The messages began arriving in World Health Organization employees’ inboxes in early April, seemingly innocuous emails about the coronavirus from news organizations and researchers.
But a close examination revealed that they contained malicious links, and some security experts have traced the emails to a hacking group in Iran believed to be sponsored by the government.
The hacking effort, which began on April 3, was an attempt to steal passwords and possibly install malware on WHO computers, according to three people familiar with the matter, who requested anonymity because they aren’t authorized to talk to the news media. The incident was one of several suspected state-sponsored hacks targeting WHO officials in recent weeks, the people said.
Two of the messages sent to the WHO, which were reviewed by Bloomberg News, were designed to look like coronavirus newsletters from the British Broadcasting Corporation. A third message was tailored to look like an interview request from the American Foreign Policy Council, a conservative think tank based in Washington. It encouraged recipients to click on what looked to be a shortened Google link, which diverted to a malicious domain.
The email sent to the WHO impersonating the American Foreign Policy Council purported to be from Ilan Berman, the think tank’s senior vice president. The message had the subject “AFPC Online Interview” and contained a link to what the email claimed were interview questions. But the link diverted to a malicious domain, probably intended to steal passwords and two-factor authentication codes for WHO employee email accounts, according to Zaidenberg.
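The lure described above, a visible link that reads like a Google short link while the real target is a credential-harvesting domain, can be checked mechanically before anyone clicks. The script below is an added example and is not part of the Bloomberg report or of any tool mentioned in it: it pulls every anchor out of an email's HTML part and flags those whose displayed host differs from the actual `href` host, plus any that route through a URL shortener. The sample message, its sender, its domains and the shortener list are all constructed for illustration.

```python
"""Triage links in a suspected phishing email (added example, not from the article).

Flags anchors whose visible text advertises one host (e.g. goo.gl) while the
href points somewhere else, and anchors that pass through a URL shortener,
which hides the final destination from the reader.
"""
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: a small, illustrative list of shortener hosts; extend from your own telemetry.
SHORTENER_HOSTS = {"goo.gl", "bit.ly", "t.co", "tinyurl.com", "ow.ly"}

# Constructed sample message modelled on the lure described in the text; every name and
# domain here is invented (.test / .example TLDs are reserved for documentation).
SAMPLE_EMAIL = """\
From: Interview Desk <interviews@think-tank.example>
To: staff@health-org.test
Subject: Online Interview
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please find the interview questions here:
<a href="https://login-verify.example-bad.test/q">goo.gl/3kP9xQ</a></p>
<p>Our site: <a href="https://www.think-tank.example">www.think-tank.example</a></p>
</body></html>
"""


def host_of(url):
    """Return the lowercase host of a URL, tolerating bare 'host/path' text."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def triage_links(raw_message):
    """Return one finding per anchor in the message's HTML part, with reasons if suspicious."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return []
    parser = _AnchorCollector()
    parser.feed(body.get_content())
    findings = []
    for href, text in parser.anchors:
        href_host = host_of(href)
        reasons = []
        # Visible text that looks like a URL but whose host differs from the real target.
        if "." in text and " " not in text:
            shown = host_of(text)
            if shown and shown != href_host:
                reasons.append(f"display host {shown!r} != link host {href_host!r}")
        if href_host in SHORTENER_HOSTS:
            reasons.append("target is a URL shortener; resolve it before trusting")
        findings.append({"href": href, "text": text, "reasons": reasons})
    return findings


def suspicious(raw_message):
    """Return only the hrefs that carried at least one reason."""
    return [f["href"] for f in triage_links(raw_message) if f["reasons"]]


if __name__ == "__main__":
    for finding in triage_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if finding["reasons"] else "ok"
        print(f"{status}: {finding['text']} -> {finding['href']}  {finding['reasons']}")
```

The script deliberately does not follow any link. When an anchor really does point at a shortener, resolve it out of band from an isolated host with a HEAD request and redirects disabled, so the final domain is learned without the victim browser ever loading the phishing page; the displayed-versus-actual host mismatch is the stronger signal here, since it is exactly what the lure relies on.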
In the past few years, foreign governments and others have been attempting very sophisticated cyber attacks that involve impersonating think tanks and their scholars.