A senior agency official at the World Health Organization (WHO) told Reuters today that the UN agency is now facing a more than two-fold increase in cyberattacks following the coronavirus outbreak, including attempts to break into its database by “elite hackers” earlier this month.
WHO chief information security officer Flavio Aggio confirmed the attack to Reuters and said that it was unsuccessful. He added, however, that the hackers’ identities remain unknown.
According to Aggio, the attack’s goal was to steal passwords from agency staffers, potentially for phishing purposes. Last month, the WHO published an alert warning against these phishing attempts, reminding the public that the organization will never ask for usernames or passwords, and will never email unrequested attachments, link to a website outside its network, charge or conduct lotteries.
“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio told Reuters. “There are no hard numbers, but such compromise attempts against us and the use of [WHO] impersonations to target others have more than doubled.”
Alexander Urbelis, a cybersecurity expert and lawyer with the New York-based Blackstone Law Group, was the first to tell Reuters about the attacks from the elite cybercriminals. Blackstone Law Group specializes in tracking suspicious internet domain registration activity, and Urbelis said that he noticed “around” March 13 that a group of hackers had activated a malicious site posing as the WHO’s internal email system.
Urbelis and Blackstone continue to monitor new website domains focused on COVID-19, suspecting that a great deal of them are malicious.
“It’s still around 2,000 a day,” Urbelis told the outlet, speaking about the number of new site registrations. “I have never seen anything like it.”
Two anonymous sources told Reuters that they suspect DarkHotel was behind the attack earlier this month. The cyberespionage group has been active since at least 2007 and has been tracked by cybersecurity firms, including Romania’s Bitdefender and Russia’s Kaspersky, to East Asia. Past targets include government employees and business executives in the U.S., China, Japan and North Korea.
“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless,” Kaspersky head of global research and analysis Costin Raiu told Reuters.
While Raiu could not confirm that DarkHotel was behind the attack on the WHO, he said the same malicious web infrastructure has also been deployed against other healthcare and humanitarian groups in the past month.