Special Feature
Part of a ZDNet Special Feature: Coronavirus: Business and technology in a pandemic

COVID-19 cyber espionage saw Chinese ministry targeted by Ocean Lotus: FireEye

Spear phishing campaign out of Vietnam went after information related to coronavirus, security firm says.

FireEye has stated it believes hacking group Ocean Lotus, also known as APT32 and linked to the Vietnamese government, was involved in a spear phishing campaign targeting members of the Wuhan government and Chinese Ministry of Emergency Management in search of information related to the coronavirus pandemic that is sweeping the planet.

The security company said it first picked up the campaign on January 6, when a phishing email was sent to the Chinese Ministry of Emergency Management with an embedded link that would report back to the group if the email was opened. Looking at tracking URLs, FireEye said the group also went after the government in Wuhan. 

The domains in the embedded links were the same as those used for command and control purposes in December for a phishing campaign across Southeast Asia dubbed Metaljack.

"APT32 likely used COVID-19-themed malicious attachments against Chinese speaking targets," FireEye said.

"While we have not uncovered the full execution chain, we uncovered a Metaljack loader displaying a Chinese-Language titled COVID-19 decoy document while launching its payload."

The shellcode payload collects system information and appends it to URLs strings, and if successfully called, loads Metaljack into memory.

"The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict," FireEye said.

"Until this crisis ends, we anticipate related cyber espionage will continue to intensify globally."

Ocean Lotus has previously been linked to attacks on Toyota Australia and Toyota Japan.

At the end of 2019, the group was linked to breaches on the networks of BMW and Hyundai.

Elsewhere, Palo Alto Networks said it had seen over 116,000 coronavirus-related domain names registered from the start of the year to March 31, of which, it classified 2,000 as malicious and over 40,000 as high risk.

The company said its malicious label was used on any domains involved in command and control, phishing, and malware distribution; while high-risk domains were scam pages, coin miners, or associated with known malicious hosting.

"People should be highly sceptical of any emails or newly-registered websites with COVID-19 themes, whether they claim to have information, a testing kit, or a cure," the company said.