COVID-19 Phishing. PHOTO: Cybercrime Magazine.

Global COVID-19 Phishing Campaign By North Korean Operatives Exposed

Hacking group targets USA, UK, Japan, India, Singapore, and South Korea. Full Report

– From the researchers at CYFIRMA

Singapore – Jun. 18, 2020

Hacker groups are planning a large-scale phishing campaign targeted at more than 5 million individuals and businesses (small, medium, and large enterprises) across six countries and multiple continents.

CYFIRMA researchers have been tracking the Lazarus Group, a known hacker group sponsored by North Korea, for many years. Investigations into the group’s activities have revealed detailed plans indicating an upcoming global phishing campaign.

There is a common thread across six targeted nations in multiple continents — the governments of these countries have announced significant fiscal support to individuals and businesses in their effort to stabilize their pandemic-ravaged economies. The following are some of the government-funded programs:

  • Singapore, a small nation-state in Southeast Asia, has announced almost SGD 100B financial aid in various forms to stem unemployment and keep businesses afloat;
  • Japan has announced stimulus funds of about 234 trillion yen;
  • Korea government has allocated a total of US$200B of emergency relief funds for industries including carmakers, telecoms, airlines, shipbuilders, and small merchants. The relief funds include cash handouts to families with certain provinces extending the support to tax-paying foreigners;
  • Indian government has announced Rs 20 lakh crore (US$307B) of credit, finance and collateral-free loans to micro, small and medium enterprises, as well as welfare packages for citizens;
  • America has set aside trillions of dollars to design Economic Impact Payment or Stimulus Payments as well as Paycheck Protection Program to prop up its economy; and
  • As part of the UK government COVID-19 recovery strategy, a number of support programs have been made available, such as Coronavirus Job Retention Scheme, and Self-Employment Income Support Scheme. The government’s package has also been complemented by further contributions from the Bank of England.

The Lazarus Group’s upcoming phishing campaign is designed to impersonate government agencies, departments, and trade associations who are tasked to oversee the disbursement of the fiscal aid.

The hackers plan to capitalize on these announcements to lure vulnerable individuals and companies into falling for the phishing attacks.

Given the potential victims are likely to be in need of financial assistance, this campaign carries a significant impact on political and social stability.

CYFIRMA researchers first picked up the lead on June 1, 2020, and have been analyzing the planned campaign, decoding the threats, and gathering evidence. Evidence points to hackers planning to launch attacks in six countries across multiple continents over a two-day period. Further research uncovered seven different email templates impersonating government departments and business associations.

As of time of reporting (18 Jun), we have not seen the phishing or impersonated sites defined in the email templates. But our research shows the hackers were planning to set that up in the next 24 hours.

We also observed that hackers are planning to spoof or create fake email IDs impersonating various authorities. These are some of the emails discussed in their phishing campaign plan:

  • covid19notice@usda.gov
  • ccff-applications@bankofengland.co.uk
  • covid-support@mom.gov.sg
  • covid-support@mof.go.jp
  • ncov2019@gov.in
  • fppr@korea.kr

The CYFIRMA full report contains the phishing campaign scheduled launch dates in each of the 6 countries that are being targeted — USA, UK, Japan, India, Singapore, and South Korea. The report also illustrates the hacking theme against each country with screenshots of actual email messages.

Lazarus Group’s well-thought-out sophisticated plan includes personalized email templates designed for each country. The cybercriminals seem to have invested significant effort to ensure each of these emails are relevant to the country’s context. This way they can increase their phishing campaign’s success rate.

CYFIRMA’s assessment is also corroborated by public tools like VirusTotal and AlienVault OTX.

We encourage CISOs, security leaders, and security teams globally to carefully review our full report.

CYFIRMA Archives

– From the researchers at CYFIRMA


About CYFIRMA

Headquartered in Singapore and Tokyo, CYFIRMA is a leading threat discovery and cybersecurity platform company. Its cloud-based AI and ML-powered cyber intelligence analytics platform helps organizations proactively identify potential threats at the planningstage of cyberattacks, offers deep insights into their cyber landscape, and amplifies preparedness by keeping the organization’s cybersecurity posture up-to-date, resilient, and ready against upcoming attacks.

CYFIRMA works with many Fortune 500 companies. The company has offices and teams located in Singapore, Japan and India.



Send this to a friend