (RAT) to the target machine.
- Babyshark malware: most probably North Korean group(s)
Unit 42 identified a phishing campaign targeting a university in the United States that was due to hold a conference on the North Korea denuclearization issue, along with a U.S.-based research institute serving as a think tank for national security issues, where an expert from the aforementioned conference currently works.
Analysis of BabyShark uncovered connections to other suspected North Korean hacking campaigns (KimJongRAT, Stolen Pencil), as it is signed with the same stolen code-signing certificate used in the above-mentioned campaigns.
North Korean hackers were also spotted targeting South Korea with phishing attacks at the end of February: a malware campaign using documents about South Korea’s response to the COVID-19 outbreak to deliver the BabyShark malware to the machines of unsuspecting (and irresponsible) victims.
For more information on nation-backed hackers, click here.