As hackers attack WHO, security experts team up to fight pandemic cybercrime
Amid a global emergency, information is key and criminals are looking to capitalise on the crisis
An international group of nearly 400 volunteers with expertise in cybersecurity formed a new group this week to fight hacking related to the novel coronavirus.
Called the Covid-19 CTI League, for cyber threat intelligence, the group spans more than 40 countries and includes professionals in senior positions at companies including Microsoft and Amazon.
There is particular concern for online security as millions of people around the world turn to online solutions to continue working as governments lockdown entire countries and people try to social distance.
One of four initial managers of the effort, Marc Rogers, said the top priority would be working to combat hacks against medical facilities and other frontline responders to the pandemic. It is already working on hacks of health organizations.
Also key is the defence of communication networks and services that have become essential as more people work from home, said Mr Rogers, head of security at the long-running hacking conference Def Con and a vice president at security company Okta Inc.
The group is also using its web of contacts in internet infrastructure providers to squash garden-variety phishing attacks and another financial crime that is using the fear of Covid-19 or the desire for information on it to trick regular internet users.
"I've never seen this volume of phishing," Mr Rogers said. "I am literally seeing phishing messages in every language known to man."
Phishing messages try to induce recipients to enter passwords or other sensitive information on websites controlled by the attackers, who then use the data to take control of bank, email or other accounts.
Mr Rogers said the group had already dismantled one campaign that used a software vulnerability to spread malicious software. He declined to provide details and said that in general, the group would be reluctant to reveal what it was fighting.
Mr Rogers said law enforcement had been surprisingly welcoming of the collaboration, recognizing the vastness of the threat.
Mr Rogers is a UK citizen based in the San Francisco Bay Area. Two other group coordinators are American, and one is Israeli.
"I have never seen this level of cooperation," Mr Rogers said. "I hope it continues afterwards, because it's a beautiful thing to see."
As well key facilities needing to ensure they are not knocked off-line during the critical time, the move by government bodies, international organisation and private companies to digital communication potentially opens up major security issues.
US Senators admitted this week that they are unlikely to be able to continue meeting amid the global pandemic, opening up a new problem for American governance – how to legislate amid a lockdown.
Washington is far from the only capital facing the same problem and everything from essential government services to how to keep courts working is now being discussed.
In a major warning of the risks the current situation poses, the World Health Organisation – the body currently coordinating the global pandemic response – said this week that it battled a sophisticated attack by a group of elite hackers.
The agency said that there had been a more than two-fold increase in cyberattacks.
WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear and the effort was unsuccessful. But he warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.
The attempted break-in at the WHO was first flagged to the press by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.
Mr Urbelis said he picked up on the activity around March 13, when a group of hackers he'd been following activated a malicious site mimicking the WHO's internal email system.
"I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic," he said.
Mr Urbelis said he didn't know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.
Messages sent to email addresses maintained by the hackers went unreturned.
The WHO confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.
"There has been a big increase in targeting of the WHO and other cybersecurity incidents," Mr Aggio said. "There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled."
Cybersecurity firms including Romania's Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel's operations to East Asia - an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.
Costin Raiu, head of global research and analysis at Kaspersky, said he’d seen dozens of such attempts.
"At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country," he said.
Officials and cybersecurity experts have warned that hackers of all stripes are seeking to capitalize on international concern over the spread of the coronavirus.
Mr Urbelis said he has tracked thousands of coronavirus-themed web sites being set up daily, many of them obviously malicious.
"It's still around 2,000 a day," he said. "I have never seen anything like this."
Updated: March 26, 2020 02:22 PM