Claims Journal - Insurance news and resources for claims adjusters

Hackers Target WHO by Posing as Think Tank, Broadcaster

By Ryan Gallagher | May 7, 2020

The messages began arriving in World Health Organization employees’ inboxes in early April, seemingly innocuous emails about the coronavirus from news organizations and researchers.

But a close examination revealed that they contained malicious links, and some security experts have traced the emails to a hacking group in Iran believed to be sponsored by the government.

The hacking effort, which began on April 3, was an attempt to steal passwords and possibly install malware on WHO computers, according to three people familiar with the matter, who requested anonymity because they aren’t authorized to talk to the news media. The incident was one of several suspected state-sponsored hacks targeting WHO officials in recent weeks, the people said.

Flavio Aggio, the WHO’s chief information security officer, declined to comment on specific instances, but confirmed the organization had been subjected to “very clever attacks” as it works to blunt the coronavirus pandemic. He said the attempted intrusions against the WHO had so far been unsuccessful. “We are dealing with an information war and a cyberwar at the same time,” he said.

Iran’s Foreign Ministry didn’t respond to a request for comment. Iran’s cyber capabilities, once used as a means of internal control and repression, have evolved to more aggressive attacks on foreign targets, including the U.S., according to a January report by U.S. congressional researchers. Reuters has previously reported that hackers tied to the Iranian government have tried to breach the personal email accounts of WHO employees.

Two of the messages sent to the WHO, which were reviewed by Bloomberg News, were designed to look like coronavirus newsletters from the British Broadcasting Corporation. A third message was tailored to look like an interview request from the American Foreign Policy Council, a conservative think tank based in Washington. It encouraged recipients to click on what looked to be a shortened Google link, which diverted to a malicious domain.

European security agencies notified the WHO of the intrusion attempts. One threat alert warned that the phishing emails had been crafted by “highly skilled professionals” who were “possibly state-sponsored” and associated with Iran, according to two of the people familiar with the matter.

Ohad Zaidenberg, lead cyber intelligence researcher at Clearsky Cyber Security, reviewed the messages for Bloomberg News, and said he believed they were sent by a group of state-sponsored Iranian hackers known as “Charming Kitten,” which has been active since 2014 and previously targeted Iranian dissidents, academics, journalists and human rights activists.

The emails, Zaidenberg said, contained enough information for him to conclude with high confidence that they were the work of Charming Kitten. The domains featured in the messages — including mobiles.identifier-services-session.site, sgnldp.live, and an obscure link shortening service, bitli.pro — were hallmarks of the Iranian group and had been used in previous attacks, he said.

In early April, Charming Kitten began a new campaign of attempted hacks, sending emails about fake coronavirus research to researchers, journalists, and government officials, Zaidenberg said.

In late February, the cybersecurity organization CERTFA, which tracks cyber criminals and state-sponsored hackers in Iran, said it had identified Charming Kitten hackers trying to dupe their targets into clicking a malicious link by posing as journalists seeking an interview.

The hacking group was targeting private and government institutions, think tanks and academic institutions in European countries, the U.S., U.K. and Saudi Arabia, CERTFA said in a blog post. Its method was “stealing email account information of the victims and finding information about their contacts/networks,” it said.

The email sent to the WHO impersonating the American Foreign Policy Council purported to be from Ilan Berman, the think tank’s senior vice president. The message had the subject “AFPC Online Interview” and contained a link to what the email claimed were interview questions. But the link diverted to a malicious domain, probably intended to steal passwords and two-factor authentication codes for WHO employee email accounts, according to Zaidenberg.

Berman, a critic of the Iranian government who has written two books about the country, said he was aware that hackers were trying to impersonate him. On about six separate occasions recently, he said, he had been contacted by people seeking to authenticate emails they had received from a Gmail account in his name, inviting them to attend conferences. The same Gmail account was used to target the WHO officials.

“We’ve been dealing with this for the last six months or so. We’ve been reaching out to people to tell them — don’t click on any links, don’t give them any personal information,” Berman said.

Bernardo Mariano, the WHO’s chief information officer, declined to comment on specific hacking attempts but confirmed that the organization had received several alerts about nation-state attacks. He said it was difficult to confirm the precise origin of the attacks because of methods hackers often use to conceal their locations.

Mariano said the WHO has closed some systems in order to prevent hackers from gaining access to them, recruited new employees for its computer security team and enlisted the help of several security companies.

In addition to reporting a surge in cyber-attacks targeting the WHO and its officials, the organization has seen a spike in fake accounts impersonating its employees as part of phishing campaigns and is encouraging people to report suspicious messages from people claiming to be associated with the WHO.

“If it continues like this it is going to take a toll on all of us,” Mariano said in an interview. “We don’t have the capacity to sustain this for very long.”

On Tuesday, cybersecurity agencies in the U.K. and U.S. issued a joint warning that state-sponsored hackers were “actively targeting organizations involved in both national and international Covid-19 responses,” including health-care bodies, pharmaceutical companies, academia, medical research organizations and local government.

The hackers “may seek to obtain intelligence on national and international health-care policy or acquire sensitive data on Covid-19 related research,” the warning says.

Copyright 2023 Bloomberg.
