Vietnamese cyber-espionage has pivoted to Beijing’s coronavirus response

APT32 looks to be targeting Chinese government organizations in pursuit of information on China's coronavirus response, FireEye researchers said.
vietnam coronavirus
Hackers working on behalf of the Vietnamese government have been targeting Chinese government organizations tasked with managing the country's response to the coronavirus pandemic. (Getty Images)

Hackers working on behalf of the Vietnamese government have been targeting Chinese government organizations tasked with managing the country’s response to the coronavirus pandemic, according to FireEye research published Wednesday.

The attackers specifically sent spearphishing emails laced with METALJACK malware to employees at China’s Ministry of Emergency Management and the government of Wuhan, where the virus is believed to have originated. The malware, which was delivered via phishing emails, eventually gets loaded into memory.

The hackers, which FireEye suspects to be a group called OceanLotus or APT32, are just the latest state-backed hacking operation that has pivoted to targeting the health care sector or coronavirus-related organizations in recent months.

Mandiant Threat Intelligence, a subsidiary of FireEye, consider APT32’s campaign to be “part of a global increase in cyber-espionage related to the crisis, carried out by states desperately seeking solutions and nonpublic information” and is aimed at collecting more information on how China has been handling the global health crisis.


Vietnam, which shares a border with China, was not alone in its skepticism about China’s response to the coronavirus and its overwhelmed medical system. In recent days China increased the country’s death toll by approximately 50 percent after global criticism that the country’s government covered up the true carnage of the virus.

APT32’s interest in gathering more information on China’s coronavirus response began in early January, approximately one week before coronavirus cases were reported in countries outside of China.

“The COVID-19 crisis poses an intense, existential concern to governments, and the current air of distrust is amplifying uncertainties, encouraging intelligence collection on a scale that rivals armed conflict. National, state or provincial, and local governments, as well as non-government organizations and international organizations, are being targeted,” the FireEye researchers write in a blog. “Until this crisis ends, we anticipate related cyber-espionage will continue to intensify globally.”

In the U.S., researchers studying the coronavirus have recently been the target of criminals’ and nation-state hackers’ cyber-espionage missions, according to the FBI. Some state-backed hackers have turned to distributing malicious coronavirus applications to citizens under the guise of spreading information when they are actually intended to bolster state-backed surveillance schemes.

Some of the lures APT32 has sent to victims have contained COVID-19 themes that could entice Chinese targets to click more readily. One such document was labeled “COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province” that displays a related New York Times article.


Other hackers looking to steal information from businesses, individuals, the government, and the health care sector have taken advantage of the uncertainties surrounding the pandemic and used coronavirus-themed lures to boost the spread of the campaigns as well.

Although FireEye has not gained access to the entirety of the execution chain, some of the lures APT32 has used have touched on topics other than coronavirus, such as financial office tasks.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts