Cyber Incident Victim: World Health Organization
Date: Mar 2020
Location: Iran
Summary
Hackers linked to the Iranian government targeted the personal email accounts of World Health Organization staff during the coronavirus pandemic, using phishing messages disguised as Google services to steal passwords. The attacks, part of a broader wave of intrusion attempts against entities involved in the global outbreak response, were still ongoing at the time of reporting; the organization said none had succeeded. Forensic data pointed to Tehran, and the same malicious infrastructure was used against American academics with ties to Iran. While the motive remained unclear, the activity fit the pattern of intelligence collection during international crises, for instance seeking information on infection rates or response plans. Iran denied involvement, saying it had been falsely accused amid heightened geopolitical tensions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 2 techniques |
| Threat Actor | Type | Location |
|---|---|---|
| 1 actor | Available to members | Available to members |
Description
In March 2020, hackers working on behalf of the Iranian government targeted the personal email accounts of World Health Organization staff during the COVID-19 pandemic. The attacks began on March 2 and relied on credential phishing: malicious messages impersonating Google web services were sent to staff in an attempt to steal their passwords. The campaign coincided with a broader surge in cyberattacks against the WHO; Reuters reported in March that intrusion attempts against the agency and its partners had more than doubled since the start of the coronavirus crisis. Forensic analysis of the malicious websites and of internet traffic patterns by cybersecurity professionals exposed the attackers' infrastructure and methods. The operation focused on personal email accounts rather than official WHO systems, a common intelligence-gathering tactic because personal accounts sit outside an organization's enforced controls (such as mandatory multi-factor authentication and monitoring) and are therefore easier to compromise. Security researchers at private firms observed the activity while monitoring global cyber threats, and one technology company employee attributed the attacks to an Iranian state-backed group on the basis of the traffic patterns. WHO spokesman Tarik Jasarevic acknowledged the phishing attempts against staff personal accounts but said no accounts had been breached, and stressed that the organization could not attribute responsibility. Iran's information technology ministry denied involvement, calling the allegations false accusations intended to pressure the country.

The incident took place against the backdrop of a severe COVID-19 outbreak in Iran that reached the country's leadership circles, though the hackers' precise motives remained unclear. Cybersecurity experts noted that the same malicious infrastructure used against WHO staff was simultaneously deployed against American academics with Iranian connections, using impersonation tactics similar to earlier Iranian operations that masqueraded as media organizations. These attacks were distinct from the separate intrusion attempts by the DarkHotel hacking group, active in East Asia, that Reuters had reported earlier. A U.S. intelligence source familiar with the campaign described such cyber operations as standard during international crises, noting that even unclassified WHO data, such as infection rate estimates, has intelligence value. The WHO maintained that its systems were not compromised, but the sustained phishing attempts illustrated the persistent threat to global health organizations during the pandemic response. No evidence emerged that any stolen data affected COVID-19 containment efforts or treatment research. Cybersecurity firm Prevailion provided data indicating the involvement of a sophisticated hacking group, though Reuters could not independently verify those technical claims. The incident shows how state-aligned actors used the global health emergency as an opportunity for intelligence collection through conventional cyber espionage tactics.
