Security Experts:

Google Says Iran-Linked Hackers Targeted WHO

Google reported on Wednesday that it continues to see attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the World Health Organization (WHO).

Charming Kitten, which experts believe is sponsored by the Iranian government, is also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus. It has been active since at least 2011, mainly targeting individuals and organizations in the Middle East, United States and United Kingdom.

The latest report from Google’s Threat Analysis Group (TAG) on state-sponsored hacking and disinformation campaigns says the company has seen attacks launched by Charming Kitten against the WHO and others.

The attacks launched by Iranian hackers against WHO staff were first reported by Reuters in early April. The news agency said the attacks started on March 2 and their goal was to help the attackers obtain account passwords.

The international healthcare organization said at the time that, as far as it knew, none of the hacking attempts were successful. Iran denied the accusations.

Google has once again warned that government-backed hackers are exploiting the COVID-19 coronavirus pandemic in their attacks. Last month, the company said its security team had seen more than a dozen groups using COVID-19 lures for their phishing and malware attacks. In a separate report released in April, Google said it had been seeing millions of coronavirus-related malicious emails every day.

Google on Wednesday also reported observing new activity originating from “hack-for-hire” companies — many based in India — that have created Gmail accounts designed to appear as if they belong to the WHO.

The fake accounts targeted business leaders in the consulting, financial services, and healthcare sectors in various countries, including the US, UK, Canada, India, Slovenia, Cyprus and Bahrain.

“The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website. The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers,” Google said.

As for disinformation campaigns, the tech giant says it has removed over a thousand YouTube channels since March. The targeted channels appeared to be part of a large, coordinated campaign, and while they mostly pushed spammy, non-political content, some posted political content in Chinese.

Google regularly shares information on state-sponsored hacking operations and it alerts customers who have been targeted in these campaigns. The number of alerts sent out last year — the company sent out nearly 40,000 warnings — decreased by 25% compared to the previous year. Google reported this week that it only sent 1,755 alerts in April.

Related: Google Creates COVID-19 Grant Fund to Boost Bug Hunting

Related: Google 'Task Force' Fights Bad COVID-19 Ads

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.