Chinese hackers push COVID-19 cyber infection chain at Mongolian targets
March 2020 by Check Point
Researchers at Check Point have intercepted a targeted cyber-attack by a Chinese advanced persistent threat (APT) group on a public sector organization in Mongolia. By exploiting concerns over the Coronavirus pandemic, the Chinese APT group sent two documents, both impersonating the Mongolian Ministry of Foreign Affairs in the form of press briefings, to personnel in Mongolia’s public sector organizations, luring the recipients into giving the hackers remote network access with the aim of stealing sensitive information.
One of the two documents, which related directly to COVID-19, was titled “About the Spread of new Coronavirus Infections” and went on to cite the National Health Committee of China.
Check Point researchers traced the attack to the Chinese group by extracting fingerprints the attackers left in malware code stored on their own servers, which were briefly exposed on the internet. From the data collected, the researchers were able to reconstruct the entire infection chain and deduce that the group has been active since 2016 and regularly targets a variety of public sector entities and telcos worldwide, especially in Russia, Ukraine, Belarus and now Mongolia.
The Cyber Infection Chain
“COVID-19 is presenting not only a physical threat but a cyber threat as well,” says Lotem Finkelsteen, Head of Threat Intelligence at Check Point. “Our intelligence reveals that a Chinese APT group exploited the public interest in Coronavirus for its own agenda through a novel cyber infection chain. The group has been targeting not just Mongolia but other countries world-wide. All public sector entities and telcos everywhere should be extra wary of documents and websites themed around Coronavirus.”
The full intentions and identities of this Chinese APT group are still not known, but the group is here to stay: it keeps updating its tools, and it seems it will do whatever it takes to lure victims onto its network in order to steal data.
Check Point has determined that Coronavirus-related domains are 50% more likely to be malicious than newly registered domains overall. To date, Check Point has seen over 4,000 Coronavirus-related domains registered globally; 3% of these are malicious and a further 5% are suspicious, against an industry average of 2% malicious among newly registered domains.
Full details are on Check Point’s blog here: https://research.checkpoint.com/202...