
World Health Organization (WHO), NIH, Gates Foundation Email Credentials Posted Online

Unknown hacktivists made public some 25,000 email credentials reportedly belonging to staffers at the National Institutes of Health (NIH), the World Health Organization (WHO), the Gates Foundation and others battling the coronavirus (Covid-19) pandemic, according to the SITE Intelligence Group and multiple reports.

Legions of far-right neo-Nazis and white supremacists quickly seized on the information to stoke harassment campaigns and ignite conspiracy theorists preying on fear surrounding the contagion, according to the Bethesda, Maryland-based SITE, an online extremism watchdog that first spotted the data dump. Some of the hacked information has already been used online to spread disinformation such as linking HIV, the virus that causes AIDS, to Covid-19, reports said.

Email addresses and passwords were also posted online from the Centers for Disease Control and Prevention (CDC), the World Bank and China's Wuhan Institute of Virology, SITE and other reports said. Nearly 10,000 email records were snipped from the NIH, the highest number among the affected organizations. The CDC, the World Bank and the WHO together had roughly 15,000 affected accounts, with Gates Foundation emails listed among the remainder.

Data Breach: Missing Details

The full extent of the hack is not known, nor does anyone appear to have a good bead on who did it. Government agencies typically deploy some form of two-factor authentication that bars entry without a second step confirming the owner's consent. Similarly, the hacked organizations can quickly contain the intrusion by instructing users to immediately change their passwords. For example, email addresses registered in the WHO’s external systems and applications were hacked and made public, but passwords have since been reset for the compromised accounts, the public health organization told the U.K.’s Daily Mail.

So far, no mention has been made of likely suspects but early signs point to a nation-state backed operation, perhaps intent upon, as Russia accomplished in the 2016 presidential election, interfering in the upcoming 2020 political sweepstakes.

“Neo-Nazis and white supremacists capitalized on the lists and published them aggressively across their venues,” Rita Katz, SITE’s executive director, told the Washington Post. “Using the data, far-right extremists were calling for a harassment campaign while sharing conspiracy theories about the coronavirus pandemic. The distribution of these alleged email credentials were just another part of a months-long initiative across the far right to weaponize the covid-19 pandemic.”

The user credentials were first posted to Pastebin, a text sharing site, according to the Washington Post. The material then showed up on the 4chan message board known for housing hate speech and political extremism. It subsequently was tagged to Twitter and the Telegram messaging app.

Robert Potter, chief executive of Internet 2.0, an Australian cybersecurity firm, told the Washington Post that he accessed the WHO’s computer system with email credentials already posted on the web. The WHO’s poor password hygiene apparently gained the hackers access to the accounts. “Their password security is appalling,” Potter reportedly said. “Forty-eight people have ‘password’ as their password.” Others were using their own first names or “changeme.” The most recent hack may date to credentials lifted in 2016, he said.

World Health Organization: Popular Target

Hackers have previously targeted the WHO’s email system in two known incidents. Three weeks ago, word surfaced that Iran-backed nation-state hackers have been trying to hijack the personal email accounts of a number of the organization’s personnel including some top executives. The con artists disguised their emails as coming from Google web services to lure unsuspecting victims into keying in their email passwords. And, in a second WHO-related cyber attack, a hacking crew, perhaps the notorious DarkHotel, repeatedly tried to break into the WHO's network looking to lift the passwords of agency personnel.

“The COVID-19 pandemic is reshaping the ways jihadi, far-right, and other terrorist communities seek to carry out attacks,” SITE said in a blog post. “Healthcare facilities, the food industry, and other civilian entities—have now become new targets of large terrorist groups, both domestically and internationally. This crisis has likewise brought forth reports of food contamination by infected individuals, deliberate exposure of law enforcement and healthcare personnel, and attacks against religious and educational institutions in the past few weeks,” SITE wrote.

D. Howard Kass
