North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations

North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations 1

Singapore, Japan, and the US are amongst six nations reportedly targeted in a COVID-19 themed phishing campaign that is scheduled to take place June 21. North Korean state hacker group Lazarus are said to be behind the massive attack that will see more than 5 million businesses and individuals receiving phishing email messages from spoofed government accounts. 

This would include 8,000 organisations in Singapore where the business contacts highlighted in an email template were addressed to members of the Singapore Business Federation (SBF), according to a report from cybersecurity vendor Cyfirma. Introduced in 2001 by the Ministry of Trade and Industry, SBF is responsible for promoting Singapore businesses and currently represents 27,200 companies.

The targeted Singapore businesses would reportedly receive phishing email messages — written in Chinese — from a spoofed Ministry of Manpower account, supposedly offering additional payouts for employees under the government’s COVID-19 support packages. 

The attacks are part of the Lazarus Group’s large-scale campaign targeting more than 5 million individuals and businesses, including small and large enterprises, across six countries: Singapore, South Korea, Japan, India, the UK, and the US. The North Korean hacker group is looking to gain financially from the campaign, where targeted email recipients will be asked to visit fraudulent websites and lured into revealing their personal and financial data, according to Cyfirma. 

It noted that governments in the six targeted nations all had announced funding support for enterprises and citizens to help them ride out the global pandemic, including Singapore, which said it would set aside almost SG$100 billion, and Japan, which unveiled 234 trillion yen in stimulus funds. 

Cyfirma’s founder and CEO Kumar Ritesh said it had notified, on June 18, government CERTs (Computer Emergency Response Team) in Singapore, Japan, South Korea, India, and the US, as well as the UK National Cyber Security Center. All six agencies had acknowledged the alert and currently were investigating. 

Ritesh told ZDNet that recipients’ email addresses were discussed amongst hackers and hosted on content server, but his researchers did not locate the contact database. “Having tracked the Lazarus Group for a number of years now, we are able to recognise their pattern of behaviour and attack mechanism,” he said. “The group would have trolled various forums and marketplaces to secure the 8,000 contacts [in Singapore].”

Asked if MOM’s database might have been breached, he said Cyfirma did not detect any claims in the hackers’ community regarding the ministry’s being penetrated. However, he noted that collecting business contact information from public platforms was easy and the hackers likely executed reconnaissance to collect information on public and social media platforms.

Cyfirma said the phishing campaign was designed to impersonate government agencies and departments as well as trade associations that had been instructed to oversee the distribution of the COVID-19 financial aid. 

The cybersecurity vendor said it first clued in on the possible attack on June 1 and, since then, had been analysing efforts behind the campaign and gathering evidence. All of these revealed the phishing attacks would be carried out in the six nations over a two-day blitz, it said, adding that it identified seven email templates impersonating government agencies and business associations. 

Ritesh said the vendor tapped its artificial intelligence platform to uncover cyberthreats as well as gathered data and observations from the deep and dark web, hackers’ forums, restricted communities, and other sources in different languages. It used its algorithms and analytical engines to analyse its data and threats to hackers, connecting the dots to identify motives, campaigns, and methods.

“In the past six months, we have also monitored hacker activities related to the COVID-19 pandemic, especially with regards to hoax, phishing, and scam campaigns,” he said. “On  June 1, we picked up an early indicator from a Korean-speaking community discussing the contents of a folder called ‘Health-Problem-2020′. Our researchers managed to access this folder and, upon investigation, found seven sub-folders in the package. These included the hackers’ project plans as well as details related to the six targeted countries [in this phishing campaign].”

Apart from Singapore’s Ministry of Manpower, other government agencies targeted in the email spoof included Japan’s Ministry of Finance and England’s central bank. Amongst others, Lazarus’ hackers claimed to have details of 1.1 million individual email IDs in Japan, another 2 million in India, and 180,000 business contacts in the UK. 

To date, Cyfirma had not been able to view any of the phishing sites detailed in the email templates, but it noted that these would likely be set up soon.

Singapore’s Manpower Ministry on Tuesday issued an alert on its website that a fake MOM website was phishing for personal information. It had published similar alerts earlier in March as well as last July, August, and September.


About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Crypto Scams

Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
Beanstalk Farms Loses $80M In A Massive DeFi Governance Flash-Loan Hack
April 23, 2022
Joon Pak Head of Crypto at Prove talks to Us about Crypto Fraud And More
April 11, 2022
Mintable CEO Zach Burks Talks to Us about the Opensea Stolen NFTs and Their Recovery
March 21, 2022
Crypto Crime
Crypto Crime Surges To Record Highs As Thieves Follow Market Buzz – Chainalysis 2022 Report
February 24, 2022
Bots Circumvent 2FA Login At Coinbase And Other Crypto Exchanges In 2022
Bots Have Circumvented 2FA Logins At Coinbase And Other Crypto Exchanges In 2022
February 17, 2022

Automated trading with HaasBot Crypto Trading Bots

Blockchain/Cryptocurrency Questions and Answers

Roundtable Interview-What is the Effect of The Russia-Ukraine War on Cryptocurrency Prices?
March 4, 2022
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin29,619 0.67 % 0.26 % 2.94 %
Ethereum1,887.3 1.32 % 3.34 % 1.46 %
Tether1.002 0.19 % 0.12 % 0.14 %
USD Coin0.9989 0.16 % 0.08 % 0.04 %
BNB314.95 0.57 % 3.19 % 9.26 %
XRP0.3989 0.91 % 1.04 % 1.86 %
Binance USD1.000 0.34 % 0.02 % 0.14 %
Cardano0.9566 0.22 % 0.68 % 6.96 %
Solana45.81 1.69 % 4.61 % 7.94 %
Dogecoin0.07997 0.37 % 4.37 % 4.78 %

Bitcoin (BTC) $ 29,446.00
Ethereum (ETH) $ 1,868.98
Tether (USDT) $ 1.00
USD Coin (USDC) $ 1.00
BNB (BNB) $ 313.38
XRP (XRP) $ 0.395979
Binance USD (BUSD) $ 1.00
Cardano (ADA) $ 0.494487
Solana (SOL) $ 45.33
Dogecoin (DOGE) $ 0.079714