North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations

North Korean state hackers reportedly planning COVID-19 phishing campaign targeting 5M across six nations 1

Singapore, Japan, and the US are amongst six nations reportedly targeted in a COVID-19 themed phishing campaign that is scheduled to take place June 21. North Korean state hacker group Lazarus are said to be behind the massive attack that will see more than 5 million businesses and individuals receiving phishing email messages from spoofed government accounts. 

This would include 8,000 organisations in Singapore where the business contacts highlighted in an email template were addressed to members of the Singapore Business Federation (SBF), according to a report from cybersecurity vendor Cyfirma. Introduced in 2001 by the Ministry of Trade and Industry, SBF is responsible for promoting Singapore businesses and currently represents 27,200 companies.

The targeted Singapore businesses would reportedly receive phishing email messages — written in Chinese — from a spoofed Ministry of Manpower account, supposedly offering additional payouts for employees under the government’s COVID-19 support packages. 

The attacks are part of the Lazarus Group’s large-scale campaign targeting more than 5 million individuals and businesses, including small and large enterprises, across six countries: Singapore, South Korea, Japan, India, the UK, and the US. The North Korean hacker group is looking to gain financially from the campaign, where targeted email recipients will be asked to visit fraudulent websites and lured into revealing their personal and financial data, according to Cyfirma. 

It noted that governments in the six targeted nations all had announced funding support for enterprises and citizens to help them ride out the global pandemic, including Singapore, which said it would set aside almost SG$100 billion, and Japan, which unveiled 234 trillion yen in stimulus funds. 

Cyfirma’s founder and CEO Kumar Ritesh said it had notified, on June 18, government CERTs (Computer Emergency Response Team) in Singapore, Japan, South Korea, India, and the US, as well as the UK National Cyber Security Center. All six agencies had acknowledged the alert and currently were investigating. 

Ritesh told ZDNet that recipients’ email addresses were discussed amongst hackers and hosted on content server, but his researchers did not locate the contact database. “Having tracked the Lazarus Group for a number of years now, we are able to recognise their pattern of behaviour and attack mechanism,” he said. “The group would have trolled various forums and marketplaces to secure the 8,000 contacts [in Singapore].”

Asked if MOM’s database might have been breached, he said Cyfirma did not detect any claims in the hackers’ community regarding the ministry’s being penetrated. However, he noted that collecting business contact information from public platforms was easy and the hackers likely executed reconnaissance to collect information on public and social media platforms.

Cyfirma said the phishing campaign was designed to impersonate government agencies and departments as well as trade associations that had been instructed to oversee the distribution of the COVID-19 financial aid. 

The cybersecurity vendor said it first clued in on the possible attack on June 1 and, since then, had been analysing efforts behind the campaign and gathering evidence. All of these revealed the phishing attacks would be carried out in the six nations over a two-day blitz, it said, adding that it identified seven email templates impersonating government agencies and business associations. 

Ritesh said the vendor tapped its artificial intelligence platform to uncover cyberthreats as well as gathered data and observations from the deep and dark web, hackers’ forums, restricted communities, and other sources in different languages. It used its algorithms and analytical engines to analyse its data and threats to hackers, connecting the dots to identify motives, campaigns, and methods.

“In the past six months, we have also monitored hacker activities related to the COVID-19 pandemic, especially with regards to hoax, phishing, and scam campaigns,” he said. “On  June 1, we picked up an early indicator from a Korean-speaking community discussing the contents of a folder called ‘Health-Problem-2020′. Our researchers managed to access this folder and, upon investigation, found seven sub-folders in the package. These included the hackers’ project plans as well as details related to the six targeted countries [in this phishing campaign].”

Apart from Singapore’s Ministry of Manpower, other government agencies targeted in the email spoof included Japan’s Ministry of Finance and England’s central bank. Amongst others, Lazarus’ hackers claimed to have details of 1.1 million individual email IDs in Japan, another 2 million in India, and 180,000 business contacts in the UK. 

To date, Cyfirma had not been able to view any of the phishing sites detailed in the email templates, but it noted that these would likely be set up soon.

Singapore’s Manpower Ministry on Tuesday issued an alert on its website that a fake MOM website was phishing for personal information. It had published similar alerts earlier in March as well as last July, August, and September.


About the author

E-Crypto News was developed to assist all cryptocurrency investors in developing profitable cryptocurrency portfolios through the provision of timely and much-needed information. Investments in cryptocurrency require a level of detail, sensitivity, and accuracy that isn’t required in any other market and as such, we’ve developed our databases to help fill in information gaps.

Related Posts

E-Crypto News Executive Interviews

Automated trading with HaasBot Crypto Trading Bots

Crypto Scams

Millions in Cryptocurrency Stolen by Scammers in the Last Month According to Tenable Research
November 24, 2021
Behind The Scenes: How this Crypto Community Responded to + $50m Hack
October 18, 2021
Crypto Scams
Crypto Scams Still Persistent In 2021, SEC Warns About Red Flags To Watch
September 9, 2021
Poly Network
Here’s How Hackers Stole Over $600 million in the Poly Network Attack
August 12, 2021
The World’s Most Infamous Crypto Hacks and Scams
July 31, 2021

Blockchain/Cryptocurrency Questions and Answers

Crypto casinos
How Does Bitcoin Casino Work + 2021 Beginner’s Guide
November 8, 2021
How to Buy and Sell Cryptocurrency
November 8, 2021
What Are Bitcoin Futures And How Will They Work In 2022?
November 4, 2021
The Unconventional Guide to Ethereum
October 28, 2021
ICo Presale
The Science Behind ICO Presales…
October 14, 2021

CryptoCurrencyUSDChange 1hChange 24hChange 7d
Bitcoin57,764 0.35 % 0.61 % 2.44 %
Ethereum4,442.5 0.13 % 3.11 % 8.33 %
Binance Coin624.09 0.44 % 1.95 % 11.45 %
Tether0.9986 0.03 % 0.08 % 0.23 %
Solana204.68 0.16 % 1.90 % 5.41 %
Cardano1.610 0.18 % 0.34 % 9.68 %
XRP0.9937 0.09 % 2.41 % 4.15 %
Polkadot30.87 2.19 % 17.29 % 10.73 %
USD Coin1.000 0.14 % 0.20 % 0.17 %
Dogecoin0.2215 0.68 % 1.42 % 7.23 %

Bitcoin (BTC) $ 57,878.00
Ethereum (ETH) $ 4,445.82
Binance Coin (BNB) $ 623.82
Tether (USDT) $ 0.999511
Solana (SOL) $ 204.56
Cardano (ADA) $ 1.61
XRP (XRP) $ 0.991542
Polkadot (DOT) $ 37.23
USD Coin (USDC) $ 0.998458
Dogecoin (DOGE) $ 0.215241