Hackers working in the interests of the Iranian government attempted to break into personal email accounts of staff at the World Health Organisation (WHO) during the coronavirus outbreak, four people with knowledge of the matter told Reuters.
It is not clear if any accounts were compromised, but the attacks show how the WHO and other organisations at the centre of a global effort to contain the coronavirus have come under a sustained digital bombardment by hackers seeking information about the outbreak.
Reuters reported in March that hacking attempts against the UN health agency and its partners had more than doubled since the start of the coronavirus crisis, which has now killed more than 40 000 worldwide.
The latest effort has been ongoing since March 2 and attempted to steal passwords from WHO staff by sending malicious messages mimicking Google web services to their personal email accounts, a technique known as “phishing,” according to four people briefed on the attacks. Reuters confirmed the findings by reviewing malicious websites and other forensic data.
“We’ve seen targeting by what looks like Iranian government-backed attackers targeting international health organisations generally via phishing,” said one source, who works for a large technology company monitoring internet traffic for malicious cyber activity.
WHO spokesman Tarik Jasarevic confirmed personal email accounts of WHO staff were targeted by phishing attacks, but said the WHO did not know who was responsible. “To the best of our knowledge, none of these hacking attempts were successful,” he said.
Iran’s government denied any involvement. “These are lies to put more pressure on Iran,” said a spokesman at Iran’s information technology ministry. “Iran has been a victim of hacking.”
Karim Hijazi, chief executive of cyber intelligence firm Prevailion, shared recently captured data with Reuters showing a sophisticated hacking group actively targeting the global health organisation. Reuters couldn’t independently confirm his analysis. Hijazi said the identity of the hackers was difficult to determine, although their techniques appeared advanced.
The intrusion attempts are distinct from others reported by Reuters, which sources said were the work of an advanced group of hackers known as DarkHotel, which has previously been active in East Asia – an area particularly affected by the coronavirus.
The hackers’ motives are not clear, but targeting officials at their personal accounts is a longstanding intelligence-gathering technique.
Other details in this phishing attempt point to links with Tehran. For example, Reuters found the same malicious websites used in the WHO break-in attempts were deployed to target American academics with ties to Iran.
The related activity – which saw hackers impersonate a well-known researcher – parallels cases Reuters previously documented where alleged Iranian hackers masqueraded as media figures from organisations such as CNN or The New York Times to trick targets.
Iran suffered major loss of life from the coronavirus and infections have reached the inner circle of the country’s leadership.
A person close to US intelligence said he was aware of the Iranian campaign and that such attacks are standard during times of international crisis.
While large prizes for intelligence agencies would include coronavirus response plans for various countries or word of effective treatments, more benign data, such as WHO estimates for infection rates, would also be valuable, the person said.