Top officials at the World Health Organization are being targeted by hackers as they work on the global response to the coronavirus pandemic.
The WHO’s security team has seen an increasing number of attempted cyber-attacks on the officials since mid-March, according to the organization’s chief information officer, Bernardo Mariano. WHO itself hasn’t been hacked, but employee passwords have leaked through other websites, he said.
In an interview Tuesday, Mariano said that some of the attacks had been perpetrated by suspected nation-state hackers. The targets have included WHO Director General Tedros Adhanom Ghebreyesus, as well as Bruce Aylward, a senior WHO envoy who led a Covid-19 response team in China.
There had also been a recent “sustained attempt” to hack into computers operated by a team of four WHO employees in South Korea, as well as an incident last week targeting staff at the organization’s Geneva headquarters, Mariano said.
The hackers “are looking for the highest targets -- the key officials involved with the Covid-19 work,” Mariano said. “The cybersecurity team has never been busier, and we’ve had to increase resources to try to protect ourselves and be vigilant.”
Authorities in Israel, the European Union, the U.K. and Switzerland have issued warnings to the WHO in recent weeks about cyber-attacks on its systems, as have Interpol and Microsoft Corp., based on intelligence they have gathered, Mariano added.
The WHO used to have one security alert a month, but thus far in April the organization has received eight from national cybersecurity authorities “notifying us of nation-state actor attacks that we are facing,” he said.
Many of the attacks have been phishing or spearphishing attempts to lure WHO staff into clicking on a malicious link in an email -- often sent to both work and personal accounts -- that will download malware onto their computers or mobile phones, he said. In some cases, reports the WHO has received from national cybersecurity agencies have identified the origins of the attack and the suspected perpetrator. Mariano declined to name any of the alleged culprits.
On Monday, users of the internet forum 4chan began circulating more than 2,000 passwords they claimed were linked to WHO email accounts. The details soon spread to Twitter and other social media websites, with claims that the WHO had been the victim of a hack.
Mariano’s team concluded that the WHO hadn’t been hacked, but that the passwords of some WHO employees had been obtained from other data breaches. The employees may have used their work email address to register an account on a particular website, and that website was then hacked, leaking their password.
Some users of 4chan said that they had used the passwords to successfully gain access to a WHO website called “Extranet.” Mariano said that most of the 2,000 email accounts had expired and were no longer active, but that 400 were still used by the organization’s employees.
He said none of the passwords could be used to access sensitive internal systems, such as those for email, because the organization has a two-factor authentication system in place, meaning a password alone is not sufficient to gain access.
Facing increased attacks, the WHO has doubled the size of its security team and is now working with five security companies to bolster its defenses, said Mariano. The team has shut down some WHO systems that were identified as vulnerable to attack and has bolstered the security of internal email, he said.
“This is unprecedented for everyone here,” Mariano said. “We’re doing what we can to mitigate it.”