North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations

Singapore, Japan, and the US are amongst six nations targeted in a COVID-19 themed phishing campaign that is reportedly scheduled for June 21, during which 8,000 businesses in Singapore may receive email messages from a spoofed Ministry of Manpower account.
Written by Eileen Yu, Senior Contributing Editor

Singapore, Japan, and the US are amongst six nations reportedly targeted in a COVID-19 themed phishing campaign that is scheduled to take place June 21. North Korean state hacker group Lazarus are said to be behind the massive attack that will see more than 5 million businesses and individuals receiving phishing email messages from spoofed government accounts. 

This would include 8,000 organisations in Singapore where the business contacts highlighted in an email template were addressed to members of the Singapore Business Federation (SBF), according to a report from cybersecurity vendor Cyfirma. Introduced in 2001 by the Ministry of Trade and Industry, SBF is responsible for promoting Singapore businesses and currently represents 27,200 companies.

The targeted Singapore businesses would reportedly receive phishing email messages -- written in Chinese -- from a spoofed Ministry of Manpower account, supposedly offering additional payouts for employees under the government's COVID-19 support packages. 

The attacks are part of the Lazarus Group's large-scale campaign targeting more than 5 million individuals and businesses, including small and large enterprises, across six countries: Singapore, South Korea, Japan, India, the UK, and the US. The North Korean hacker group is looking to gain financially from the campaign, where targeted email recipients will be asked to visit fraudulent websites and lured into revealing their personal and financial data, according to Cyfirma. 

It noted that governments in the six targeted nations all had announced funding support for enterprises and citizens to help them ride out the global pandemic, including Singapore, which said it would set aside almost SG$100 billion, and Japan, which unveiled 234 trillion yen in stimulus funds. 

Cyfirma's founder and CEO Kumar Ritesh said it had notified, on June 18, government CERTs (Computer Emergency Response Team) in Singapore, Japan, South Korea, India, and the US, as well as the UK National Cyber Security Center. All six agencies had acknowledged the alert and currently were investigating. 

SingCERT confirmed it received "information regarding a potential phishing campaign" and, in response, posted an advisory on its website Friday. It said there were "always" ongoing phishing attempts by various cybercriminals that used different themes and baits and spoofed different entities. This tactic remained a common and effective technique used to gain access to individuals' accounts, deliver malware, or trick victims into revealing confidential data, said SingCERT, which sits under Cyber Security Agency (CSA).

ZDNet asked the government agency several questions including whether there had been a database breach and what tools the Manpower Ministry had adopted to prevent their email accounts from spoofing attacks. 

It did not respond specifically to any of the questions and, instead, issued a response that confirmed CSA had reached out to relevant parties to notify them about the potential phishing campaign. "Opportunistic cybercriminals have been using the COVID-19 situation to conduct malicious cyber activities and with the increasing reliance on the internet during this period, it is important to be vigilant," the agency said, adding that users should be mindful about suspicious links or attachments and safeguard themselves against COVID-19 themed cyberthreats. 

Ritesh told ZDNet that the MOM recipients' email addresses were discussed amongst hackers and hosted on content server, but his researchers did not locate the contact database. "Having tracked the Lazarus Group for a number of years now, we are able to recognise their pattern of behaviour and attack mechanism," he said. "The group would have trolled various forums and marketplaces to secure the 8,000 contacts [in Singapore]."

Asked if MOM's database might have been breached, he said Cyfirma did not detect any claims in the hackers' community regarding the ministry's being penetrated. However, he noted that collecting business contact information from public platforms was easy and the hackers likely executed reconnaissance to collect information on public and social media platforms.

Cyfirma said the phishing campaign was designed to impersonate government agencies and departments as well as trade associations that had been instructed to oversee the distribution of the COVID-19 financial aid. 

The cybersecurity vendor said it first clued in on the possible attack on June 1 and, since then, had been analysing efforts behind the campaign and gathering evidence. All of these revealed the phishing attacks would be carried out in the six nations over a two-day blitz, it said, adding that it identified seven email templates impersonating government agencies and business associations. 

Ritesh said the vendor tapped its artificial intelligence platform to uncover cyberthreats as well as gathered data and observations from the deep and dark web, hackers' forums, restricted communities, and other sources in different languages. It used its algorithms and analytical engines to analyse its data and threats to hackers, connecting the dots to identify motives, campaigns, and methods.

"In the past six months, we have also monitored hacker activities related to the COVID-19 pandemic, especially with regards to hoax, phishing, and scam campaigns," he said. "On  June 1, we picked up an early indicator from a Korean-speaking community discussing the contents of a folder called 'Health-Problem-2020'. Our researchers managed to access this folder and, upon investigation, found seven sub-folders in the package. These included the hackers' project plans as well as details related to the six targeted countries [in this phishing campaign]."

Apart from Singapore's Ministry of Manpower, other government agencies targeted in the email spoof included Japan's Ministry of Finance and England's central bank. Amongst others, Lazarus' hackers claimed to have details of 1.1 million individual email IDs in Japan, another 2 million in India, and 180,000 business contacts in the UK. 

To date, Cyfirma had not been able to view any of the phishing sites detailed in the email templates, but it noted that these would likely be set up soon.

Singapore's Manpower Ministry on Tuesday issued an alert on its website that a fake MOM website was phishing for personal information. It had published similar alerts earlier in March as well as last July, August, and September.


Editorial standards