Advanced Persistent Threats (APTs) Targeting the Chinese Government to Steal COVID-19 Secrets

Recently, the Vietnam-linked hacker group APT32 was seen targeting China-based organizations, apparently in search of confidential data about the new disease and ways to combat it. It is not the first APT group to do so: several other cybercriminal groups, including state-sponsored APTs, have been trying to extract whatever details they can from China, which allows no sensitive information to flow outside its so-called Great Firewall.

APT32 targets China

  • APT32, also called OceanLotus Group, is known for its sophisticated attacks on private companies, foreign governments, journalists, and activists alike.
  • APT32 tried to hack into the personal and professional email accounts of staff at China’s Ministry of Emergency Management and the government of Wuhan.
  • The campaign started on January 6, 2020, when APT32 sent an email with an embedded tracking link, infecting the victims with the METALJACK loader. This malware, if successfully deployed, could provide illicit access to victims’ computers.

The China-Vietnam Conflict

  • China and Vietnam have had a contentious relationship for the past several years.
  • In July 2016, Chinese groups hacked into Vietnam’s airports and leaked Vietnam Airlines’ database of frequent flyers, in order to counter Vietnam’s claims to the disputed South China Sea.
  • In 2017, Vietnam started strengthening its cyber warfare capabilities with the formation of APT32, which targeted ASEAN’s website during the 2017 annual summit, as well as websites of ministries and government agencies in Cambodia, Lao PDR and the Philippines.
  • As of now, China has been a regular target of Vietnam’s cyber-espionage operations.

What could APT32 be looking for now

Several explanations have been offered for these attacks:
  • One of the most prominent lures could be China's medical technology and the virus-control measures it used to contain the spread of the coronavirus, as well as the actual number of infected people in China.
  • Also, as a neighbor of China, Vietnam could expect to be affected by the epidemic, so the campaign may be an attempt to find out what exactly is going on inside China regarding the outbreak.

They are not the only ones

Several other cybercriminal groups have also been observed targeting Chinese organizations within the past few months.
  • In March 2020, the state-sponsored group DarkHotel launched a massive hacking operation aimed at Chinese government agencies and their employees.
  • In February 2020, an India-based Advanced Persistent Threat (APT) was allegedly found attempting to attack Chinese medical organizations through an email phishing scheme.

Who was targeted

  • The attacks coincided with the period when Chinese government bodies and corporations had asked their employees (including government officials) to work from home to prevent the spread of the novel coronavirus.
  • The cybercriminal group targeted domestic Chinese agencies, as well as diplomatic missions in countries including Italy, the UK, North Korea, and Thailand.
  • More than 200 VPN servers were compromised, and Chinese institutions and agencies in Beijing and Shanghai were under attack.