New espionage attempts target WHO, trying to steal data

New espionage attempts target WHO (The World Health Organization) in order to steal information about the possible cures, tests or vaccines for COVID-19.

As the worldwide COVID-19 pandemic continues, the number of attacks doubled, according to officials. Most recently, the DarkHotel APT group has tried to infiltrate WHO’s networks to steal information.

Cybersecurity researchers observed on March 13 a malicious site that mimicked the WHO’s internal email system. Thus, the attackers tried to steal passwords from multiple agency staffers. Alexander Urbelis, cybersecurity researcher at Blackstone Law Group, said he realized “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”

So, according to Costin Raiu, Kaspersky researcher, mentioned that the information about remediation for coronavirus is invaluable for any intelligence agency.

Some researchers consider that the DarkHotel, an andvanced persistent threat (APT) group associated with cyberespionage in China, North Korea, Japan and US, might be behind this attack.

DarkHotel was firstly identified in 2014 by Karspesky researchers. At that time, they mentioned that the group had been active since at least 2007. The APT became known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels. Then, it has widened its targeting, while continuing to leverage zero-day vulnerabilities and exploits. Only two days ago, Nikolay Pankov, from Kaspersky, mentioned in an article that “Health-care facilities are struggling with the current coronavirus epidemic”. So, there is no surprise that espionage attempts target WHO. The solution Pankiv came with was that to help these facilities with cyberprotection. So, Kaspersky decided to offer free six-month licenses for these.

Fears fuel the cybercriminals

Meanwhile, cybercriminals are tapping into the fears around coronavirus. They launch many cyberattacks using COVID-19 as a lure or theme. Flavio Aggio, WHO Chief Information Security Officer (CISO), told Reuters: “There has been a big increase in targeting of the WHO and other cybersecurity incidents… such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.” The WHO also published an alert warning against these attempts.

On Tuesday, CrowdStrike mentioned a scam impersonating WHO that requested Bitcoin donations to the COVID-19 Solidarity Response Fund. Firstly, the attackers copied one of the messages directly from the official website of the fund. Also, the scam emails spoofed WHO email addresses (e.g., using <donate@who.int>) but came from other domains than WHO’s.

Still, these attacks are not a surprise, as people are turning to the official WHO website for advice and guidance. Also, many other malicious emails using coronavirus as a theme are spreading phishing and malware. Other attacks include malicious websites and apps that pretend to share coronavirus related information. In fact, they access victim’s devices. At the same time, some fraudulent websites pretend to sell coronavirus cures.

But, cybercriminals try to target the fear and uncertainty of the users. They work to make their messaging very tempting. So, users should be very vigilant and seek for information from official sources and their websites. In order to get rid of the possibly fake ads, you can use Ad Guardian Plus, for free.