Cybersecurity firm FireEye reported on Wednesday that a hacking group called APT32, which it linked to the government of Vietnam, launched attacks on email accounts used by the Chinese Ministry of Emergency Management and the city government of Wuhan, epicenter of the coronavirus pandemic.
According to FireEye, the raid appeared to be an effort to gather intelligence about the coronavirus, rather than a destructive attack launched against the Chinese in retaliation for spreading it.
“These attacks speak to the virus being an intelligence priority – everyone is throwing everything they’ve got at it, and APT32 is what Vietnam has,” FireEye senior manager for analysis Ben Read said.
APT stands for Advanced Persistent Threat, the common term among cybersecurity analysts for the enigmatic hacker groups responsible for so much mischief. Most of these groups acquire nicknames in addition to their APT designations, sometimes advanced by the group’s own members.
APT32 is also known as the “OceanLotus Group.” It appeared in 2012 and was immediately linked to the Vietnamese government since its early targets included Cambodian government websites and Vietnamese dissidents. Most of the group’s hacking campaigns have been directed at political adversaries of the Vietnamese government or corporations that do business in Vietnam.
The earliest known OceanLotus exploits involved “watering holes,” websites set up so that users who visit them have their systems infected with malware. According to FireEye’s analysis, the APT32 assault on Chinese systems instead relied on phishing emails: realistic-looking messages that appear to come from trusted correspondents and trick the recipient into either revealing sensitive information or installing malware on their computers.
The emails sent by APT32 to the Chinese Ministry of Emergency Management fell into the latter category, as they contained tracking links that would send security information about the target back to the hackers once the emails were opened. Armed with this information, the hackers could send even more aggressive phishing emails containing tailored viruses that would give them full access to the victims’ computers.
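The tracking links described above work because opening an HTML message, or clicking a link in it, makes the recipient's mail client fetch a remote resource whose URL carries an opaque per-recipient token; the request itself tells the sender which address opened it, when, and from what client. The script below is an added defensive example, not FireEye's tooling or anything taken from the reporting: it scans a constructed sample message for external links and images that carry such tokens or load as 1x1 pixels, so a mail gateway or analyst can flag them for review before any remote content is fetched. The domains, the message body, and the `example.test` trusted-domain list are all made up for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample message (hypothetical domains, not a real APT32 lure).
# The subject line mirrors the bureaucratic pretext quoted in the report.
SAMPLE_HTML = """
<html><body>
<p>Report on the first quarter results of office equipment bids</p>
<a href="https://files.example-bids.test/q1/report.docx?u=7f3a9c2e1b5d4e6f8a9b0c1d2e3f4a5b">Open report</a>
<img src="https://files.example-bids.test/p.gif?id=7f3a9c2e1b5d4e6f8a9b0c1d2e3f4a5b" width="1" height="1">
<a href="https://intranet.example.test/portal">Internal portal</a>
</body></html>
"""

# Opaque identifiers: long hex strings or long base64url-style blobs.
TOKEN_RE = re.compile(r"^[0-9a-fA-F]{24,}$|^[A-Za-z0-9_-]{20,}$")


class LinkExtractor(HTMLParser):
    """Collect every <a href> and <img src> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []  # (tag, url, attributes)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.links.append(("a", a["href"], a))
        elif tag == "img" and a.get("src"):
            self.links.append(("img", a["src"], a))


def looks_like_tracking_token(value):
    return bool(TOKEN_RE.match(value))


def analyze_html(html, trusted_domains):
    """Return findings for external resources that look like open/click trackers.

    trusted_domains: hostnames (and their subdomains) treated as internal.
    """
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for tag, url, attrs in parser.links:
        p = urlparse(url)
        if p.scheme not in ("http", "https"):
            continue  # mailto:, cid: and similar carry no remote fetch
        host = p.hostname or ""
        external = not any(
            host == d or host.endswith("." + d) for d in trusted_domains
        )
        if not external:
            continue
        reasons = []
        # Per-recipient identifiers usually travel in query parameters.
        for key, values in parse_qs(p.query).items():
            if any(looks_like_tracking_token(v) for v in values):
                reasons.append(f"opaque token in query parameter '{key}'")
        if tag == "img":
            w, h = attrs.get("width"), attrs.get("height")
            if w in ("0", "1") and h in ("0", "1"):
                reasons.append("1x1 remote image (tracking pixel)")
            else:
                reasons.append("remote image fetched on open")
        if reasons:
            findings.append({"tag": tag, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze_html(SAMPLE_HTML, ["example.test"]):
        print(f["tag"], f["host"], "; ".join(f["reasons"]))
```

Opaque tokens on their own are not proof of hostile intent; legitimate mailing lists use the same mechanism. The useful control is to treat any external fetch triggered by merely rendering a message as something the client should not perform automatically (block remote images by default, rewrite or sandbox links at the gateway), and to route messages that combine an external token-bearing link with a pixel-sized image to an analyst rather than the inbox.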
The phishing emails sent by APT32 to Chinese targets beginning in January were initially disguised as anodyne bureaucratic communications, such as “Report on the first quarter results of office equipment bids,” but later they began including references to the coronavirus outbreak to increase the odds of the recipient opening them.
FireEye speculated APT32 was trying to crack Chinese email systems to acquire more information about the coronavirus than Beijing has been willing to share with the rest of the world. Other analysts suggested to Reuters on Wednesday that the hackers (or the intelligence agents sponsoring them) knew something ugly was brewing in Wuhan at the beginning of the year and wanted to steal Chinese data so they could prepare a defense.
“This is precisely what we would expect. A crisis develops and there’s a shortage of information, so intelligence collectors are deployed,” said John Hultquist, a senior director at FireEye’s Mandiant threat intelligence unit.
“This crisis is of such an extreme interest to every country on earth that it surpasses the intelligence necessities normally associated with armed conflict. It is absolutely existential,” Hultquist said.
Reuters reported that both the Vietnamese and Chinese governments declined to comment on the APT32 story.