macbook open
Photo by Andras Vas on Unsplash

Computing / Cybersecurity

Chinese hackers and others are exploiting coronavirus fears for cyber espionage

Headline news and global disorder are tools hackers take advantage of to make their next breach.

Mar 12, 2020
macbook open
Photo by Andras Vas on Unsplash

Government-sponsored and criminal hackers from around the world are taking advantage of the ongoing coronavirus pandemic to spy on adversaries, according to multiple cybersecurity threat intelligence companies.

Hacking groups aligned with the Chinese and Russian governments, among others, have been sending out malicious email attachments about  the virus in recent weeks.

You can read all of our coverage of the coronavirus/Covid-19 outbreak for free, and also sign up for our coronavirus newsletter. But please consider subscribing to support our nonprofit journalism.


A coronavirus themed malicious Microsoft Word document used by the Chinese hacking group known as TEMP.Hex

Two hacking groups aligned with the Chinese government targeted Vietnam, the Philippines, Taiwan, and Mongolia, the cybersecurity firms FireEye and Check Point reported today. The hackers are sending email attachments with genuine health information about coronavirus but laced with malware such as Sogu and Cobalt Strike, according to Ben Read, a senior intelligence analyst at FireEye.

“The lures were legitimate statements by political leaders or authentic advice for those worried about the disease, likely taken from public sources,” Read explained.

A Russian group known as TEMP.Armageddon sent spear-phishing emails to Ukrainian targets. Spear-phishing is a tactic hackers use to send specifically crafted malicious links that trick targets into clicking, allowing them to be unknowingly infected.

FireEye analysts also suspect a recent such attack against a South Korean target is the work of North Korean hackers. Like China, South Korea has been hit especially hard by the outbreak. The phishing email had the Korean language title “Coronavirus Correspondence.”

“You expect to get information from government sources, so it’s most likely that you will open and execute documents to see what it says,” said Lotem Finkelstein, head of threat intelligence at Check Point. “It makes it very useful to trigger an attack. The coronavirus outbreak serves threat actors very well, especially those that rely on phishing attacks to ignite attacks.”


In addition to ongoing activity by government-sponsored hackers, cybercriminals are taking advantage of the chaos of current events. Hackers have previously used anxiety surrounding Ebola, Zika, and SARS to make money. 

“We’ve seen financially motivated actors using coronavirus-themed phishing in many campaigns, with dramatic month-over-month volume increases from January through to today,” FireEye said in a statement. “We expect continued use of coronavirus-themed lures by both opportunistic and targeted financially motivated attackers due to the global relevance of the theme.”

Targets “have heightened interest in news and developments related to the virus, potentially making them more susceptible to social engineering that tricks them into clicking on malicious links,” researchers at the cyberintelligence firm RiskIQ assessed.

Although it’s relatively simple, phishing—sending a link or file meant to infect anyone who clicks—is the most common and successful type of attack year after year. Hackers looking to take advantage of the coronavirus have targeted both individuals and businesses with fake emails claiming to be from trusted organizations like the Centers for Disease Control (CDC) and the World Health Organization. 

The phishing emails promise everything from information on cures to medical equipment. In reality, they aim to deliver malware or steal passwords in a bid to cash in on chaos.

Hackers are looking all over the globe for targets, but some have zeroed in on the worst-hit countries. Italy, which has so far seen the worst rash of illnesses outside Asia, has been targeted by a phishing campaign against businesses. Fake emails, which pretend to be from the World Health Organization, promise precautionary measures Italians can take in the form of a Microsoft Word document, but it will download a banking Trojan called Trickbot aimed at stealing vast sums of money.

Although the email sender claims to be with the WHO, the sender’s domain doesn’t match the WHO’s website. 

Japan, another country dealing with a sizeable outbreak, has also seen targeted hacking campaigns pretending to offer coronavirus information from health authorities.

“Attackers are also subverting internal businesses’ credibility in their attacks,” researchers from the cyber firm Proofpoint wrote. “We have seen a campaign that uses a Coronavirus-themed email that is designed to look like an internal email from the company’s president to all employees ... This email is extremely well-crafted and lists the business’ president’s correct name.”

Your best bet

Online dashboards have become the de facto standard for how much of the world is tracking the spread of this illness. Malicious dashboards are circulating that prompt you to download an application in order to spread AZORult malware for Windows that steals personal and financial data, cryptocurrency, and anything else of value from an infected machine. 

It’s not the first time hackers have used headline news and high emotion to try to trick victims, and it won’t be the last.

The best defense is to keep your tech up to date, don’t download software or click links from unknown people, and stick with authoritative sources for news on important topics.