Researcher Says Spear-Phishing Incident Has Hallmarks of Nation-State Attack
WHO logo (Photo: United States Mission Geneva via Flickr/CC)
A hacking group targeted the World Health Organization earlier this month with an apparently unsuccessful spear-phishing campaign designed to harvest credentials as the United Nations organization was grappling with the global COVID-19 pandemic, Reuters reports.
The security researcher who first flagged the activity and reported it to WHO says the incident bears the hallmarks of a sophisticated nation-state attack.
Alexander Urbelis, the researcher, who is an attorney at the New York-based Blackstone Law Group, tells Information Security Media Group that he believes the targeting of WHO started March 13. Using his firm’s DNS threat intelligence platform, Urbelis says he has been tracking a series of suspicious domain names aimed at intergovernmental organizations, including WHO and the U.N., over the course of several years.
The WHO hackers relied on a long chain of sub-domains built to impersonate WHO’s Active Directory Federation Services (AD FS) sign-in portal, Microsoft’s single sign-on product, Urbelis tells ISMG. Spear-phishing appears to have been used to lure victims to the fake portal, Urbelis notes.
“It was obvious by the structure of the URL that [this attack] was targeting the log-in portal for the WHO,” Urbelis says. “So the targeting itself was included in the URL, and we were able to identify specifically that this was a brand new targeting of the WHO.”
Flavio Aggio, WHO’s CISO, tells Reuters that the hackers’ attack was not successful in harvesting data. WHO’s investigation of the incident continues.
A WHO spokesperson tells ISMG that the organization has been tracking “multiple ways attackers are exploiting the current Covid-19 situation via multiple impersonation approaches: Vishing [voice phishing], email phishing, WhatsApp phishing, social media” (see: COVID-19 Phishing Schemes Escalate; FBI Issues Warning).
Urbelis tells ISMG that he believes that one of the hackers’ goals was to harvest credentials by targeting the WHO log-in portal.
“This was a credential harvester that was replicating the portal of the WHO external log-in,” Urbelis says. “It was very highly targeted, so maybe they were looking for some specific information or some kind of advantage on coronavirus responses, data [or] tracking activities.”
Urbelis adds that the hackers also appear to have restricted access to the phishing portal and its sub-domains during the campaign to WHO’s own network, so that only the credentials they were after would be captured and outside analysts could not easily inspect the page.
“They would not allow just any web user to resolve the credentials harvesting portal,” Urbelis says. “It appears to have been limited to the specific IP subnet of the WHO, so I could see there was a live attack configured, but I couldn’t resolve that live attack because they were limiting access to [the] attack.”
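The two things Urbelis describes, a target's own domain and sign-in keywords embedded in an attacker-controlled sub-domain chain, and a phishing host that will not answer from outside the target's IP range, can be turned into a triage rule over a passive-DNS feed. The Python below is an added example written for this article; it is not code from Urbelis, Blackstone Law Group, WHO or Reuters. It assumes that who.int is the defender's apex domain, that every legitimate WHO sign-in host sits under that apex, and that the hostnames and IP answers in SAMPLE_FEED are constructed for illustration rather than observed data. The registrable-domain handling is deliberately crude (no public-suffix list), which is also an assumption of the example.

```python
"""Triage passive-DNS hostnames for SSO-portal lookalikes (added example).

Assumptions (not from the article): the defender owns the apex domain
who.int, all of its real sign-in hosts live under that apex, and the feed is
a list of (fqdn, answers) pairs where answers is empty when the name did not
resolve from the defender's external vantage point.
"""
import re

LEGIT_APEX = "who.int"   # real WHO domain; "all SSO hosts sit under it" is an assumption
# Label tokens commonly seen in AD FS / SSO hostnames and their lookalikes.
SSO_TOKENS = {"adfs", "sts", "fs", "sso", "login", "logon", "signin",
              "federation", "auth", "owa", "portal"}
FLAG_THRESHOLD = 4


def _normalise(fqdn: str) -> str:
    return fqdn.strip().lower().rstrip(".")


def is_legitimate(fqdn: str) -> bool:
    """True only for the apex itself or names directly under it."""
    h = _normalise(fqdn)
    return h == LEGIT_APEX or h.endswith("." + LEGIT_APEX)


def _tokens(hostname: str) -> list[str]:
    # Split on dots and hyphens so "who-int" and "who.int" yield the same tokens.
    return [t for t in re.split(r"[.-]", hostname) if t]


def score_hostname(fqdn: str) -> tuple[int, list[str]]:
    """Return (score, reasons); higher means more suspicious."""
    h = _normalise(fqdn)
    if is_legitimate(h):
        return 0, ["under legitimate apex"]
    labels = h.split(".")
    tokens = _tokens(h)
    apex_tokens = LEGIT_APEX.split(".")
    score, reasons = 0, []
    # Target's whole domain embedded in an attacker-controlled name,
    # e.g. adfs.who.int.<attacker>: the "targeting is in the URL" pattern.
    for i in range(len(tokens) - len(apex_tokens) + 1):
        if tokens[i:i + len(apex_tokens)] == apex_tokens:
            score += 3
            reasons.append("target apex embedded in hostname")
            break
    else:
        if apex_tokens[0] in tokens:
            score += 2
            reasons.append("target brand token in hostname")
    sso_hits = sorted(set(tokens) & SSO_TOKENS)
    if sso_hits:
        score += 2
        reasons.append("sso tokens: " + ",".join(sso_hits))
    if len(labels) >= 4:
        score += 1
        reasons.append("deep subdomain chain")
    return score, reasons


def triage(records):
    """records: iterable of (fqdn, answers). Returns flagged entries as
    (fqdn, score, reasons, resolved_externally), most suspicious first."""
    out = []
    for fqdn, answers in records:
        score, reasons = score_hostname(fqdn)
        if score < FLAG_THRESHOLD:
            continue
        # An empty answer set from our vantage point is NOT treated as benign:
        # the phishing host may only answer, or only serve the page, to the
        # target's own IP ranges, so the name is kept for in-network checking.
        if not answers:
            reasons.append("did not resolve from external vantage point; "
                           "verify from inside the target network")
        out.append((fqdn, score, reasons, bool(answers)))
    return sorted(out, key=lambda r: -r[1])


# Constructed sample feed; hostnames and TEST-NET addresses are illustrative only.
SAMPLE_FEED = [
    ("adfs.who.int", ["198.51.100.10"]),
    ("login.adfs.who.int.example", []),
    ("who-int.login.example", ["203.0.113.7"]),
    ("sso.example.org", ["203.0.113.8"]),
    ("whois.example", ["203.0.113.9"]),
]

if __name__ == "__main__":
    for fqdn, score, reasons, resolved in triage(SAMPLE_FEED):
        print(f"{score:2d} {fqdn:32s} resolved={resolved} {'; '.join(reasons)}")
```

Run as a script it prints the two flagged names; the one that returned no answer from outside is still listed, with a reminder to re-check it from an address inside the target's range, which is exactly the blind spot the IP-gated portal is designed to create.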
Sources told Reuters that the advanced persistent threat group suspected of this attack is an organization called DarkHotel, which security researchers, including analysts with Kaspersky, have been tracking since at least 2007. The group appears to have ties to South Korea.
Over the years, DarkHotel has focused its attention mostly on targets in China, Russia, Japan and other parts of East Asia, according to various security reports. The group’s name is derived from its technique of following targets from hotel to hotel as they travel around the world, and its hackers have been known to use spear-phishing attacks (see: Microsoft Warns of Zero-Day Internet Explorer Exploits).
In a November 2019 report, Kaspersky noted that DarkHotel had recently started taking advantage of a zero-day exploit in Google’s Chrome browser to plant malware that connected with a command-and-control server.
A Kaspersky spokesperson declined to comment on the specifics of the Reuters report and the alleged connections to the DarkHotel group. Urbelis tells ISMG he cannot say for sure what hacking group is responsible. But he notes that this recent campaign against WHO matches some other patterns that he’s tracked from APT groups dating back to at least 2018.
WHO Phishing Emails
WHO has also been victimized by cybercriminals who have begun spoofing the organization’s name and images as part of ongoing phishing campaigns looking to take advantage of the COVID-19 pandemic.
Earlier this month, researchers at IBM X-Force found phishing emails spoofing WHO and claiming to come directly from Dr. Tedros Adhanom Ghebreyesus, the director-general of the organization. Through these lures, cybercriminals were attempting to spread HawkEye malware, a type of keylogger.
Since February, WHO and other organizations, such as the U.S. Centers for Disease Control and Prevention, have been warning about an increase in phishing emails that spoof these organizations’ logos and names during this healthcare crisis (see: More Phishing Campaigns Tied to Coronavirus Fears).