Proofpoint, which works with medical research firms, universities and governments around the world, said it had notified its clients of the threat, which should be picked up by security software.
“Attribution of these campaigns with differing motivations paints a contemporary portrait of the Chinese advanced persistent threat [APT] landscape and the state’s evolving targeting priorities in a post COVID-19 world,” the security company said.
An APT is a sophisticated, sustained hacking campaign that uses distinctive tactics; such campaigns are frequently associated with a nation-state.
Emails purporting to be from the World Health Organisation were sent in March under the heading “country and technical guidance,” outlining various public health scenarios.
In separate attacks in February, an email bearing the Australian Medical Association logo and a message purporting to be from Australian HealthCare, sent from a fake centre for disease control “cdc-australia” address, was circulated as a coronavirus alert warning, urging users to view safety measures to protect public safety and health. The Australian Medical Association, World Health Organisation and Chinese Foreign Ministry were contacted for comment.
Proofpoint matched the Sepulcher malware to publicly known sender addresses associated with Tibetan dissident campaigns.
“While best known for their campaigns against the Tibetan diaspora, this APT group associated with the Chinese state interest prioritised intelligence collection around Western economies reeling from COVID-19 in March 2020 before resuming more conventional targeting later this year,” Proofpoint said.
DeGrippo said COVID-19 was the first time there had been a truly global event since the invention of email.
“COVID-19 is the first time I have seen world-wide concerns where every human on earth has some sort of worry,” she said in an interview from California on Thursday. “Hackers leverage that sense of fear to get you to take the action they want you to take, which is to click or download.”
The malware has seven work modes that can conduct reconnaissance on an infected host including obtaining information about directory statistics, deleting files, creating directories, moving file sources and spawning a shell to execute commands.
“It’s a remote access Trojan,” said DeGrippo. “This is not a particularly sophisticated RAT but it is made by an actor that we believe to be operating on behalf of the Chinese government.”
In a joint statement from the Department of Foreign Affairs, Department of Home Affairs and the Australian Signals Directorate in July, Australia warned Chinese hackers were compromising networks across the world for commercial and personal gain.
“Of particular concern, these individuals also reportedly targeted COVID-19 research as well as political dissidents, religious minorities and human rights advocates,” the Australian government said.
“Australia reiterates our call to all countries to refrain from behaviour which violates their international commitments.”
Eryk Bagshaw is the China correspondent for The Sydney Morning Herald and The Age. Due to travel restrictions, he is currently based in Canberra.