Check Point researchers have uncovered the latest instance of attackers exploiting the global Covid-19 outbreak.
The analysts have intercepted a targeted cyber-attack by a Chinese APT group on a public sector entity in Mongolia.
Leveraging the coronavirus pandemic, the group sent two documents, both impersonating press briefings from the Mongolian Ministry of Foreign Affairs, to personnel in Mongolia’s public sector. Opening the documents gave the attackers remote access to the victims’ network and an open door to steal sensitive information.
One of the two documents related to Covid-19: its title translates to “About the Spread of new Coronavirus Infections”, and it goes on to cite the National Health Committee of China.
Check Point researchers attributed the attack to the Chinese group by extracting fingerprints the attackers had left in malware code stored on their own servers, which were briefly exposed on the internet.
From the data collected, Check Point researchers were able to reconstruct the entire infection chain and concluded that the Chinese APT group has been active since 2016 and habitually targets public sector entities and telcos worldwide, with victims in Russia, Ukraine, Belarus and now Mongolia.
“Covid-19 is presenting not only a physical threat but a cyber threat as well,” says Lotem Finkelsteen, head of threat intelligence at Check Point. “Our intelligence reveals that a Chinese APT group exploited the public interest in Coronavirus for its own agenda through a novel cyber infection chain.
“The group has been targeting not just Mongolia but other countries world-wide. All public sector entities and telcos everywhere should be extra wary of documents and websites themed around coronavirus.”
Check Point has determined that coronavirus-related domains are 50% more likely to be malicious than newly registered domains in general. To date, the company has seen more than 4,000 coronavirus-related domains registered globally; 3% of these are malicious and a further 5% are suspicious, against an industry average of 2% malicious among newly registered domains.