By Joseph Menn, Christopher Bing, Raphael Satter, Jack Stubbs
SAN FRANCISCO/WASHINGTON/LONDON (Reuters) – Hackers working in the interests of the Iranian government have attempted to break into the personal email accounts of staff at the World Health Organization during the coronavirus outbreak, four people with knowledge of the matter told Reuters.
It is not clear if any accounts were compromised, but the attacks show how the WHO and other organizations at the center of a global effort to contain the coronavirus have come under a sustained digital bombardment by hackers seeking information about the outbreak.
Reuters reported in March that hacking attempts against the United Nations health agency and its partners had more than doubled since the beginning of the coronavirus crisis, which has now killed more than 40,000 worldwide.
The latest effort has been ongoing since March 2 and attempted to steal passwords from WHO staff by sending malicious messages designed to mimic Google web services to their personal email accounts, a common hacking technique known as “phishing,” according to four people briefed on the attacks. Reuters confirmed their findings by reviewing a string of malicious websites and other forensic data.
“We’ve seen some targeting by what looks like Iranian government-backed attackers targeting international health organizations generally via phishing,” said one of the sources, who works for a large technology company that monitors internet traffic for malicious cyber activity.
WHO spokesman Tarik Jasarevic confirmed that personal email accounts of WHO staff were being targeted by phishing attacks, but said the WHO did not know who was responsible. “To the best of our knowledge, none of these hacking attempts were successful,” he said.
Iran’s government denied any involvement. “These are all sheer lies to put more pressure on Iran,” said a spokesman at Iran’s information technology ministry.
Karim Hijazi, chief executive of cyber intelligence firm Prevailion, shared his recently captured data with Reuters that shows a sophisticated hacking group was actively targeting the global health organization.
Reuters couldn’t independently confirm his analysis. Hijazi said the identity of the hackers was difficult to determine, although their techniques appeared advanced.
The intrusion attempts are distinct from others reported by Reuters last week, which sources said were thought to be the work of an advanced group of hackers known as DarkHotel that has previously been active in East Asia – an area that has been particularly affected by the coronavirus.
The motives of the hackers was not clear, but targeting officials at their personal accounts is a longstanding intelligence-gathering technique.
Other details in this phishing attempt point to links with Tehran. For example, Reuters found that the same malicious websites used in the WHO break-in attempts were deployed around the same time to target American academics with ties to Iran.
The related activity – which saw the hackers impersonate a well-known researcher – parallels cases Reuters previously documented where alleged Iranian hackers masqueraded as media figures from organizations such as CNN or The New York Times to trick their targets.
Iran has suffered an enormous loss of life from the coronavirus, and infections have reached the inner circle of the country’s leadership.
A person close to U.S intelligence said he was aware of the Iranian campaign and that such attacks are standard fare during times of international crisis.
While large prizes for intelligence agencies would include coronavirus response plans for various countries or word of effective treatments, more benign data, such as WHO estimates for infection rates, would also be valuable, the person said.
(Reporting by Joseph Menn, Christopher Bing, Jack Stubbs and Raphael Satter. Additional reporting by Stephanie Ulmer-Nebehay in GENEVA and Parisa Hafezi in ANKARA; editing by Chris Sanders and Edward Tobin)
Our Privacy Commitment
TV5 Network Inc. values and respects your right to privacy. We are committed to safeguarding your personal data in compliance with Republic Act No. 10173 or the Data Privacy Act of 2012 and its Implementing Rules and Regulations.
Why do we collect your personal information (as applicable)?
We collect and maintain basic information about you as users of TV5 sites for the following purposes:
Where do we get your personal information?
There are several ways we collect your personal information.
Information that you personally provided.
Most of the personal information we have are those that you have provided us when you:
Information we collect during your engagement with us
We also collect information as you use our products and services, like:
Information we collect from other sources
We also collect your personal information through other activities such as our market research initiatives, when you visit and use our websites and mobile apps, and from our subsidiaries, affiliates, and third-party business partners to whom you have given consent to share your information to us.
When do we disclose personal information?
There are circumstances when we are required to share some of the information you have provided us. In these cases, we ensure that your personal information will be disclosed on a confidential manner, through secure channels that is in compliance with the Data Privacy Act and other privacy laws.
In some instances, we may be required to disclose your personal information to our agents, subsidiaries, affiliates, business partners and other third-party agencies and service providers as part of our regular business operations and for the provision of our programs and services. This means we might share your information with:
How we protect your personal information
We also put in effect the following safeguards:
TV5 will not collect, use, or disclose your personal information for any purpose other than those identified in this Commitment, your Service Agreement or our Terms of Service, and any other purpose that you may have given your consent for.
For greater clarity, unless you provide specific consent, we shall not:
What are your choices?
You are given certain rights in relation to your personal data under the Data Privacy Act. We would like to ensure that we have your consent to continue to collect, use, and disclose your personal information for the purposes that we have identified. We want you to know that you do have choices and can object or withdraw your consent and/or edit your consent preferences at any time.
If you wish to have access to your personal information in our records; or you think that such personal information we have of you is incomplete, not up-to-date, or otherwise inaccurate, you may get in touch with our Data Privacy Officer through the contact details provided below. In some instances, we may request for supporting documents or proof before we effect any requested changes to your personal information.
Data Protection Officer
TV5 Network Inc.
Reliance corner Sheridan Streets
What happens when there are changes in our Policy?
You will always be provided notice if these changes are significant and, if we are required by law, we will ensure to obtain your updated consent.