Google Finds Evidence of State-Sponsored COVID-19 Themed Espionage Operations
For many people around the world, the Coronavirus pandemic has created a new work environment. According to the Brookings Institute, the lockdowns associated with the Coronavirus have led to as many as half of America’s workforce working from home, double the rate in 2017-2018.
This has created an unprecedented opportunity for hacking and state-sponsored espionage, and according to Google's Threat Analysis Group, more than 12 state-sponsored hacking groups currently are using the panic related to COVID-19 as an opportunity to initiate spear phishing campaigns in an attempt to distribute malware.
One scheme in particular targeted government employees via their personal email accounts and delivered phony messages posing as COVID-19 related updates from fast-food restaurants. Google says that many of the emails included fake coupons or offers of free meals offers that purported to be “pandemic specials,” while others included malicious online ordering links.
When targets clicked on the links, they were sent to pages that requested their Gmail credentials. Although Google has marked the majority of these communications as spam, many people have been victimized.
Schemes targeting some of the more notable international health organizations via the use of COVID-19-specific targeting have been reported by The Times of Israel, as hackers thought to be working on behalf of the Iranian government made attempts to break into the personal email accounts of staff members working at the World Health Organization.
The campaign, which began on March 2nd of this year, sends phony messages designed to resemble Google’s Web Services in an effort to steal passwords from WHO staff and is consistent with the tactics employed by the hacking group known as Charming Kitten.
Reuters also reported in March that the United Nations health agency and its partners have suffered hacking attacks at a rate of more than double what they experienced prior to the Coronavirus outbreak.
One of the other groups targeting the WHO is known as PackRat. Employing remote access trojans (RAT) since 2008, the South American outfit is known for their extensive malware, phishing, and disinformation campaigns, as well as its targeting of the political opposition and independent press in the ALBA nations (Bolivarian Alternative for the Americas) including Venezuela, Argentina, Ecuador, and Brazil.
According to reports, as part of their strategy, they create and maintain a web presence for fake political organizations and media outlets, then they use the branding associated with these phony organizations to distribute malware and conduct phishing attacks.
It also seems that hackers are now building their phishing campaigns around phony messages claiming relation to business continuity plans, new payment procedures, and changes to internal business protocols, according to Microsoft researchers.
Earlier this spring, the Microsoft Security Intelligence team used Twitter to post examples of these messages. One of the phishing emails’ subject line read: "Business continuity plan announcement starting May 2020." Another subject line associated with the scheme announced: "E-Payment Bank Transactions," with text explaining that check payments will no longer be accepted by certain vendors during the Coronavirus lockdown period.
These emails are often able to compel recipients to disclose banking information as well as login credentials for a multitude of websites and applications.
Ultimately, the important theme to maintain during these times of panic, confusion and misdirection is one of vigilance. Individuals and business entities need to verify all sources of communication and keep an eye out for bad actors within the current drama we see playing out in real time.
Taking the time to slowly and carefully examine the contents of your email inbox can potentially save you thousands of dollars in additional security services and ransom payments, and dozens, if not hundreds of wasted man hours in putting out unnecessary fires.
Written by Julio Rivera
Edited by Alexander Fleiss, Jason Kauppila, Jack Argiro, Michael Ding & Gihyen Eom
Julio Rivera is a business and political strategist, the Editorial Director for Reactionary Times, and a political commentator and columnist. His writing, which is focused on cybersecurity and politics, has been published by websites including The Hill, Real Clear Politics, Townhall and American Thinker.