Vietnam-linked hackers targeted Chinese gov't over coronavirus response, say researchers

Jack Stubbs and Raphael Satter, Reuters

Posted at Apr 22 2020 06:58 PM

An internet user browses through the Vietnamese government's new Facebook page in Hanoi, Vietnam, December 30, 2015. Kham, Reuters/File

LONDON/WASHINGTON - Hackers working in support of the Vietnamese government have attempted to break into Chinese state organizations at the center of Beijing's effort to contain the coronavirus outbreak, US cybersecurity firm FireEye said Wednesday.

FireEye said a hacking group known as APT32 had tried to compromise the personal and professional email accounts of staff at China's Ministry of Emergency Management and the government of Wuhan, the Chinese city at the center of the global coronavirus pandemic.

Investigators at FireEye and other cybersecurity firms have said they believe APT32 operates on behalf of the Vietnamese government. The group's recent activity mirrors attempts by a host of state-backed hackers to compromise governments, businesses and health agencies in search of information about the new disease and attempts to combat it.

"These attacks speak to the virus being an intelligence priority - everyone is throwing everything they've got at it, and APT32 is what Vietnam has," said Ben Read, senior manager for analysis at FireEye's Mandiant threat intelligence unit.

The Vietnamese government did not respond to a request for comment. Messages sent to email addresses used by the hackers went unanswered.

The Cyberspace Administration of China (CAC), the Chinese Ministry of Emergency Management and the Wuhan city government did not immediately respond to faxed requests for comment.

Vietnam was quick to react to first reports of the new coronavirus, sealing off its border with neighboring China and implementing an aggressive program of contact tracing and quarantine measures that have kept cases of infection in the country below 300.

EXISTENTIAL THREAT

Adam Segal, a cybersecurity expert at the Council on Foreign Relations in New York, said the hacking activity suggested Hanoi also took swift action in cyberspace. The earliest hacking attempt identified by FireEye predated the first known international infection by a week, he said.

"It shows both a distrust about Chinese government announcements and a sense that when China sneezes, it is its neighbors that get the flu – in this case literally."

FireEye said APT32 targeted a small group of people with emails that included tracking links to notify the hackers when they were opened. The attackers then planned to send further emails with malicious attachments containing a virus called METALJACK that would give them illicit access to their victims' computers.

Marc-Étienne Léveillé, a researcher at Slovakia-based software security firm ESET, said APT32 had used the same malware in recent months to target other governments and commercial organizations in east Asia, as well as political activists and dissidents in Vietnam.

It is unclear if the intrusion attempts in China were successful, but the attacks show that hackers ranging from cyber criminals to state-backed spies have had to quickly reorganize their operations in response to the coronavirus, said John Hultquist, senior director of analysis at Mandiant.

"This is precisely what we would expect. A crisis develops and there's a shortage of information, so intelligence collectors are deployed," he said.

"This crisis is of such an extreme interest to every country on earth that it surpasses the intelligence necessities normally associated with armed conflict. It is absolutely existential."