The messages began arriving in World Health Organization employees’ inboxes in early April, seemingly innocuous emails about the coronavirus from news organizations and researchers.
But a close examination revealed that they contained malicious links, and some security experts have traced the emails to a hacking group in Iran believed to be sponsored by the government.
The hacking effort, which began on April 3, was an attempt to steal passwords and possibly install malware on WHO computers, according to three people familiar with the matter, who requested anonymity because they aren’t authorized to talk to the news media. The incident was one of several suspected state-sponsored hacks targeting WHO officials in recent weeks, the people said.
Flavio Aggio, the WHO’s chief information security officer, declined to comment on specific instances, but confirmed the organization had been subjected to “very clever attacks” as it works to blunt the coronavirus pandemic. He said the attempted intrusions against the WHO had so far been unsuccessful. “We are dealing with an information war and a cyberwar at the same time,” he said.
Iran’s Foreign Ministry didn’t respond to a request for comment. Iran’s cyber capabilities, once used as a means of internal control and repression, have evolved to more aggressive attacks on foreign targets, including the U.S., according to a January report by U.S. congressional researchers. Reuters has previously reported that hackers tied to the Iranian government have tried to breach the personal email accounts of WHO employees.
Two of the messages sent to the WHO, which were reviewed by Bloomberg News, were designed to look like coronavirus newsletters from the British Broadcasting Corporation. A third message was tailored to look like an interview request from the American Foreign Policy Council, a conservative think tank based in Washington. It encouraged recipients to click on what looked to be a shortened Google link, which diverted to a malicious domain.
European security agencies notified the WHO of the intrusion attempts. One threat alert warned that the phishing emails had been crafted by “highly skilled professionals” who were “possibly state-sponsored” and associated with Iran, according to two of the people familiar with the matter.
Ohad Zaidenberg, lead cyber intelligence researcher at Clearsky Cyber Security, reviewed the messages for Bloomberg News, and said he believed they were sent by a group of state-sponsored Iranian hackers known as “Charming Kitten,” which has been active since 2014 and previously targeted Iranian dissidents, academics, journalists and human rights activists.
The emails, Zaidenberg said, contained enough information for him to conclude with high confidence that they were the work of Charming Kitten. The domains featured in the messages — were hallmarks of the Iranian group and had been used in previous attacks, he said.
Beginning in early April, Charming Kitten began a new campaign of attempted hacks, sending emails about fake coronavirus research to researchers, journalists, and government officials, Zaidenberg said.
In late February, the cybersecurity organization CERTFA, which tracks cyber criminals and state-sponsored hackers in Iran, said it had identified Charming Kitten hackers trying to dupe their targets into clicking a malicious link by posing as journalists seeking an interview.
The hacking group was targeting private and government institutions, think tanks and academic institutions in European countries, the U.S., U.K. and Saudi Arabia, CERTFA said in a blog post. Its method was “stealing email account information of the victims and finding information about their contacts/networks,” it said.
The email sent to the WHO, impersonating the American Foreign Policy Council, purported to be from Ilan Berman, the think tank’s senior vice president. The message had the subject “AFPC Online Interview” and contained a link to what the email claimed were interview questions. But the link diverted to a malicious domain, probably intended to steal passwords and two-factor authentication codes for WHO employee email accounts, according to Zaidenberg.
Berman, a critic of the Iranian government, who has written two books about the country, said he was aware that hackers were trying to impersonate him. On about six separate occasions recently, he said, he had been contacted by people seeking to authenticate emails they had received from a Gmail account in his name, inviting them to attend conferences. The same Gmail account was used to target the WHO officials.
“We’ve been dealing with this for the last six months or so. We’ve been reaching out to people to tell them — don’t click on any links, don’t give them any personal information,” Berman said.
Bernardo Mariano, the WHO’s chief information officer, declined to comment on specific hacking attempts but confirmed that the organization had received several alerts about nation-state attacks. He said it was difficult to confirm the precise origin of the attacks because of methods hackers often use to conceal their locations.
Mariano said the WHO has closed some systems in order to prevent hackers from gaining access to them and recruited new employees for its computer security team. It has also enlisted the help of several security companies.
The organization has also seen a spike in fake accounts impersonating its employees as part of phishing campaigns and is encouraging people to report suspicious messages from people claiming to be associated with the WHO.
“If it continues like this, it is going to take a toll on all of us,” Mariano said in an interview. “We don’t have the capacity to sustain this for very long.”
On Tuesday, cybersecurity agencies in the U.K. and U.S. issued a joint warning that state-sponsored hackers were “actively targeting organizations involved in both national and international covid-19 responses,” including health-care bodies, pharmaceutical companies, academia, medical research organizations and local government.
The hackers “may seek to obtain intelligence on national and international health-care policy or acquire sensitive data on covid-19 related research,” the warning says.