Cyber Incident Victim: Ministry of Emergency Management of China
Date: Jan 2020
Location: China
Summary
Vietnamese state-backed hackers targeted Chinese government organizations managing the coronavirus response, deploying spearphishing emails containing METALJACK malware to compromise systems at the Ministry of Emergency Management and Wuhan authorities. The attackers, identified as APT32 (OceanLotus), sought intelligence on China's pandemic handling amid global distrust, using COVID-19-themed lures such as fabricated travel advisories mimicking legitimate news sources. This campaign reflected broader espionage trends during the health crisis, with hackers exploiting pandemic-related uncertainties to enhance phishing effectiveness. The operation aimed to collect nonpublic information about China's containment strategies and medical system capacities, aligning with heightened state-sponsored cyber-espionage activities targeting critical response efforts worldwide.
Description
In early January 2020, approximately one week before coronavirus cases were reported outside China, hackers suspected of operating on behalf of the Vietnamese government initiated a cyber-espionage campaign targeting Chinese entities managing the COVID-19 response. The attackers, identified by FireEye as APT32 (also known as OceanLotus), sent spearphishing emails containing METALJACK malware to employees at China’s Ministry of Emergency Management and the Wuhan municipal government. The malware was designed to load into memory upon execution, though researchers did not recover the full execution chain. The attackers used COVID-19-themed lures to increase click-through rates, including a document titled “COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province” that displayed a related New York Times article. Some lures also referenced non-pandemic topics such as financial office tasks. FireEye assessed that the operation began as international scrutiny of China’s initial pandemic response was growing, and that it aimed to collect nonpublic information about China’s crisis management strategies.

The campaign occurred amid heightened global cyber-espionage activity targeting COVID-19 response efforts, with FireEye describing the scale as rivaling intelligence collection during armed conflicts. Impacts included the potential compromise of sensitive data related to China’s pandemic containment measures, travel restrictions, and internal assessments. The targeting aligned with Vietnam’s geopolitical interests as a neighboring country skeptical of China’s transparency, particularly after China revised its official COVID-19 death toll amid allegations of underreporting. FireEye’s Mandiant Threat Intelligence unit publicly attributed the activity to APT32, noting its connection to broader state-sponsored espionage trends exploiting the pandemic. The FBI separately warned of similar targeting against U.S. coronavirus researchers, though no direct coordination between these incidents was confirmed. APT32’s use of both pandemic-specific and generic lures demonstrated adaptability in its social engineering tactics when infiltrating high-value government networks during the crisis.
