Exclusive: Elite hackers target WHO as coronavirus cyberattacks spike

By Raphael Satter, Jack Stubbs and Christopher Bing

WASHINGTON/LONDON (Reuters) – Elite hackers tried to break into the World Health Organization earlier this month, sources told Reuters, part of what a senior agency official said was a more than two-fold increase in cyberattacks.

WHO Chief Information Security Officer Flavio Aggio said the identity of the hackers was unclear, but the effort was unsuccessful. He warned that hacking attempts against the agency and its partners have soared as they battle to contain the coronavirus, which has killed more than 15,000 worldwide.

The attempted break-in at the WHO was first flagged to Reuters by Alexander Urbelis, a cybersecurity expert and attorney with the New York-based Blackstone Law Group, which tracks suspicious internet domain registration activity.

Urbelis said he picked up on the activity around March 13, when a group of hackers he’d been following activated a malicious site mimicking the WHO’s internal email system.

“I realized quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he said.

Urbelis said he didn’t know who was responsible, but two other sources briefed on the matter said they suspected an advanced group of hackers known as DarkHotel, which has been conducting cyber-espionage operations since at least 2007.

Messages sent to email addresses maintained by the hackers went unreturned.

When asked by Reuters about the incident, the WHO’s Aggio confirmed that the site spotted by Urbelis had been used in an attempt to steal passwords from multiple agency staffers.

“There has been a big increase in targeting of the WHO and other cybersecurity incidents,” Aggio said in a telephone interview. “There are no hard numbers, but such compromise attempts against us and the use of (WHO) impersonations to target others have more than doubled.”

The WHO published an alert last month warning that hackers are posing as the agency to steal money and sensitive information from the public.

The motives in the case identified by Reuters aren’t clear. United Nations agencies, the WHO among them, are regularly targeted by digital espionage campaigns and Aggio declined to say who precisely at the organization the hackers had in their sights.

Cybersecurity firms including Romania’s Bitdefender and Moscow-based Kaspersky said they have traced many of DarkHotel’s operations to East Asia – an area that has been particularly affected by the coronavirus. Specific targets have included government employees and business executives in places such as China, North Korea, Japan, and the United States.

Costin Raiu, head of global research and analysis at Kaspersky, could not confirm that DarkHotel was responsible for the WHO attack but said the same malicious web infrastructure had also been used to target other healthcare and humanitarian organizations in recent weeks.

“At times like this, any information about cures or tests or vaccines relating to coronavirus would be priceless and the priority of any intelligence organization of an affected country,” he said.

Officials and cybersecurity experts have warned that hackers of all stripes are seeking to capitalize on international concern over the spread of the coronavirus.

Urbelis said he has tracked thousands of coronavirus-themed web sites being set up daily, many of them obviously malicious.

“It’s still around 2,000 a day,” he said. “I have never seen anything like this.”

(Additional reporting by Hyonhee Shin in Seoul; Editing by Chris Sanders and Edward Tobin)

North Korea took $2 billion in cyber attacks to fund weapons program: U.N. report

By Michelle Nichols

UNITED NATIONS (Reuters) – North Korea has generated an estimated $2 billion for its weapons of mass destruction programs using “widespread and increasingly sophisticated” cyberattacks to steal from banks and cryptocurrency exchanges, according to a confidential U.N. report seen by Reuters on Monday.

Pyongyang also “continued to enhance its nuclear and missile programs although it did not conduct a nuclear test or ICBM (Intercontinental Ballistic Missile) launch,” said the report to the U.N. Security Council North Korea sanctions committee by independent experts monitoring compliance over six months.

The North Korean mission to the United Nations did not respond to a request for comment on the report, which was submitted to the Security Council committee last week.

The experts said North Korea “used cyberspace to launch increasingly sophisticated attacks to steal funds from financial institutions and cryptocurrency exchanges to generate income.” They also used cyberspace to launder the stolen money, the report said.

“Democratic People’s Republic of Korea cyber actors, many operating under the direction of the Reconnaissance General Bureau, raise money for its WMD (weapons of mass destruction) programs, with total proceeds to date estimated at up to two billion US dollars,” the report said.

North Korea is formally known as the Democratic People’s Republic of Korea (DPRK). The Reconnaissance General Bureau is a top North Korean military intelligence agency.

The U.N. experts said North Korea’s attacks against cryptocurrency exchanges allowed it “to generate income in ways that are harder to trace and subject to less government oversight and regulation than the traditional banking sector.”

The Security Council has unanimously imposed sanctions on North Korea since 2006 in a bid to choke off funding for Pyongyang’s nuclear and ballistic missile programs. The Council has banned exports including coal, iron, lead, textiles and seafood, and capped imports of crude oil and refined petroleum products.

U.S. President Donald Trump has met with North Korean leader Kim Jong Un three times, most recently in June when he became the first sitting U.S. president to set foot in North Korea at the Demilitarized Zone (DMZ) between the two Koreas.

They agreed to resume stalled talks aimed at getting Pyongyang to give up its nuclear weapons program. The talks have yet to resume and in July and early August, North Korea carried out three short-range missile tests in eight days.

The U.N. report was completed before last week’s missile launches by North Korea, but noted that “missile launches in May and July enhanced its overall ballistic missile capabilities.”

The U.N. experts said that despite the diplomatic efforts, their “investigations show continued violations” of U.N. sanctions.

“For example, the DPRK continued to violate sanctions through ongoing illicit ship-to-ship transfers and procurement of WMD-related items and luxury goods,” the U.N. report said.

(Reporting by Michelle Nichols; editing by Grant McCool)

“Anonymous” Hackers Declare War on ISIS

The hacker collective known as “Anonymous” declared war on ISIS in a video posted on YouTube in response to the horrendous attacks that took place in Paris on Friday.

According to NBC News, the video has yet to be verified by officials, but in the video a spokesman wears the group’s signature Guy Fawkes mask and says in French that the group will use their expertise in a “war” against the Islamic terrorist group.

“Expect massive cyber attacks. War is declared. Get prepared,” the announcer says in French.

“Anonymous from all over the world will hunt you down. You should know that we will find you and we will not let you go. We will launch the biggest operation ever against you,” the spokesperson continued, according to translated transcripts of the video.

The spokesman went on to call the members of ISIS “vermin” and said that their actions would not go “unpunished.”

As of Monday at 8:30 a.m. Central Time, the video had accumulated 1.1 million views on YouTube, according to the Jerusalem Post.

The Huffington Post reports that the hacktivist group also posted on Twitter: “Make no mistake: Anonymous is at war with Daesh.” Daesh is another name for ISIS.

Anonymous is an international network of activist computer hackers who have claimed responsibility for numerous cyberattacks against corporate, religious, and government websites over the past 12 years. Since the Charlie Hebdo attack in January that led to the death of 17 people, Anonymous has been targeting and shutting down Twitter profiles believed to be used by ISIS and their supporters. The Jerusalem Post reports that the hacktivist group has reported more than 39,000 ISIS accounts to Twitter. Out of those, more than 25,000 have been suspended, but almost 14,000 are still active.

China Still Trying to Hack U.S. Firms, Despite Denials

Despite a recent pact between Chinese President Xi Jinping and President Obama to stop cyber war, security services provider CrowdStrike has reported that several Chinese state-backed hackers have been carrying out cyberattacks on several U.S. companies, according to NBC.

CrowdStrike claims that they have blocked every attack that they have come across so far and that the hackers seem to be targeting the networks of U.S. technology and pharmaceutical companies.

Just a few weeks ago, Xi visited the United States, promising leaders of American technology companies that the cyber attacks would stop. He also signed an agreement with President Obama that China and the United States would refrain from continued hacks that were aimed at obtaining company trade secrets for commercial advantage.

But two days after the agreement there were two attacks on technology companies, and more hacking attempts have happened since then.

“Seven of the companies are firms in the technology or pharmaceuticals sectors, where the primary benefit of the intrusions seems clearly aligned to facilitate theft of intellectual property and trade secrets, rather than to conduct traditional national-security related intelligence collection which the Cyber agreement does not prohibit,” CrowdStrike wrote in a blog post Monday.

If the cyberattacks continue, it could lead to sanctions being placed against Chinese companies, according to the agreement made between Xi and Obama.

The U.S. has also been accused of attempting to hack the networks of Chinese companies. Edward Snowden, a former NSA contractor, came forward with information on how the U.S. hacked the Chinese company Huawei last year. Government officials continue to state that the reason for the hack was for national security purposes, not economic advantages.

The Chinese government has not made any comments regarding these attacks at this time.