Google has identified more than a dozen government-backed hacking groups using the COVID-19 pandemic as cover for phishing and malware attempts.
Google’s Threat Analysis Group (TAG), a specialized team of security experts that works to identify, report, and stop government-backed phishing and hacking against Google and the people who use its products, on Wednesday shared its latest findings and the threats it is seeing in relation to COVID-19.
Hackers frequently look at crises as an opportunity, and COVID-19 is no different. Across Google products, Google is seeing bad actors use COVID-related themes to create urgency so that people respond to phishing attacks and scams. Google's security systems have detected examples ranging from fake solicitations for charities and NGOs, to messages that try to mimic employer communications to employees working from home, to websites posing as official government pages and public health agencies. Recently, Google's systems have detected 18 million malware and phishing Gmail messages per day related to COVID-19, in addition to more than 240 million COVID-related daily spam messages.
TAG says it has specifically identified over a dozen government-backed attacker groups using COVID-19 themes as lures for phishing and malware attempts, trying to get their targets to click malicious links and download files.
One notable campaign attempted to target personal accounts of U.S. government employees with phishing lures using American fast food franchises and COVID-19 messaging. Some messages offered free meals and coupons in response to COVID-19, others suggested recipients visit sites disguised as online ordering and delivery options. Once people clicked on the emails, they were presented with phishing pages designed to trick them into providing their Google account credentials. The vast majority of these messages were sent to spam without any user ever seeing them, and Google was able to preemptively block the domains using Safe Browsing.
Google has also seen attackers try to trick people into downloading malware by impersonating health organizations, including activity that corroborates reporting in Reuters earlier this month and is consistent with the threat actor group often referred to as Charming Kitten. The team has seen similar activity from a South American actor, known externally as Packrat, with emails that linked to a domain spoofing the World Health Organization’s login page.
Generally, Google says it is not seeing an overall rise in phishing attacks by government-backed groups; this is just a change in tactics. In fact, Google saw a slight decrease in overall volumes in March compared to January and February. While it’s not unusual to see some fluctuations in these numbers, it could be that attackers, just like many other organizations, are experiencing productivity lags and issues due to global lockdowns and quarantine efforts.