Who Tried to Hack the WHO and the HHS? An Investigation
As COVID-19 continues its tear across the globe, disrupting business as usual and raising fear levels to epic proportions, hackers have (predictably) been on a full offensive.
A few weeks ago, two separate hack attempts – one on the World Health Organization (WHO) and the other on the US Health and Human Services Department (HHS) – made the world news. Fortunately, it seems that both of the attacks ultimately failed – at least this time.
So who has been targeting these massive organizations and why? Let’s take a look at what we know so far and how the lessons learned from these hack attempts can help companies organize their own cybersecurity response plans.
Fake WHO Portal has Fingerprints of DarkHotel APT
One thing we know for certain about the hack attempt on the World Health Organization is that it was derailed by a hacker-turned-InfoSec lawyer, Alexander Urbelis.
Like many companies across the globe, WHO provides a portal through which remote workers can access company systems. The attackers took advantage of this remote access portal by creating a dummy portal with the intent to steal passwords from remote users who logged in. Unlike similar hatchet jobs (I’m sure you know the ones we mean), this was a very convincing replica, the end result of painstaking research and specialist knowledge on the hackers’ part.
Although the identity of the hackers is still not known for sure, Urbelis suspects the South Korean DarkHotel group. DarkHotel is usually known for its penchant for targeting business executives staying at luxury hotels; the WHO attack demonstrates how cybercriminals can easily change tactics and targets whenever they sense an opportunity.
This case highlights the massive risks that remote working can expose companies to. That’s why implementing a Zero Trust architecture is as important as ever, now that millions of users are remotely accessing company applications and resources from endpoints all over the world.
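The replica-portal trick above works because a lookalike hostname passes a quick glance. One defensive check is to scan your web-proxy or DNS logs for hostnames that resemble the real portal. The script below is an added example and is not part of the original post or any Shamrock tooling; the portal name remote.example-org.int, the log lines, and the three heuristics (homoglyph substitution, the real name embedded under another domain, and a near-miss on the registrable domain) are all constructed assumptions for illustration.

```python
"""Flag hostnames in proxy logs that resemble the organisation's real remote-access portal.

Everything here is constructed for the example: the legitimate portal name,
the log lines, and the substitution table.
"""
import re
from typing import List, Optional, Tuple

LEGIT_PORTAL = "remote.example-org.int"  # assumed legitimate portal hostname

# Characters and digraphs that are commonly swapped to make a name look alike.
HOMOGLYPHS = {"0": "o", "1": "l", "3": "e", "5": "s", "vv": "w", "rn": "m"}

def normalize(host: str) -> str:
    """Lowercase and undo common look-alike substitutions."""
    host = host.lower().strip(".")
    for fake, real in HOMOGLYPHS.items():
        host = host.replace(fake, real)
    return host

def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable(host: str) -> str:
    """Naive registrable domain: the last two labels. Production code should
    consult the public suffix list instead."""
    return ".".join(host.split(".")[-2:])

def classify(host: str, legit: str = LEGIT_PORTAL) -> Optional[str]:
    """Return a reason string if `host` looks like `legit`, else None."""
    raw = host.lower().strip(".")
    if raw == legit.lower():
        return None                      # the genuine portal itself
    h, l = normalize(raw), normalize(legit)
    if h == l:
        return "homoglyph"               # e.g. rem0te.example-org.int
    if l in h and registrable(h) != registrable(l):
        return "embedded"                # real name used as a subdomain elsewhere
    if registrable(h) == registrable(l):
        return None                      # a sibling host on the genuine domain
    if levenshtein(registrable(h), registrable(l)) <= 2:
        return "typosquat"               # one or two characters off
    return None

# Constructed proxy log lines for the demonstration.
SAMPLE_LOG = """\
2020-03-13T09:12:01Z user=alice host=remote.example-org.int status=200
2020-03-13T09:14:22Z user=bob host=rem0te.example-org.int status=200
2020-03-13T09:15:40Z user=carol host=remote.example-org.int.secure-login.xyz status=200
2020-03-13T09:16:05Z user=dave host=mail.example-org.int status=200
2020-03-13T09:18:30Z user=erin host=remote.exampl-org.int status=200
"""

HOST_RE = re.compile(r"\buser=(\S+)\s+host=(\S+)")

def scan_log(text: str = SAMPLE_LOG) -> List[Tuple[str, str, str]]:
    """Return (user, host, reason) for every log line whose host looks like the portal."""
    hits = []
    for line in text.splitlines():
        m = HOST_RE.search(line)
        if not m:
            continue
        user, host = m.groups()
        reason = classify(host)
        if reason:
            hits.append((user, host, reason))
    return hits

if __name__ == "__main__":
    for user, host, reason in scan_log():
        print(f"{user} visited {host} ({reason})")
```

A hit is a prompt to check the user's session and reset their credentials, not proof of compromise; the two-label `registrable()` shortcut also misfires on multi-label public suffixes, so swap in a public-suffix library before running this against real logs.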
Uncertainty Still Reigns Over HHS ‘Attack’
Another type of threat companies need to be aware of is the classic distributed denial-of-service (DDoS) attack, in which vast numbers of connection requests are sent to a destination server from many sources at once, exhausting its capacity and effectively taking it offline.
The Health and Human Services Department may have been the target of a failed DDoS attack, with some cybersecurity experts pointing the finger at Iran. However, others have dismissed the event as a simple uptick in traffic from concerned citizens.
While the HHS had put mitigating technologies in place ahead of time to thwart the ‘attack’, smaller companies are likely to be much more vulnerable. Could a DDoS attack focused on your VPN portal lock out your remote workforce (including your IT support team)? It certainly could, and the effect it would have on your business could be devastating.
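The disagreement over whether the HHS event was an attack or an organic uptick is a triage question defenders face constantly. A first cut is to bucket connection-log entries into short windows, compare each window against a baseline, and check whether a surge is concentrated in a few sources or spread across many. The script below is an added example, not from the original post or any vendor product; the log format, the hostname vpn.example-org.int, the ten-second window, the 10x threshold and the 50 per cent concentration cut-off are all constructed assumptions.

```python
"""Spot a connection-rate surge against a VPN portal and say whether it is
concentrated in a few sources. All data here is constructed for the example."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

WINDOW_SECONDS = 10                      # assumed bucket size
EPOCH = datetime(1970, 1, 1)             # used so bucketing ignores local time zone

def build_sample_log() -> str:
    """Constructed log: 60 s of normal traffic, then a 30 s burst from three sources."""
    lines = []
    t0 = datetime(2020, 3, 15, 20, 0, 0)
    # Normal: one connection every 2 s from 30 distinct home/office addresses.
    for i in range(30):
        ts = t0 + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()}Z src=198.51.100.{i % 30 + 1} dst=vpn.example-org.int")
    # Burst: 50 connections per second for 30 s, rotating over three addresses.
    burst_srcs = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
    for s in range(60, 90):
        ts = t0 + timedelta(seconds=s)
        for k in range(50):
            lines.append(f"{ts.isoformat()}Z src={burst_srcs[k % 3]} dst=vpn.example-org.int")
    return "\n".join(lines)

LINE_RE = re.compile(r"^(\S+)Z src=(\S+) ")

def summarize_windows(text: str) -> List[Dict]:
    """Per window: total connections, distinct sources, share held by the top three."""
    buckets: Dict[int, Counter] = defaultdict(Counter)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m.group(1))
        secs = int((ts - EPOCH).total_seconds())
        key = secs // WINDOW_SECONDS * WINDOW_SECONDS
        buckets[key][m.group(2)] += 1
    out = []
    for key in sorted(buckets):
        c = buckets[key]
        total = sum(c.values())
        top3 = sum(n for _, n in c.most_common(3))
        out.append({
            "window_start": (EPOCH + timedelta(seconds=key)).isoformat() + "Z",
            "total": total,
            "sources": len(c),
            "top3_share": top3 / total,
        })
    return out

def detect_surge(summaries: List[Dict], baseline_windows: int = 3,
                 factor: int = 10, concentration: float = 0.5) -> List[Tuple[str, int, str]]:
    """Flag windows at >= factor x the median of the first `baseline_windows`
    totals, labelling each as concentrated (top three sources carry at least
    `concentration` of the traffic) or distributed."""
    base = sorted(s["total"] for s in summaries[:baseline_windows])
    median = base[len(base) // 2] if base else 0
    alerts = []
    for s in summaries[baseline_windows:]:
        if s["total"] >= factor * max(median, 1):
            kind = "concentrated" if s["top3_share"] >= concentration else "distributed"
            alerts.append((s["window_start"], s["total"], kind))
    return alerts

if __name__ == "__main__":
    for start, total, kind in detect_surge(summarize_windows(build_sample_log())):
        print(f"{start}: {total} connections, {kind}")
```

A concentrated surge is the easy case: a handful of addresses can be rate-limited at the edge. A distributed result does not mean the traffic is organic (a botnet looks distributed too); it means the mitigation has to move upstream to a scrubbing service or CDN, which is exactly the kind of capacity the HHS appears to have had in place and a small business usually does not.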
High Profile Attacks are the Tip of the Iceberg
The COVID-19 pandemic has effectively created one of the most fertile battlegrounds for cybercriminals in recent memory.
Many of our partners, who are leading experts in monitoring advanced persistent threats, have explained to us how hacker groups have adjusted their tactics to weaponize the virus for their own means.
For example, APT36, a group from Pakistan, has been using the disguise of a health advisory document to persuade recipients to open an infected file and install a remote admin tool (RAT) on their devices. Similar groups from China (Vicious Panda, Mustang Panda), Russia (Hades) and North Korea (Kimsuky) are also mobilizing with new, COVID-related phishing campaigns.
But that doesn’t mean business leaders are helpless in the constant fight against cybercriminals. There are many things you can do, from ditching that easily-hackable VPN in favor of a more secure, software-defined remote access tool like AppGate SDP (which takes the traffic off your firewall, creates easily-implemented granular controls and individual perimeters around every user), to securing your endpoints with a MITRE ATT&CK Index leader like CrowdStrike Falcon for proactive protection.
With the right tools in place, you can ensure that both your users and your network are fully protected from prying eyes.
How Shamrock can help you fight the other ‘invisible enemy’
The WHO attack in particular should ring alarm bells for any company currently deploying remote workers (so, like, every company in the world).
For instance, are you confident that every member of your WFH crew could distinguish your VPN portal from a carefully crafted replica? One way to check would be to carry out a social engineering test, which is something that Shamrock and our partners can work with you on.
Every good IT leader has concerns about cybersecurity, every single day. And those concerns have been exacerbated to the nth degree thanks to COVID-19. But with a few carefully crafted steps such as an initial security assessment, you’ll be able to sleep a bit easier at night.
Shamrock partners with the top providers in the security space to help you protect your users, your network and your company’s reputation, and the majority of our services are free!
Don’t delay when it comes to network security. Talk to one of our experts and we’ll help you get these vital protections in place with same-day installations and the guaranteed best rates.