There is apparently no quarter or mercy granted in the world of cyber espionage, even in a plague year. The world’s elite hackers will seize any opportunity that presents itself, including trying to hack the World Health Organization (WHO) as it attempts to provide life-saving research and medical interventions.
WHO Chief Information Security Officer Flavio Aggio has told Reuters that the organization is experiencing more than double the usual number of cyber attacks, and that a team of advanced hackers had attempted to set up a fraudulent site to compromise the internal email system. Additionally, hackers linked to the Iranian government have been accused of attempting to phish WHO employees.
The WHO under assault during a crisis
Cyber espionage activity against the WHO has picked up since at least early March, around when large-scale lockdowns and “stay at home” measures started to appear outside of China.
A site meant to look similar to that of the WHO was registered and went active in mid-March.
Cybersecurity expert Alexander Urbelis of Blackstone Law Group caught wind of the cyber espionage attempt early, believing it to be the work of a group called DarkHotel that he regularly monitors. Urbelis “realized quite quickly” that the group was actively targeting the WHO. The site appeared to be focused on tricking WHO staff into entering login credentials, and similar infrastructure has been used recently in attacks on health care organizations.
DarkHotel is an advanced persistent threat (APT) group that has been active since 2007. The group of hackers is thought to be based in South Korea, but it is unclear if it is affiliated with any government agencies. It is primarily a cybercrime-for-profit group that has previously tended to focus on countries in Asia, and got its name due to a penchant for hacking upscale hotel WiFi networks to steal confidential business information and commit cyber espionage targeting select guests. The group is known to run highly targeted spearphishing campaigns against VIP targets and has long experience with these types of attacks.
Reuters is reporting that a more recent phishing attempt on WHO employees is linked to state-sponsored Iranian hackers. The connection is based on the use of malicious websites that were also used by Iranian hackers in attacks on American academics in recent months.
Cyber espionage against the WHO?
The WHO is not necessarily the first organization one thinks of when the subject of cyber espionage comes up, but criminals and even nation-states might have some compelling reasons for targeting it. Inside information that is not available to the public regarding treatment drugs or vaccines in development could be valuable, as could unfiltered information about the progress of the pandemic in various countries that WHO staff might be privy to. Erich Kron, Security Awareness Advocate for KnowBe4, offered some insider insight: “Early in the pandemic, we saw attackers sending phishing emails disguised to look like official information from the WHO, which was being used to steal credentials. These were fairly easy to spot; however, if a legitimate account really was compromised and used to send phishing emails, the impact would be much greater. In addition, if attackers were able to take over any of the official social media accounts for the WHO and use them to spread misinformation, we could see impacts to already struggling economies across the globe. We should look at when the Associated Press had their Twitter account hacked in 2013 to see the impact social media could have on the stock markets.”
Attackers might also be looking to sow chaos via privileged access to WHO communications. The entire world is looking to the organization for its guidance based on the current progress of the disease, updated information on treatments, and coordination of joint direct actions in developing countries. The WHO’s media channels are currently a very powerful global platform.
The WHO is regularly targeted by hackers in more normal circumstances, but usually does not draw this level of special attention or cyber espionage. Prior to the pandemic the organization considered cyber security to be only a “moderate” threat compared to other issues. The only prior major incident involving the organization was a successful SQL injection attack that compromised some of its databases in 2012, during a rash of such attacks around the world.
The wave of corona cyber crime
Though the direct cyber espionage attempts on the WHO are relatively new, the organization has found its name caught up in a more general wave of cyber crime related to the ongoing pandemic.
Phishers and scammers are commonly posing as the WHO to either solicit donations or redirect targets to malware sites, to such a degree that the organization has published a public warning about these compromise attempts. The COVID-19 Solidarity Response Fund is the only legitimate pandemic-focused charity for which the WHO is currently soliciting donations, but some scammers are going so far as to register lookalike sites that use the charity name. One hallmark of these scams is that they usually ask for donations to be sent to a random Bitcoin wallet; the WHO has a dedicated donation portal for the relief fund set up at who.int that accepts more standard forms of online payment.
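The two hallmarks described above, a lookalike domain standing in for who.int and a request to pay a Bitcoin wallet, can be screened for automatically. The following is an added example for defenders triaging solicitation messages, not code from the article or from the WHO; the sample message, the `.example` domain and the Bitcoin address in it are constructed, and the lookalike heuristic (edit distance plus brand-term matching) is an assumption about what such a filter should check.

```python
import re

# Legitimate domain: the article says the relief fund's donation portal is hosted at who.int.
LEGIT_DOMAINS = {"who.int"}
# Brand fragments scammers reuse in lookalike names (organisation and charity names from the article).
BRAND_TERMS = ("who-", "whoint", "solidarity", "covid")

URL_HOST_RE = re.compile(r"https?://([a-z0-9.-]+)", re.I)
# Legacy (1/3-prefixed Base58) and bech32 (bc1...) Bitcoin address shapes.
BTC_RE = re.compile(r"\b(?:[13][a-km-zA-HJ-NP-Z1-9]{25,34}|bc1[a-z0-9]{25,62})\b")

def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch near-miss spellings such as wh0.int."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Reduce a hostname to its last two labels: donate.who.int -> who.int."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def is_lookalike(host: str) -> bool:
    dom = registrable(host)
    if dom in LEGIT_DOMAINS:
        return False
    label = dom.split(".")[0]
    if label == "who" or any(levenshtein(dom, legit) <= 2 for legit in LEGIT_DOMAINS):
        return True  # same name under another TLD, or a one/two-character typo of it
    return any(term in label for term in BRAND_TERMS)

def assess(message: str) -> dict:
    """Flag the two hallmarks the article describes: lookalike domains and Bitcoin wallets."""
    hosts = URL_HOST_RE.findall(message)
    lookalikes = sorted({registrable(h) for h in hosts if is_lookalike(h)})
    wallets = BTC_RE.findall(message)
    return {"lookalike_domains": lookalikes, "bitcoin_addresses": wallets,
            "suspicious": bool(lookalikes or wallets)}

# Constructed sample solicitation (not a real message, domain or address).
SAMPLE = ("WHO COVID-19 Solidarity Response Fund: donate at https://who-solidarityfund.example/give "
          "or send BTC to 1CxNSTRUCTEDFAKEADDRESSXYZXYZ. Official site: https://www.who.int/")

if __name__ == "__main__":
    print(assess(SAMPLE))
```

Matching the brand term "who-" and the bare label "who" will also catch unrelated domains; treat a hit as a reason to look closer, not as proof of fraud.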
General cyber crime is running wild in the midst of a pandemic. Blackstone’s Alexander Urbelis is tracking thousands of malicious sites with some sort of coronavirus theme, and is seeing around two thousand new sites of this sort pop up each day. Most of these sites are either looking to capture sensitive information or are simply posing as fake charities.
Other scam attempts center on offers of fake treatments, vaccines and home test kits. Some scams also offer low prices on high-demand items that are currently sold out or unusually expensive, such as N95 masks. There are numerous fraudulent charities soliciting donations, along with hackers and phishers posing as all sorts of health and government organizations. Work-at-home scams are also seeing a massive surge in popularity as people who were recently laid off are targeted.