The DarkHotel group could have been looking for information on tests, vaccines or trial cures.
The World Health Organization (WHO) has attracted the notice of cybercriminals as the worldwide COVID-19 pandemic continues to play out, with a doubling of attacks recently, according to officials there. Problematically, evidence has also now apparently surfaced that the DarkHotel APT group has tried to infiltrate its networks to steal information.
Alexander Urbelis, cybersecurity researcher/attorney at Blackstone Law Group, told Reuters that he personally observed a malicious site being set up on March 13 that mimicked the WHO’s internal email system. Its purpose was to steal passwords from multiple agency staffers, and Urbelis noted that he realized “quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic.”
The attack appeared to be aimed at achieving a foothold at the agency rather than being an end unto itself: “The targeting infrastructure seems to focus on certain types of healthcare and humanitarian organizations that are uncommon for cybercriminals,” Costin Raiu, researcher at Kaspersky, told Threatpost. “This could suggest the actor behind the attacks is more interested in gathering intelligence, rather than being financially motivated.”
As for the “why” of the attack, which was thwarted, Raiu said that information about remediation for coronavirus – such as cures, tests or vaccines – would be invaluable to any nation-state’s intelligence officials.