Elite hackers tried to break into the World Health Organisation earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.
WHO Chief Information Security Officer Flavio Aggio said the hackers’ identity was unclear and their effort unsuccessful. He warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15 000 worldwide.
The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.
Urbelis picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO internal email system.
“I realised quickly this was a live attack on the WHO in the midst of a pandemic,” he said.
Urbelis didn’t know who was responsible, but other sources briefed on the matter suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.
Messages sent to email addresses maintained by the hackers went unreturned.
Asked by Reuters about the incident, Aggio confirmed the site spotted by Urbelis was used in an attempt to steal passwords from multiple agency staffers.
“There is an increase targeting the WHO and other cybersecurity incidents,” Aggio said. “There are no hard numbers, but compromise attempts against us and the use of WHO impersonations to target others more than doubled.”
The WHO published an alert last month warning that hackers are posing as the agency to steal money and sensitive information.
Government officials in the US, Britain and elsewhere issued cybersecurity warnings about the dangers of a newly remote workforce as people stay home to work and study because of the coronavirus pandemic.
The motives in the case identified by Reuters aren’t clear. UN agencies, the WHO included, are regularly targeted by digital espionage campaigns and Aggio did not know who precisely at the organisation the hackers had in their sights.
Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky traced many DarkHotel operations to East Asia – an area particularly affected by the coronavirus. Specific targets included government employees and business executives in China, North Korea, Japan and the US.
Costin Raiu, head of global research and analysis at Kaspersky, could not confirm DarkHotel was responsible for the WHO attack but said the same malicious web infrastructure was used to target other healthcare and humanitarian organisations recently.
“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organisation of an affected country,” he said.
Officials and cybersecurity experts warned that hackers of all stripes seek to capitalise on international concern over the spread of the coronavirus.
Urbelis tracked thousands of coronavirus-themed web sites set up daily, many obviously malicious.
“It’s still around 2 000 a day,” he said. “I have never seen anything like this.”