Authors
Claim
A PDF with the subject line, Cyber Alert: Reg, states that the Computer Emergency Response Team-India(CERT-In) has issued a COVID-19 related advisory about a potential cyber offensive attack from the Chinese army.
The PDF which claims to be from the Central Industrial Security Force (CISF), Ministry of Home Affairs and signed by B S N Reddy, Sr. Commandant details that in the guise of a free COVID-19 test, “Chinese cyber warriors could be carrying out a massive phishing attack.”
We received this PDF on our Whatsapp verification helpline number asking for clarification on the facts included in it. You can read the full document here.
Fact Check
As the PDF claimed to source an advisory from the Computer Emergency Response Team-India(CERT-In), we first searched for any such advisory on their website. We found an advisory issued on 19 June, 2020 titled, COVID-19 related Phishing Attack Campaign by Malicious Actors.
The 19 June CERT-In advisory describes that malicious actors behind the phishing campaign claim to have two million individual/ citizen email IDs and plan to send emails inciting them to provide their personal information. The phishing campaign which was expected to start on 21 June planned to create fake email IDs such as ncov2019@gov.in impersonating various authorities. CERT-In’s advisory states that the phishing email may look as follows:
You can read the detailed advisory in the ‘Advisories’ section on their website. CERT-In also posted about the same on their Twitter profile on 20 June.
News organisations reported on CERT-In’s COVID-19 related phishing attack campaign advisory as well.
However, CERT-In did not mention in their advisory who was behind the planned phishing attacks. A reference link to CYFIRMA, a threat discovery and cyber-intelligence company, backed by Goldman Sachs, at the bottom of the advisory led us to knowing that a North Korean hacker group called Lazarus Group is behind this COVID-19 related phishing campaign. A 18 June report by CYFIRMA says that phishing attacks in India are part of a global campaign by Lazarus that has targeted five other countries apart from India for financial gains. You can read the entire report here.
We wrote to CYFIRMA seeking a confirmation on North Korean operatives, Lazarus Group, being behind the COVID-19 related phishing campaign. In their response they confirmed it and said that observations about the global phishing campaign came from research obtained from their platform and monitoring of the dark web. They further explained:
“For Global Phishing campaign, the 6 nations’ CERT (Computer Emergency Response Team) authorities have reverted and confirmed the analysis and threat. Pls see IN CERT website for their advisory.”
They also informed us of another piece of research they released on “cyberattacks on Indian assets due to ongoing China-India border crisis.” CERT-In has been alerted of the same, they said. You can read more about it in livemint’s story here.
Coming back to the PDF we received on our Whatsapp number for verification, the key points detailed match the information included in CERT-In’s COVID-19 advisory. But contrary to what’s mentioned in the PDF, the advisory does not state that the potential cyber attacks are from the Chinese Army. Nor did we find any other advisory on their website which mention the Chinese army being behind potential cyber attacks.
We’ve reached out to B S N Reddy, the CISF personnel whose alleged digital signature is on the PDF, for confirmation on this document.
We also contacted CERT-In asking if they’ve released any advisory which states a “potential cyber offensive attack from the Chinese Army.”
We’re awaiting confirmation from the above sources. This story will be updated if or when we hear from either of them.
Conclusion
The PDF we received stating that CERT-In issued an advisory regarding a COVID-19 related potential offensive cyber attack from the Chinese army is misleading. Our research showed that the 19 June CERT-In advisory titled, “COVID 19-related Phishing Attack Campaign by Malicious Actors,” did not mention who was behind the potential cyber attacks.
Tools Used
- Google Advanced Search
Result: Misleading
If you would like us to fact check a claim, give feedback or lodge a complaint, WhatsApp us at 9999499044. You can also visit the Contact Us page and fill the form.
