It sounds like a movie plot dreamed up in Hollywood.
However, during the opening credits, you see these words on your screen: based on a true story. Then the movie creators reveal the true-to-life plot.
World Health Organization and NGO login credentials published online
The World Health Organization is in the middle of responding to a global pandemic, caused by a never seen before virus. It is COVID-19 chaos. Lives are at stake.
Suddenly, out of nowhere, hackers publish more than 2,000 usernames and passwords for those who are part of the World Health Organization. This gives anyone with these credentials access to WHO servers and employee email inboxes.
And then here comes a plot twist you didn't see coming: white supremacist and extremist groups are sharing the login credentials with glee, encouraging their members to use them to uncover "the truth" about the coronavirus.
And we're not done. Subplots appear.
Extremists are also sharing what are believed to be usernames and passwords from other organizations.
This plot is reality according to SITE Intelligence Group, which is an American Non-Governmental Organization (NGO) that tracks the online activity of far-right, far-left, and jihadist organizations.
Here are the numbers involved:
- U.S. National Institute of Health (NIH): 9,938 login credentials posted
- The U.S. Centers for Disease Control and Prevention (CDC): 6,857 login credentials posted
- The World Bank: 5,120 login credentials posted
- The World Health Organization (WHO): 2,732 login credentials posted
- The Gates Foundation and the Wuhan Institute of Virology: small numbers of alleged login credentials posted online
WHO login credentials dumped, verified
The Washington Post broke the story and it spoke with Australian cybersecurity expert Robert Potter, who verified the WHO credentials.
Potter, chief executive of Australian company Internet 2.0, said he was able to gain access into WHO computer systems using email addresses and passwords posted on the Internet.
And here's a bombshell that should never be said of your organization.
"Their password security is appalling," Potter said of the WHO. "Forty-eight people have 'password' as their password." Others, he said, had used their own first names or "changeme."
The WHO admitted the following on Thursday:
"The affected systems are used by current and retired staff as well as partners."
However, it also claims there is no threat to its network because most of the credentials were for an older extranet system which WHO is phasing out.
And the CIO of the World Health Organization, Bernardo Mariano, issued this statement:
“Ensuring the security of health information for Member States and the privacy of users interacting with us a priority for WHO at all times, but also particularly during the COVID-19 pandemic. We are grateful for the alerts we receive from Member States and the private sector. We are all in this fight together,” said Bernardo Mariano, WHO’s Chief Information Officer.
WHO is working with the private sector to establish more robust internal systems and to strengthen security measures and is educating staff on cybersecurity risks."
We're still waiting to hear about the verification of the usernames and passwords for the other organizations.
Weaponizing the COVID-19 pandemic in cyberspace
Regardless of other confirmations, we do know where extremist groups found the information and why they are sharing it:
The lists, whose origins are unclear, first appear to have been posted to 4chan, a message board notorious for its hateful and extreme political commentary, and later to Pastebin, a text storage site, Twitter and to far-right extremist channels on Telegram, a messaging app.
"Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues," said Rita Katz, SITE's executive director. "Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the Covid-19 pandemic," she told the Washington Post.
Recent cyberattack on the WHO
During a recent SecureWorld podcast episode, I interviewed cyber attorney Alex Urbelis, who had just uncovered a cyberattack against the World Health Organization.
"My understanding is that it was highly targeted spear-phishing, that involved only a handful of employees at the World Health Organization. So this was a very low noise attack. It was very much under the radar.
It was using a URL on a domain that had been dormant for a long time. We were waiting for this to become active. And when it did it, it sprung up and it wound up being an incredibly significant and sophisticated cyber attack against I think one of the most important intergovernmental organizations on the planet right now."
It turns out the attack was about credential harvesting, driving those who clicked the link in a phishing email to a site that mimicked or spoofed a WHO login page. It told employees to enter their usernames and passwords into the site to login, but the site was a fake hackers created.
There is no way to know whether that attack led to the login credential postings we're tracking right now. But Urbelis listed out what could be at stake here when you target the WHO with a cyberattack at this critical point in history:
"The timing, obviously, is in the midst of the coronavirus or COVID-19, with world hysteria starting around March 13, 2020. Any nation that could acquire, or any company that could acquire, an advanced preview of the World Health Organization statistics with respect to the pandemic itself and its proliferation in other countries or information or intelligence with respect to palliative care vaccines underway—and all of this information could give a country or private industry or even I daresay investors, a massive leg up in terms of competitive business as well as nation-state level intelligence."
Our podcast interview with Urbelis is fascinating; you really should give it a listen here, on Apple Podcasts, or on your favorite platform:
He emphasized to SecureWorld that he was tracking other NGOs also being targeted by the nation-state hackers believed to be attacking the WHO.
COVID-19 cyberattacks prominent on the Dark Web
Unfortunately, the coronavirus is a hot topic, and a hot sales tool for hackers and cybercriminals who buy, sell and trade information on the dark web.
"This Dark Web world is just like your organization and my organization, right? They're very structured, they know what's happening in the real world. So as a result, they're really able to be agile, just like our organizations. In the case of COVID-19, sadly, is the fact that this is really an opportunity for them," says Myla Pilao, Director of Threat Research Marketing at Trend Micro.
She says there are three significant areas of interest that Trend Micro has tracked so far in the criminal underground:
"Number one is that they are trading, sharing, and collaborating on typical exploit kits, malware, whatever that they wanted to use to optimize COVID-19.
The second one, interestingly, is that they also have a marketplace for tangible materials. You can buy N-95 masks, you can buy hand sanitizer, it's quite interesting.
The third area is they are heavily discussing, like what we're doing today, what attacks are coming around COVID-19, what's the next level of attack, what they will do, how will Bitcoin and cryptomining be used here? How would ransomware be changed? All of the conversations that they're having also exist in the real world."
The SecureWorld podcast interview with Myla Pilao of Trend Micro is a fascinating look at the coronavirus cyber threats that every organization should be tracking. Listen here:
And now back to where we started this story.
It sounds like a made-up Hollywood movie plot, doesn't it?
But this one is based on a true story involving a world pandemic, cybercriminals, and extremists—something most of us never would have believed until just a few weeks ago.