A hacking group hit the World Health Organization earlier this month to try to steal passwords from agency staffers, Reuters reported on Tuesday. The attempt was but one of many as the organization contends with a surge in cyberattacks even as it fights to contain the coronavirus.

SEE: Special report: A winning strategy for cybersecurity (free PDF) (TechRepublic)

WHO Chief Information Security Officer Flavio Aggio told Reuters that the effort was unsuccessful and that the identity of the hackers was unknown. The attempted hacking was reported to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with Blackstone Law Group, which tracks suspicious internet domain registration activity. Urbelis said he discovered the activity around March 13 when a hacking group that he’d been following turned on a malicious site impersonating the WHO’s internal email system.

Aggio confirmed to Reuters that the site uncovered by Urbelis had been used to try to steal passwords from several agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio told Reuters. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

Neither the WHO nor Urbelis said they knew the identity of the hackers. But two other sources briefed on the matter said they suspected an advanced group of hackers called DarkHotel, which has been involved in cyber-espionage operations since at least 2007.

“Financial gain is a strong motive for bad actors, particularly at a time when defenders are distracted navigating a global crisis,” Casey Ellis, CTO & Founder of cybersecurity provider Bugcrowd, said. “With all hands on deck, health organizations like the WHO lack the resources to defend against the opportunistic cybercriminals at the best of times, let alone during a crisis like COVID-19. Potential victims of identity theft and fraud are likely to be distracted for the same reasons, which decreases the likelihood of attacker detection, and increases the odds of attacker success. While this is a brutally ugly play coming from the bad guys, it’s also a smart one.”

On the positive side, white-hat groups have arisen to help organizations like the WHO fight the battle against cybercriminals.

“Just as the global community has united and worked together to fight COVID, white-hat hacker collectives have sprung up to assist healthcare and social organizations defend against attackers through this crisis,” Ellis said. “Enlisting the help of security researchers and white-hat hackers to monitor and hunt for vulnerabilities ahead of the adversary can aid health organizations, like the WHO, to remediate and take actions to secure data rapidly.”

Last month, the WHO published an alert warning that cybercriminals are impersonating the agency to steal money or access sensitive information. In response, the WHO cautioned people that it would never do the following:

  • Never ask for your username or password to access safety information.
  • Never email attachments you didn’t ask for.
  • Never ask you to visit a link outside of www.who.int.
  • Never charge money to apply for a job, register for a conference, or reserve a hotel.
  • Never conduct lotteries or offer prizes, grants, certificates or funding through email.

In the wake of the coronavirus, cybercriminals have also been ramping up phishing emails that impersonate the WHO and other organizations. As always, the goal behind these is to trick the user into downloading malware and steal login credentials and other sensitive information. To protect yourself against phishing emails pretending to be from the WHO, the agency offers the following tips:

  • Verify the sender by checking their email address. Make sure the sender has an email address such as ‘person@who.int’ If there is anything other than ‘who.int’ after the ‘@’ symbol, this sender is not from WHO. For example, WHO does not send email from addresses ending in ‘@who.com’ , ‘@who.org’ or ‘@who-safety.org’.
  • Check the link before you click. Make sure the link starts with ‘https://www.who.int’. Better still, navigate to the WHO website directly, by typing ‘https://www.who.int’ into your browser.
  • Be careful when providing personal information. Always consider why someone wants your information and if it is appropriate. There is no reason someone would need your username and password to access public information.
  • Do not rush or feel under pressure. Cybercriminals use emergencies such as COVID-19 to get people to make decisions quickly. Always take time to think about a request for your personal information, and whether the request is appropriate.
  • If you gave sensitive information, don’t panic. If you believe you have given data such as your username or passwords to cybercriminals, immediately change your credentials on each site where you have used them.
  • If you see a scam, report it. You can report a scam directly to the WHO.


Image: iStockphoto/peshkov