Fact check: Viral CERT-In advisory of possible phishing attack is TRUE but they are NOT sponsored by Chinese army

By NN Dharmasena

Hyderabad: Twitter and Facebook users are forwarding an alleged office memo of Directorate General (DG) of Central Industrial Security Force (CISF) issued to the ISGs of all sectors and the Director of NISA Hyderabad on June 21, 2020.

Fact Check:

The viral posts about CERT-In advisory of possible phishing attacks are TRUE, but the claim that these are sponsored by the Chinese Army is FALSE.

The alleged memo is an alert to the CISF personnel about a phishing attack. The memo alerted the staff not to fall prey to emails from addresses like ncov2019@gov.in and or with subject lines like Free Covid-19 testing for all residents of Delhi, Mumbai, Hyderabad, Chennai, and Ahmedabad.

The DG CISF warned the staff to not open links or attachments on unsolicited SMS's, emails, or messages on social media and observe spelling errors in email addresses and websites. The memo advised the staff not to provide login or personal and financial details to unknown and unfamiliar websites or links.

As per the memo, the DG CISF office issued the alert based 'on the advisory submitted by the Computer Emergency Response Team- India (CERT-In) regarding a potential cyber offensive attack from the Chinese army.'

It said that the CERT-In informed that "in the guise of a free Covid-19 test, Chinese cyber warriors could be carrying out a massive phishing attack."

The CERT-In said: "The phishing campaign is expected to use malicious emails under the pretext of local authorities in charge of dispensing government-funded Covid-19 support initiatives. Such emails are designed to drive recipients towards fake websites where they are deceived into downloading malicious files or entering personal and financial information."

As a reference to the advisory, the CERT-In gave the reference to stories published on Zeenews.India.com and Cyfirma.com, with a disclaimer that the information provided is on "as is" basis, without warranty of any kind.

The Cyfirma, which Zeenews is also quoted as the source, is a cybersecurity company that has a vision of unraveling cyber risks and threats for a safer society. In its early-warning post on the website, global COVID 19-related phishing campaign by North Korean operatives Lazarus group exposed by cyfirma researchers.

It informed that hacker groups are planning a large-scale phishing campaign targeted at more than 5M individuals and businesses (small, medium, and large enterprises) across six countries and multiple continents.

It also revealed a schedule to launch the phishing attack by Lazarus group, funded by North Korea. The schedule is as follows:

Country Name Campaign Launch Date Target

USA 20 June 2020 Individuals

UK 20 June 2020 Businesses

Japan 20 June 2020 Individuals

India 21 June 2020 Individuals

Singapore 21 June 2020 Businesses

South Korea 21 June 2020 Individuals

The template of the phishing email, shared by Cyfirma is

Alerted by the CERT-In, SBI and Kotak also issued advisories to the customers.

A Facebook user shared an image on his wall, which shows an alleged screenshot of a mail from ncov-19@gov.in with the subject 'free distribution of Covid-19 protective equipment (Ministry of health India) and attachments of .pps and .ppt'.

Social media users liked and started spreading information. The email ID was changed into a website and there are no precautions about opening a phishing link. ncov2019@gmail.com, ncov2019@gov.in, emails are the helpline email IDs operated by the Ministry of Health and Family Welfare, Government of India.

Hence, the viral posts about CERT-In advisory of possible phishing attacks are TRUE, but the claim that these are sponsored by the Chinese Army is FALSE.