
Cyber Incident Victim: Wuhan government

Date: Jan 2020

Location: China

Summary

Vietnamese state-backed hackers targeted Chinese government entities managing the coronavirus response, including the Wuhan government, through spearphishing emails carrying METALJACK malware designed to infiltrate systems and gather intelligence. The attackers, identified as APT32, sought nonpublic information on China's pandemic management strategies amid global skepticism about the country's handling of the crisis, and used COVID-19-themed lures such as fabricated travel advisories to raise the rate at which recipients opened the malicious attachments and were infected. This campaign reflected a broader espionage trend during the pandemic, with state actors intensifying cyber operations to acquire sensitive data related to the health emergency.


Description

In early January 2020, approximately one week before coronavirus cases were reported outside China, Vietnamese state-sponsored hackers known as APT32 (also identified as OceanLotus) initiated a cyber-espionage campaign targeting Chinese government entities managing the COVID-19 response. The attackers deployed spearphishing emails containing METALJACK malware to employees at China's Ministry of Emergency Management and the Wuhan municipal government, where the virus originated. The malware was designed to load into system memory upon execution, though researchers from FireEye did not fully reconstruct the entire execution chain. APT32 crafted COVID-19-themed lures to increase click-through rates, including one document titled "COVID-19 live updates: China is currently tracking all travelers coming from Hubei Province" that displayed a New York Times article. The operation coincided with Vietnam's skepticism about China's pandemic management and occurred shortly before China revised its official death toll upward by 50% following international criticism of underreporting.


FireEye's Mandiant Threat Intelligence assessed the campaign as part of a global surge in pandemic-related espionage, driven by governments seeking nonpublic information about containment strategies. APT32's activities aligned with broader patterns of state-sponsored groups exploiting health crisis uncertainties, including malicious COVID-19 tracking apps deployed for surveillance. While the primary lures focused on pandemic themes, some decoy documents referenced unrelated topics like financial office tasks. The FBI concurrently warned of nation-state actors targeting coronavirus researchers in the U.S., though no direct connection to APT32 was cited. FireEye researchers emphasized that such cyber-espionage would likely intensify throughout the crisis due to heightened distrust between nations and the existential stakes of pandemic response efforts. The targeting of Wuhan's government infrastructure specifically aimed to gather intelligence on China's early-stage containment measures and internal assessments of the outbreak's severity.
