Hackers Posing as CDC, WHO Using Coronavirus in Phishing Attacks
(Bloomberg) -- As the coronavirus spreads around the globe, hackers are leveraging the panic and confusion to transmit malware and break into computer networks, according to research from several cybersecurity firms.
Hackers have sent phishing messages posing as the U.S. Centers for Disease Control and Prevention, the World Health Organization and health agencies from specific countries, purporting to offer information on the coronavirus disease, according to the firms. In some instances, the phishing emails appear to have been sent by hackers supported by U.S. adversaries.
“It’s not surprising, we call it the lure de jure,” said Adrian Nish, head of threat intelligence at BAE Systems. “I think a lot of these groups have identified coronavirus as something their targets would be desperate for information on.”
In one example, hackers posing as the CDC sent a phishing email on Feb. 24 to a South Korean electronic manufacturing company with the subject line “Re: nCoV: Coronavirus outbreak and safety measures in your city (Urgent),” according to BAE research.
The hackers edited their email to make it appear to be sent from “CDC-Health-INFO,” using the email address of a U.S. diplomat. In reality, the email was sent from a computer at a South Korean food company, so that it could bypass spam filters. It isn’t known if the food company was hacked.
“Please kindly download the updated attachment for your knowledge,” the email read, according to BAE. “Please go through the cases to avoid Potential hazards.”
It isn’t known if the firm downloaded the attachment. If it had, the target computer could have been infected with malware, a “remote access Trojan,” allowing hackers to take control -- and perhaps make their way into the company’s network. BAE hasn’t made a determination of who was behind the fake email.
“Threat actors are savvy in terms of the social engineering side, and this is an opportunity to them,” Nish said. He expects victims in the U.S. to be targeted by fake coronavirus emails as the virus spreads.
In another instance, BAE researchers on Feb. 20 analyzed a fake document purporting to be from WHO and Ukraine’s Ministry of Health. The document, which stated falsely that there were five confirmed cases in Ukraine, contained malware capable of recording a user’s keystrokes, known as a keylogger, according to BAE.
Government-linked hackers in China, Russia and North Korea have taken advantage of the interest in coronavirus information to further their espionage missions, according to Ben Read, who serves as the senior manager of analysis at FireEye Inc. Over at least a month, these hackers have sent information related to the pandemic to lure their espionage targets -- such as companies and ministries of foreign affairs in Southeast and Central Asia, Eastern Europe and South Korea -- into clicking on phishing emails or malicious documents that promise information about the virus.
In addition to hackers taking advantage of the pandemic, fake social media accounts are spreading disinformation about the coronavirus that back the interests of some nations, including China and Russia, according to government officials and cybersecurity experts.
One of those campaigns seeks to laud the handling of the coronavirus outbreak by Chinese government and medical workers, according to Lee Foster, senior manager for information operations intelligence at FireEye.
The firm’s researchers have seen a “concerted campaign” suspected to include thousands of inauthentic social media accounts, spreading narratives aligned with the interests of the Chinese government, he said.
Those same accounts have also criticized the Hong Kong medical workers striking to demand closing the city’s border with China, Foster said. In addition, the accounts have accused Hong Kong citizens of spreading rumors about the coronavirus, and they have called on pro-democracy protesters to drop their protests and instead work to overcome the epidemic, he added.
The campaign, which began in January and has “increased substantially in volume since then,” is ongoing, Foster said. The inauthentic accounts engaged in the campaign appear to be linked to the accounts that spread disinformation to promote China’s interests during the Hong Kong protests in the fall, he said.
Meanwhile, Russia is using its “entire ecosystem” of disinformation -- including proxy websites, official state media, automated bot accounts and “swarms of online false personas” -- to spread disinformation about the coronavirus, according to a testimony by the State Department’s Lea Gabrielle last week.
Gabrielle, who serves as special envoy and coordinator of the State Department’s Global Engagement Center, said that U.S. adversaries are using the crisis “to try to advance their priorities.”
To contact the reporters on this story: William Turton in New York at firstname.lastname@example.org;Alyza Sebenius in Washington at email@example.com
To contact the editor responsible for this story: Andrew Martin at firstname.lastname@example.org
©2020 Bloomberg L.P.