Cybersecurity firm FireEye on Wednesday reported that Vietnamese government-linked hackers are allegedly targeting Chinese government agencies in order to collect intelligence on the COVID-19 crisis.
According to FireEye, the hacking group “APT32”, also known as “Ocean Lotus” and believed to be operating on behalf of the Vietnamese government, was involved in a spear-phishing campaign targeting members of China’s Ministry of Emergency Management and the government of Wuhan, the epicenter of the coronavirus pandemic.
“These attacks speak to the virus being an intelligence priority – everyone is throwing everything they’ve got at it, and APT32 is what Vietnam has,” FireEye said in a blog post.
FireEye researchers believe that APT32 carried out intrusion campaigns against Chinese targets from at least January to April 2020.
The security company first took notice of this campaign on January 6, 2020, when APT32 sent an email with an embedded tracking link to China’s Ministry of Emergency Management. The embedded link contained the victim’s email address and code to report back to the actors if the email was opened.
FireEye also uncovered additional tracking URLs that revealed targets in China’s Wuhan government and an email account also associated with the Ministry of Emergency Management.
The domains in the embedded links were the same as the one used in December as a command and control domain for a METALJACK phishing campaign likely targeting Southeast Asian countries.
“APT32 likely used Covid-19-themed malicious attachments against Chinese speaking targets. While we have not uncovered the full execution chain, we uncovered a METALJACK loader displaying a Chinese language titled Covid-19 decoy document while launching its payload,” the blog post added.
The shellcode performs a system survey to collect the victim’s computer name and username and then appends those values to a URL string. It then attempts to call out to the URL. If the callout is successful, the malware loads the METALJACK payload into memory.
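For defenders, both behaviours described above (a tracking link that carries the recipient’s address, and a callout URL with the computer name and username appended) leave the same artifact: a URL that embeds a value identifying the victim. The following is an added example, not code from FireEye or from the malware. It checks a URL taken from a mail gateway or proxy log for known identifiers in plain, percent-encoded, hex or Base64 form; the encodings are assumptions, since the report as quoted here does not say how the values were encoded, and all names and URLs are constructed.

```python
import base64
import re
from urllib.parse import unquote

TOKEN = re.compile(r"[A-Za-z0-9_+-]{8,}")   # long enough to carry an encoded value
HEX = re.compile(r"(?:[0-9a-fA-F]{2})+")

def decoded_views(url):
    """Map each encoding label to the lower-cased texts recoverable from the URL."""
    text = unquote(url)                       # undo %40-style escaping first
    views = {"plain": [text.lower()], "hex": [], "base64": []}
    for tok in TOKEN.findall(text):
        if HEX.fullmatch(tok):
            views["hex"].append(bytes.fromhex(tok).decode("utf-8", "ignore").lower())
        try:                                  # accept standard and URL-safe alphabets
            padded = tok.replace("+", "-") + "=" * (-len(tok) % 4)
            raw = base64.urlsafe_b64decode(padded)
        except ValueError:                    # token is not decodable Base64
            continue
        views["base64"].append(raw.decode("utf-8", "ignore").lower())
    return views

def embedded_identifiers(url, identifiers):
    """Return (identifier, encoding) pairs for identifiers carried inside the URL."""
    views = decoded_views(url)
    return [(ident, label)
            for ident in identifiers
            for label, texts in views.items()
            if any(ident.lower() in t for t in texts)]

# Constructed samples (not indicators from the report); .example names are placeholders.
RECIPIENT = "analyst@agency.example"
HOST, USER = "WKSTN-0417", "jdoe"
SAMPLES = [
    "https://cdn.example/open.png?id=" + base64.urlsafe_b64encode(RECIPIENT.encode()).decode(),
    "https://cdn.example/open.png?u=analyst%40agency.example",
    "http://cdn.example/s/" + f"{HOST}_{USER}".encode().hex(),
    "https://cdn.example/static/logo-large-2020.png",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", embedded_identifiers(url, [RECIPIENT, HOST, USER]))
```

Very short identifiers match by chance, so in practice feed the check full addresses and hostnames rather than short usernames alone.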
“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted. Medical research has been targeted as well,” FireEye said.
“Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally.”
However, on Thursday, Vietnam’s foreign ministry dismissed as “baseless” FireEye’s report that it is backing government-linked hackers to target Chinese agencies.
“The accusation is baseless,” Foreign Ministry spokesman Ngo Toan Thang told reporters. “Vietnam forbids all cyberattacks, which should be denounced and strictly dealt with by law.”
Thang also added that Vietnam is ready to cooperate with international partners to fight cyberattacks.