Chinese hackers target emails with WHO, Australian Medical Association campaigns


Chinese state-sponsored hackers have launched a global COVID-19 campaign to collect intelligence, using World Health Organisation branding in emails warning about the effects of the coronavirus.

The hacker group, APT TA413, has shifted its target from the Tibetan diaspora to western economic and political organisations since February.

The malware, dubbed Sepulcher, gives hackers complete control of the targeted computer if users inadvertently install it after being prompted by the email.

Proofpoint said Chinese state-based actors were behind the latest campaign. Credit: The Age

“This is not putting a file on or watching keystrokes,” said Proofpoint’s senior director of threat research and detection Sherrod DeGrippo. “This is full access. They can upload and download files.”


Proofpoint, which works with medical research firms, universities and governments around the world, said it had notified its clients of the threat, which should be picked up by security software.

"Attribution of these campaigns with differing motivations paint a contemporary portrait of the Chinese advanced persistent threat [APT] landscape and the state’s evolving targeting priorities in a post COVID-19 world," the security company said.

The campaign used logos from the World Health Organisation. Pictured here, its regional office for the Americas in Washington, DC. Credit: Bloomberg

An APT is a sophisticated hacking campaign using unique tactics. Such campaigns are frequently associated with a nation-state.

Emails purporting to be from the World Health Organisation were sent in March under the heading "country and technical guidance," outlining various public health scenarios.

In separate attacks in February, an email carrying the Australian Medical Association logo and purporting to come from a fake centre for disease control “cdc-australia” address was sent as a coronavirus alert warning, urging users to view public health safety measures. The Australian Medical Association, World Health Organisation and Chinese Foreign Ministry were contacted for comment.

Proofpoint matched the Sepulcher malware to publicly known sender addresses associated with Tibetan dissident campaigns.

"While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritised intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year," Proofpoint said.

DeGrippo said COVID-19 was the first time there had been a truly global event, occurring simultaneously in all places, since the invention of email.

"COVID-19 is the first time I have seen world-wide concerns where every human on earth has some sort of worry," she said in an interview from California on Thursday. "Hackers leverage that sense of fear to get you to take the action they want you to take, which is to click or download."

The malware has seven work modes that can conduct reconnaissance on an infected computer.

"It's a remote access Trojan," said DeGrippo. "This is not a particularly sophisticated RAT but it is made by an actor that we believe to be operating on behalf of the Chinese government."

In a joint statement from the Department of Foreign Affairs, Department of Home Affairs and the Australian Signals Directorate in July, Australia warned Chinese hackers were compromising networks across the world for commercial and personal gain.

"Of particular concern, these individuals also reportedly targeted COVID-19 research as well as political dissidents, religious minorities and human rights advocates," the Australian government said.

"Australia reiterates our call to all countries to refrain from behaviour which violates their international commitments."
