Cyber Incident Victim: World Food Programme
Date: Oct 2021
Location: United States of America
Summary
A phishing campaign targeted officials from humanitarian organizations, including the World Food Programme, aiming to harvest Okta and Microsoft credentials for potential intelligence gathering or financial theft. Attackers employed mobile-friendly phishing sites that logged passwords in real time as they were typed, so credentials were captured even if users abandoned the login process before submitting the form. The infrastructure remained active for months, with the phishing domains evading detection by major security services such as Google Safe Browsing. While attribution remains unclear, potential actors include nation-state groups seeking operational intelligence or cybercriminals pursuing financial gain through compromised accounts. The campaign demonstrated tactics uncommon in typical phishing operations, including long-lived infrastructure and keystroke-level credential harvesting.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 2 techniques |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The phishing campaign targeting humanitarian organizations, including the United Nations and UNICEF, was discovered by cybersecurity firm Lookout in October 2019. Attack infrastructure had been operational since March of that year, with phishing sites remaining active through the time of discovery. These sites employed sophisticated techniques uncommon in typical phishing operations, including mobile-responsive design ensuring functionality across smartphones and tablets. The pages featured real-time credential logging that captured passwords as users typed them rather than waiting for form submission, increasing the likelihood of successful data theft even if victims abandoned the login process. This approach demonstrated technical adaptation to maximize compromise success rates.

The attackers focused on harvesting Okta and Microsoft account credentials, potentially enabling unauthorized access to organizational systems for follow-on activities ranging from espionage to financial fraud. Security researchers confirmed the phishing domains were not listed in Google's Safe Browsing database during the campaign's six-month active period, allowing unimpeded access for unsuspecting victims. The expired SSL certificates on some sites indicated prolonged undetected operation. While Lookout documented the infrastructure and provided indicators of compromise, attribution remained unconfirmed with possibilities including nation-state actors seeking intelligence on investigations or whistleblowers, as well as financially motivated groups targeting transaction systems. The campaign's infrastructure remained online at the time of public disclosure, with no confirmed mitigation actions detailed in available reporting.
