During the worldwide COVID-19 pandemic we are witnessing not only a rise in cyber operations, but increased targeting of global organisations leading the COVID-19 response.

Background

Soon after COVID-19 broke, allegations were made that hackers purportedly linked to Iran had conducted a phishing campaign against the World Health Organisation (WHO). As Reuters reported, malicious messages mimicking Google web services were sent to multiple staff accounts, apparently to obtain usernames and passwords that would allow access to the WHO’s network. Such phishing campaigns are one of a number of techniques frequently used by cyber criminals.

The campaign was believed to have been launched on 2 March 2020, and was initially exposed by Alexander Urbelis, a cyber security expert and Blackstone Law Group attorney, on 13 March. Using a domain name system (DNS) threat intelligence platform, Urbelis detected multiple suspicious domains that had activated a site imitating the WHO’s login portal.

The campaign’s sophistication implied that specific information was being sought. As Bernardo Mariano, the WHO’s Chief Information Officer explained, specific profiles were seemingly targeted, particularly “key officials involved with the COVID-19 work”. This included Tedros Ghebreyesus, the WHO’s Director General, and Bruce Aylward, a leader in the WHO’s engagement with China. Urbelis further suggested that the perpetrators were able to restrict access to the official WHO portal and subdomains to boost malicious site usage, suggesting high-level cyber capabilities.

A known hacker group, DarkHotel, was initially suspected, given its previous attempts to infiltrate the WHO network. Further investigation identified alleged links to Iran, with a source suggesting “Iranian government-backed attackers”. The campaign had Iranian phishing hallmarks and identical features to another malicious site activated at a similar time targeting US-based academics with interests in Iran.

Tehran has denied these claims, with an IT spokesperson stating they are “sheer lies”, while the WHO says that no sensitive information was obtained. To date, attribution and specific motives remain unclear.

Lessons learnt

Several lessons can be learnt from this case that apply not just to health organisations such as the WHO, but to all organisations that may be vulnerable to hacking.

Lesson 1: A new target and new motives

Major international corporations such as easyJet have always been targets for cyber criminals, as are UN agencies. The UN categorises such activities as a “moderate” threat. However, since the start of the COVID outbreak, operations have increased on organisations not considered traditional cyber espionage targets. Operations targeting the WHO in particular have more than doubled, with further phishing campaigns confirmed against WHO teams in South Korea and the Geneva headquarters. Other health-related organisations have also been targeted, such as the US Department of Health and Human Services and Italy’s Department of Welfare and Social Security.

This trend suggests that acquiring information on COVID-19 is the principle motivation and that such information is potentially “priceless and the priority of any intelligence organisation of an affected country”. Hackers may seek the latest developments in vaccines, tests and tracking activities, with the WHO a primary source of such data. The aim may also be to spread misinformation.

This suggests that the value of information can drastically change as global priorities change. Context matters, and during a health crisis, pandemic-related data can be more valuable than national intelligence such as military secrets. It demonstrates the importance of ensuring information security, particularly during a pandemic, when the release of pre-exposed data or misinformation could cause real-world collateral damage.

Lesson 2: The perfect storm

This is exacerbated by the sudden switch to remote working, resulting in an unparalleled spike in cyber  operations as people work in less secure environments and use less secure networks to communicate sensitive information, carrying out work usually done within a single office and network system. This has created the perfect storm for malicious actors.

Organisations therefore need to strengthen their dispersed network security. The WHO has increased resources, doubling its security team and commissioning five security companies to better protect its systems. Other organisations, not just those in the healthcare sector, should do the same, to ensure that systems used by remote workforces remain secure and to identify any network vulnerabilities. The GCSP’s publication on cyber hygiene provides useful steps to enhance home workers’ network security.

Lesson 3: Cooperation and awareness

Despite the WHO’s efforts to secure its network, various states and organisations continue to recommend caution in cyber security, and there has been a dramatic increase of monthly security alerts from national authorities notifying the WHO of potentially hostile cyber actors.

Many organisations have also released statements warning the wider public of online threats, such as cyber criminals mimicking sites to obtain sensitive information, while governments have warned that thousands of malicious COVID-19-themed sites are created each day.

Both the awareness and cooperation of third parties and staff alertness ultimately prevented the WHO hackers’ success. Clearly, therefore, it is imperative that all members of a workforce are educated on cyber threats, and that governments, the private sector and individuals continue to be aware of the need for cyber security.

For now, the WHO continues to tackle the COVID-19 pandemic, with newly advanced cyber security measures for a dispersed workforce and with lessons learnt that the information it compiles is inherently valuable and could potentially attract state-level covert interests. 

Discover more about Cyber Security at the GCSP.

Disclaimer: The views, information and opinions expressed in the written publications are the authors’ own and do not necessarily reflect those shared by the Geneva Centre for Security Policy or its employees. The GCSP is not responsible for and may not always verify the accuracy of the information contained in the written publications submitted by a writer.