The DarkHotel group could have been looking for information on tests, vaccines or trial cures.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with attacks recently doubling, according to officials there. More worryingly, evidence has now surfaced that the DarkHotel APT group has apparently tried to infiltrate its networks to steal information.
Alexander Urbelis, cybersecurity researcher/attorney at Blackstone Law Group, told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and Urbelis noted that he realized “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”
The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself: “The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organizations that are uncommon for cybercriminals,” Costin Raiu, researcher at Kaspersky, told Threatpost. “This could suggest the actor behind the attacks is more interested in gathering intelligence, rather than being financially motivated.”
As for the “why” of the attack, which was thwarted, Raiu said that information about remediation for coronavirus – such as cures, tests or vaccines – would be invaluable to any nation-state’s intelligence officials.
“So far, we don’t know the motivation behind these attacks, however, at times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country,” he told Threatpost.
In line with that, unnamed sources told Reuters that the DarkHotel group, an APT associated with carrying out cyberespionage efforts in China, North Korea, Japan and the United States, could be the culprit behind the attack. No further details were given in the report, and Raiu said that while Kaspersky was investigating the possibility, he couldn’t make an attribution at this point.
DarkHotel was first identified in 2014 by Kaspersky researchers, who said at the time that the group had been active since at least 2007. The APT became known for targeting diplomats and corporate executives via Wi-Fi networks at luxury hotels – but it has widened its targeting over the years, while continuing to leverage zero-day vulnerabilities and exploits. Earlier in 2020, DarkHotel was seen using Office documents for targeted attacks using a zero-day in Internet Explorer.
Meanwhile, cybercriminals are tapping into the fears around coronavirus by launching a slew of cyberattacks using COVID-19 as a lure or theme. WHO CISO Flavio Aggio told Reuters: “There has been a big increase in targeting of the WHO and other cybersecurity incidents…such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”
The WHO recently published an alert warning against these kinds of impersonation attempts. One such campaign is distributing a new variant of the HawkEye keylogging malware using spam that purports to be an “alert” from WHO Director-General Tedros Adhanom Ghebreyesus.
The efforts are quite sophisticated. Most recently, on Tuesday, CrowdStrike shared analysis with Threatpost about a scam impersonating WHO that requested Bitcoin donations to the COVID-19 Solidarity Response Fund—the name of a legitimate fund created by the WHO. The body of one message appears to be copied directly from the official website of the fund. Additionally, the scam emails spoofed WHO email addresses (e.g., using <firstname.lastname@example.org>) but were not sent from valid WHO domains.
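As an added, defender-side example that is not part of the article: a small Python check for the mismatch described above, where the visible From: address claims a WHO domain but the message is authenticated (if at all) for a different domain. The sample headers, the receiving-MTA name mx.example.test and the sender domain mail.example-sender.test are constructed placeholders, not values from the campaign.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: WHO address in From:, envelope/SPF domain is someone else's.
SPOOFED_RAW = """Return-Path: <bounce@mail.example-sender.test>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=mail.example-sender.test; dkim=none
From: "COVID-19 Solidarity Response Fund" <donations@who.int>
Subject: Urgent: Support the COVID-19 Solidarity Response Fund
"""

# Constructed control sample: visible sender and authenticated domain agree.
ALIGNED_RAW = """Return-Path: <bounce@who.int>
Authentication-Results: mx.example.test; spf=pass smtp.mailfrom=who.int; dkim=pass header.d=who.int
From: "World Health Organization" <noreply@who.int>
Subject: Situation report
"""

def domain_of(addr: str) -> str:
    """Lower-case domain of an address like 'Name <user@host>' ('' if none)."""
    return parseaddr(addr or "")[1].rpartition("@")[2].lower()

def relaxed_aligned(a: str, b: str) -> bool:
    """DMARC 'relaxed' alignment, approximated as equal or parent/sub-domain."""
    return bool(a) and bool(b) and (a == b or a.endswith("." + b) or b.endswith("." + a))

def check_sender_alignment(raw: str) -> dict:
    """Flag a message whose From: domain is backed by neither an aligned SPF
    pass nor an aligned DKIM pass in the receiving MTA's Authentication-Results."""
    msg = message_from_string(raw)
    from_domain = domain_of(msg.get("From", ""))
    auth = msg.get("Authentication-Results", "")
    spf = re.search(r"\bspf=(\w+)", auth)
    spf_from = re.search(r"smtp\.mailfrom=(?:[^@\s;]*@)?([^\s;]+)", auth)
    dkim = re.search(r"\bdkim=(\w+)", auth)
    dkim_d = re.search(r"header\.d=([^\s;]+)", auth)
    spf_ok = spf is not None and spf.group(1) == "pass" and spf_from is not None \
        and relaxed_aligned(from_domain, spf_from.group(1).lower())
    dkim_ok = dkim is not None and dkim.group(1) == "pass" and dkim_d is not None \
        and relaxed_aligned(from_domain, dkim_d.group(1).lower())
    return {
        "from_domain": from_domain,
        "envelope_domain": domain_of(msg.get("Return-Path", "")),
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "suspicious": not (spf_ok or dkim_ok),
    }
```

The check relies on the Authentication-Results header written by your own receiving mail server, so it should only be trusted for messages that passed through that server rather than for headers supplied by the sender.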
“With the pandemic taking over all news cycles at the moment, people are turning to the WHO for advice and guidance during this difficult time,” said Javvad Malik, security awareness advocate at KnowBe4, via email. “It is therefore no surprise to see criminals ramping up their attacks by either masquerading as the WHO, or trying to attack the WHO directly.”
Outside of WHO-related attacks, Urbelis said that he has seen around 2,000 coronavirus-themed sites being set up daily in recent weeks, many of them malicious. Other researchers have found a spate of malicious, botnet-driven emails using the coronavirus as a theme to launch phishing and malware attacks. Other attacks include malicious websites and apps purporting to share coronavirus-related information (but that actually access victims’ devices), and fraudulent websites that sell fake coronavirus cures.
“Recent weeks have seen the significant tailoring of various fraud and scam related messages, via email and electronically, to incorporate an element of the Coronavirus or COVID-19 pandemic in efforts to gain traction,” Carl Wearn, head of E-Crime at Mimecast, told Threatpost. “During this time of great uncertainty, cybercriminals, who thrive on chaos and uncertainty, will be doing their utmost to make their messaging relevant and tempting…Please be extra vigilant to the way you are being specifically targeted to take advantage of your fears and the huge appetite for virus-related information that people have at this time. Please seek out information from official sources and their websites and navigate to them using your browser. It is almost certain that the upward trend in this activity will continue and accelerate in the weeks ahead.”