wordpress blog stats
Connect with us

Hi, what are you looking for?

CERT-In warns of phishing campaign against Indian citizens, businesses; North Korean group may be behind the campaign

cyber crime, phishing

Malicious actors were expected to launch a large-scale phishing campaign against Indian citizens and businesses under the pretext of dispensing government funds for COVID-19 related initiatives on June 21, the Indian Computer Emergency Response Team (CERT-In) warned in an advisory (archived here) on June 19. Although CERT-In has not attributed this campaign to any organisation or country, it has given two references that contend that the North Korean, state-sponsored Lazarus Group is behind this attack (more on that below), one of which is a report by Singapore-based cybersecurity firm Cyfirma, while the other is a Zee News article based on the Cyfirma report.

Modus operandi

  • The malicious actors will impersonate government agencies, departments, and trade associations that are responsible for overseeing the disbursement of COVID-19 related financial aid. They will spoof or create email addresses that look like ncov2019[@]gov.in.
  • Emails with the subject “Free COVID-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai and Ahmedabad” will be sent to two million individual/citizen email addresses that the malicious actors have.
  • Clicking on links in these emails will take recipients to fake websites where they could be deceived into downloading malicious files or entering personal and financial information.

According to the advisory, the email may look like the following:

What the email may look like. Source: CERT-In

Is North Korea’s Lazarus Group behind the attack?

Singapore-based Cyfirma, which also has offices in Bangalore and Tokyo, reported that the Lazarus Group is planning this phishing campaign that will target more than five million individuals and businesses across six countries (USA, UK, India, Japan, Singapore, South Korea). All these six countries have announced “significant” fiscal support to individuals and businesses to counteract the economic effects of the COVID-19 pandemic. Although the CERT-In advisory has said that both individuals and businesses will be targeted, as per Cyfirma, in India, only individuals are expected to be targeted.

Since this campaign got reported before its probable launch, it is not clear if the hackers have launched the campaign or changed the date. We have reached out to Cyfirma for more information.

This is not Lazarus Group’s first Indian rodeo

This is not the first time that Lazarus Group has tried to target Indians and/or Indian infrastructure. As per a Kaspersky report from September 2019, the group had created a spyware called Dtrack that Kaspersky had discovered in Indian ATMs in 2018 and was used to steal customer data. Researchers had then found 180 other new malware samples with code similarities to ATMDtrack, but those were aimed at other financial institutions and research centres. This group of malware, called Dtrack, can give threat actors “complete control over infected devices”.

The malware that infected Kudankulam Nuclear Power Plant’s external network in September 2019 had similar strains to Dtrack. Dtrack also had similarities with another campaign — DarkSeoul — in 2013 that targeted three television stations and bank in South Korea along with ATMs and mobile payments in the country.

COVID-19: A boon for cybercriminals?

This is not the first time that CERT-In has had to issue an advisory or notice about how cybercriminals are using the pandemic to target people. On May 15, CERT had released an advisory warning people that malicious actors were using fake video conferencing app domains (Zoom, Google Meet, Microsoft Teams) to lure victims. Threat actors were also using Aarogya Setu to deploy phishing campaigns and impersonating the World Health Organisation (WHO) to send phishing emails with malicious files and links. Similarly, phishing domains specially focussed around the pandemic, such as “corona vaccine”, “corona testing kit”, etc. have also seen a spike. Phishing messages have been sent via email, SMS (smishing) and WhatsApp (whishing).

Advertisement. Scroll to continue reading.

India’s National Cyber Security Coordinator Lt Gen. (Dr) Rajesh Pant had also warned about cybercriminals using the pandemic to exploit people. Since people are looking for advisories, maps where COVID-19 has spread, and numerous apps have “suddenly sprung up”, this has created “the perfect storm for fraudsters” as cybercriminals are always on the lookout for big events such as Olympics, World Cup, etc., Pant said. “You are aware of happened in the PM CARES Fund, you are aware of the WHO site being cloned, all of us have heard that more than 130,000 sites have been registered in the name of Corona or COVID out of which five to six thousand have proven to be frauds,” he said. For a fraud of this kind to be successful, the perpetrator needs a success rate of 4%. “The average success rate of these clickbaiting lures is supposed to be 4%,” Pant said. And once they gain access, depending on the vector, the fraudsters can use it to get data, practise social engineering, or “if you are part of an enterprise, they want to do a lateral spread, come onto the admin server, escalate the privileges, then sit on it, and then maybe resort to ransomware”, he explained.

Written By

Send me tips at aditi@medianama.com. Email for Signal/WhatsApp.

MediaNama’s mission is to help build a digital ecosystem which is open, fair, global and competitive.



Due to the scale of regulatory and technical challenges, transparency reporting under the IT Rules has gotten off to a rocky start.


Here are possible reasons why Indians are not generating significant IAP revenues despite our download share crossing 30%.


This article addresses the legal and practical ambiguities in understanding the complex crypto ecosystem in India.


It is widely argued that the PDP Bill report seeks to discard the intermediary status of social media platforms but that may not be...


Looking at the definition of health data, it is difficult to verify whether health IDs are covered by the Bill.

You May Also Like


Google has released a Google Travel Trends Report which states that branded budget hotel search queries grew 179% year over year (YOY) in India, in...


135 job openings in over 60 companies are listed at our free Digital and Mobile Job Board: If you’re looking for a job, or...


Rajesh Kumar* doesn’t have many enemies in life. But, Uber, for which he drives a cab everyday, is starting to look like one, he...


By Aroon Deep and Aditya Chunduru You’re reading it here first: Twitter has complied with government requests to censor 52 tweets that mostly criticised...

MediaNama is the premier source of information and analysis on Technology Policy in India. More about MediaNama, and contact information, here.

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ

Subscribe to our daily newsletter
Your email address:*
Please enter all required fields Click to hide
Correct invalid entries Click to hide

© 2008-2021 Mixed Bag Media Pvt. Ltd. Developed By PixelVJ