U.S., U.K. Issue Alert on Growing Use of Covid-themed Hacks

By Alyza Sebenius and Kartikay Mehrotra | April 9, 2020

Coronavirus-themed phishing attacks have become so pervasive that the governments of the U.S. and U.K. issued a joint warning Wednesday about their growing use.

Advanced hacking groups seek to further “long-standing priorities” including espionage and “hack and leak” campaigns while criminals are “deploying a variety of ransomware and other malware,” the warning says.

“The surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations,” according to the warning, from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency and the U.K.’s National Cyber Security Centre.

The warning comes after the number of attempted phishing emails more than quadrupled over the course of March, a month when state-linked hackers and criminals seized on the pandemic to fuel operations, according to data from the cybersecurity firm FireEye Inc.

Hackers believed to be backed by the governments of North Korea, Russia and China used the pandemic as lures in cyber-attacks that appeared designed to be part of long-term espionage campaigns, according to FireEye. Criminal hackers’ motive was more straightforward: money, the firm said.

A popular tactic for both groups involved sending phishing emails that purport to offer information related to the coronavirus to convince users to click on a link or attachment containing malware, according to FireEye, based on its detections of hackers’ activities.

FireEye said it discovered phishing emails that sought to leverage the U.S. government’s distribution of the recent $2 trillion stimulus package, which was passed at the end of March. For example, the subject “COVID-19 Payment” has become popular among hackers, according to detections by FireEye.

Other frequently used phishing lures detected by FireEye include “COVID-19 AWARENESS AND IMPLEMENTATION FROM THE WORLD HEALTH ORGANIZATION,” “Protection from Corona Virus with Immunity Oil,” and “Why Corona is ONLY the 1st Stage of the Crash.”

While the landscape of attempted phishing attacks is enormous — and the vast majority don’t concern coronavirus — the increase is indicative of a common tactic used by hackers: taking advantage of world events to trick people into clicking on malware. Some cybersecurity experts say the coronavirus has produced an unprecedented volume of attempted cyber-attacks.

“Coronavirus-themed phishing lures, malware infections, network intrusions, scams and disinformation campaigns have become rampant across the clear, deep, and dark web,” the threat intelligence firm IntSights Cyber Intelligence Ltd. wrote in a Tuesday report, which described malicious mobile apps, websites and emails that purported to offer information about the virus.

It’s not just American users who are being duped out of public dollars. Users in Russia received an email offering instructions for obtaining 158,591 rubles (about $2,100) in “social compensation” for the virus, according to Malware Hunter Team, a ransomware identification service. Users in Canada received similar messages promising “Canada Emergency Response Benefit” in English and French, according to the group.

Hacker groups have been trying coronavirus-related tactics since at least late January, according to the cybersecurity firm CrowdStrike Holdings Inc. One of the first known coronavirus-themed attacks targeted Japan, where a group dubbed Mummy Spider used Japanese-language spam on Jan. 29 to distribute malware known globally as Emotet.

The hacking group — which is based in Russia and Eastern Europe — sent emails spoofing a Kyoto public health center to trick victims into clicking on the malicious link. Since then, Mummy Spider has targeted other countries as citizens become infected, as well as industries including health-care entities fighting the epidemic, according to CrowdStrike.

A Chinese hacking group called Pirate Panda changed tactics as the coronavirus spread. Pirate Panda had been using the Jan. 3 assassination of Iranian Major General Qassem Soleimani to lure users in India and Pakistan into executing their malware. As the coronavirus spread between February and March, the group began sending documents purporting to be from the World Health Organization containing confirmed data on coronavirus cases inside and outside of China, according to CrowdStrike.

“Bad guys are motivated by fear and greed, and in this case the entire world is scared, and so malicious actors are pouncing,” said Adam Meyers, CrowdStrike’s vice president of intelligence. “It shouldn’t come as a surprise that a criminal is going to use whatever tools work best. Right now, what’s best is leveraging fear in the coronavirus. And it’s working.”
