Researchers at Check Point have intercepted a targeted cyber-attack by a Chinese APT group on a public sector entity in Mongolia. Leveraging the Coronavirus pandemic, the Chinese APT group sent two documents, both impersonating press briefings from the Mongolian Ministry of Foreign Affairs, to personnel in Mongolia’s public sector, luring the recipients into giving the attackers remote network access and an open door to steal sensitive information. One of the two documents related to COVID-19, with a title that translates to “About the Spread of new Coronavirus Infections”, and went on to cite the National Health Committee of China.
Check Point researchers were able to trace the cyber-attack to the Chinese group by extracting fingerprints the attackers left in malware code stored on their own servers, which were exposed on the internet for a brief period. Through the data collected, Check Point researchers were able to uncover the entire infection chain, deducing that the Chinese APT group has been active since 2016 and routinely targets a variety of public sector entities and telcos worldwide: Russia, Ukraine, Belarus and now Mongolia.
Head of Threat Intelligence, Lotem Finkelsteen:
“COVID-19 is presenting not only a physical threat but a cyber threat as well,” says Lotem Finkelsteen, Head of Threat Intelligence at Check Point. “Our intelligence reveals that a Chinese APT group exploited the public interest in Coronavirus for its own agenda through a novel cyber infection chain. The group has been targeting not just Mongolia but other countries worldwide. All public sector entities and telcos everywhere should be extra wary of documents and websites themed around Coronavirus.”
Coronavirus-themed Malware on the Rise
Check Point has determined that the rate of malicious domains among Coronavirus-related registrations is 50% higher than the rate across all newly registered domains. To date, Check Point has seen over 4,000 Coronavirus-related domains registered globally – 3% of which are malicious, and an additional 5% are suspicious. The industry average for newly registered domains that are malicious is 2%.