Advanced Persistent Threats (APTs) Targeting the Chinese Government to Steal COVID-19 Secrets

APT32 targets China

• APT32, also called OceanLotus Group, is known for its sophisticated attacks on private companies, foreign governments, journalists, and activists alike.
• APT32 tried to hack into the personal and professional email accounts of staff at China’s Ministry of Emergency Management and the government of Wuhan.
• The campaign started on January 6, 2020, when APT32 sent an email with an embedded tracking link, infecting the victims with the METALJACK loader. This malware, if successfully deployed, could provide illicit access to victims’ computers.

The China-Vietnam Conflict

• China and Vietnam are already known to be having a contentious relationship for the past several years.
• In July 2016, Chinese groups hacked into Vietnam’s airports and leaked Vietnam Airlines’ database of frequent flyers, in order to counter Vietnam’s claims to the disputed South China Sea.
• In 2017, Vietnam started strengthening its cyber warfare capabilities, with the formation of APT32, which targeted ASEAN’s website during the 2017 annual summit,  as well as targeting websites of ministries or government agencies in Cambodia, Lao PDR and the Philippines.
• As of now, China has been a vigilant target of Vietnam’s cyber-espionage operations.

What could APT32 be looking for now

• One of the most prominent lures for hackers could be China's medical technology and virus-control measures, which they used to contain the spread of coronavirus, as well as the actual number for corona-infected people in China.
• Also, since Vietnam is a neighboring country to China, the epidemic could be easily expected to be impacting them. So it could be an attempt to find out what exactly is going inside China about this epidemic.

They are not the only ones

• In March 2020, state-sponsored hacker DarkHotel had launched a massive hacking operation aimed at Chinese government agencies and their employees.
• In February 2020, an Advanced Persistent Threat (APT) from India was allegedly found attempting to attack the Chinese medical organizations through a phishing scheme sent via email.

Who was targeted

• The attack timing coincides with the duration when Chinese governments and corporations had asked their employees (including government officials) to work from home to prevent the spread of the novel coronavirus.
• The cybercriminal group targeted domestic Chinese agencies, as well as diplomatic missions in countries including Italy, the UK, North Korea, and Thailand.
• More than 200 VPN servers were compromised, and Chinese institutions and agencies in Beijing and Shanghai were under attack