Hackers are using coronavirus-themed phishing lures to go after DOD networks

Hackers are targeting defense industrial base companies and their networks in order to move into DOD systems.
WESTERLY, RI/USA - MARCH 31, 2020. RI Military Police directs a driver with none-state plate at a checkpoint on US 1 in Westerly. Drivers must provide contact information and self-quarantine.

Cybercriminals have been targeting U.S. military organizations with coronavirus-related spearphishing schemes, the Department of Defense Cyber Crime Center (DC3) said Monday in a blog.

“Even though many supplies, services and leisure activities have slowed down or come to a screeching halt, the one thing that has remained the same — or even gained momentum — is cyber-espionage,” the DC3 said in the blog.

According to DC3’s assessment, those behind the campaign aren’t just targeting defense industrial base companies and their networks — the goal is to break into systems run by the DOD.

While cybercriminals and nation-state hackers have been targeting businesses and individuals around the world for months with coronavirus-themed spearphishing and spyware operations, it’s the first time the Pentagon has publicly said its own networks are coming under fire from hackers seeking to exploit the fears surrounding the pandemic.


The blog comes via DC3’s information sharing outreach, which offers threat intelligence and other assistance to the defense industrial base, according to Krystal Covey, the director of the DOD-DIB Collaborative Information Sharing Environment (DCISE).

“This crowd-sourced threat-sharing allows for near real-time collaboration, enabling members of the partnership and U.S. government agencies to potentially detect, deter and remediate before an incident occurs or escalates,” Covey said in a statement. “The public-private partnership that exists between the DIB partner companies and the DOD is built upon a foundation of trust, which is vital to critical cyberthreat information sharing.”

One company reported to the Pentagon that they had received an email that appeared to come from the Centers for Disease Control and Prevention, but actually directed targets to a credential-harvesting website. Another DIB organization found a “U.S. government Central Authentication Service login service was using a web service as an open redirect.”

That service in particular was taken offline in late March so that the malicious activity could be investigated, according to DCISE.

It was not clear if any of the hackers’ targeting operations had been successful or if any data from a company or DOD networks themselves had been exfiltrated.

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts