Hackers Target WHO, COVID-19 Research Firm with Cyberattacks

March 24, 2020 - Hacking groups are targeting healthcare in full force, with the World Health Organization and Hammersmith Medicines Research (HMR), a UK-based research team on standby for developing a COVID-19 vaccine, reporting they were both hit with cyberattacks in the past month.

Reuters was the first to report the attack on WHO. Hackers unsuccessfully attempted to breach the network of the health organization and its partners beginning on March 13. A researcher detected a hacking group activating a malicious site that impersonated the email system of WHO.

The Office for Civil Rights recently warned healthcare providers that hackers have increasingly impersonated health agencies tasked with the Coronavirus response, as well as the FBI and the Department of Justice.

It’s currently unclear who’s responsible for the attack, but the researcher who discovered the incident, Alexander Urbelis, a cybersecurity expert and attorney with Blackstone Law Group, believes the attack was the work of cyberespionage hackers known as DarkHotel.

WHO confirmed the site found by Urbelis was linked to previous attempts to steal credentials from its employees. Attacks on the agency and attempts impersonating WHO have doubled during the pandemic, while about 2,000 coronavirus-themed websites are being set up each day.

READ MORE: Coronavirus Fraud Schemes Surge, as FBI, HHS OIG Advise Cyber Hygiene

To Russell P. Reeder, CEO of cloud-based data protection vendor, Infrascale, healthcare organizations need to be reviewing and discussing their data protection strategies as more work shifts into the remote environment to ensure they’re protected in the event of a compromise.

“As the public's thirst for information on the topic increases, along with workforces mobilizing to work-from-home to aid in isolating the effects of the pandemic, it appears that these stories will continue to increase,” Reeder said in an emailed statement.

“It is a critical time to make sure all your data is backed up, especially as many of the company assets are moving out of the office,” he added. “If it’s critical to always have your systems running and you could not afford the downtime to rebuild your systems, you need more than just cloud backup and would need to implement a disaster recovery solution to continue your operations with minimal downtime.”

Meanwhile, the cyberattack on HMR was much more successful, as the Maze hacking group posted personal and medical data from thousands of patients after the research firm declined to pay the ransom demand, first reported by Computer Weekly.

The hackers have notoriously been posting the data of its victims for several months.

READ MORE: Best Practice Cybersecurity Methods for Remote Care, Patient Portals

HMR is focused on early clinical drug and vaccine trials, and previously researched and developed an Ebola vaccine and Alzheimer’s disease treatments. Maze hackers attacked HMR on March 14, but the security team quickly detected, stopped, and restored its systems within the same day.

The research firm was able to avoid downtime and restore its functions. However, one week later, the hackers began pressuring HMR to pay the ransom and posted some of the research data it stole from the firm.

According to HMR, the files are between eight- to 20-years-old and contain photocopies of passports, medical questionnaires, driver’s licenses, and national insurance numbers for about 2,300 patients. HealthITSecurity.com was able to view the Maze market listing, which confirms the March 16 cyberattack date and lists several HMR employee names and contacts.

HMR was aware the hackers posted some of the stolen data but has no intention of paying the ransom, as they do not have the funds to do so.

Brett Callow, EmsiSoft threat analyst, told HealthITSecurity.com that it’s imperative to understand the hackers certainly haven’t published all of the data they’ve stolen. Typically, the group will first publish a small amount as “proofs” to name their victim in hopes that they'll pay the demand.

READ MORE: OCR Shares COVID-19 Cyber Scam Advice, as Hackers Impersonate WHO

If those attempts fail, the hacking group will publish more information, often staggered, to increase the pressure, he explained. In the past, they’ve also posted the stolen data on Russian cybercrime forums, telling them to “'use this information in any nefarious ways that you want.'”

“A number of publications recently reported that Maze and one other ransomware group had declared an amnesty and stated that they would not attack medical organizations for the duration of the COVID-19 outbreak,” Callow said. “While the attack on HMR occurred after that amnesty had been declared, it would nonetheless be a mistake to assume that the ransomware groups will keep to their word.”

“These people are criminals, and criminals aren’t noted for their honesty. Every one of their attacks harms businesses, harms the people whose data been exposed and, in some cases, puts lives at risk,” he added. “The Maze group has since removed - albeit temporarily, according to the criminals - the data relating to HMR but, unfortunately, the people affected can take little comfort from that as it’s possible they may decide to republish it at some later data.”

Healthcare organizations should also be warned that other criminals access the data leaked on these sites and use it for their own devices. As a result, data from victims posted in the forum may already be sold, traded, or used to commit identity fraud. Callow added that the Maze criminals may well be using it for the same purposes.

As these attacks continue to dominate the healthcare sector during the pandemic, several security firms are offering free security assistance to providers on the frontlines. EmsiSoft has offered its security assistance to any providers hit with ransomware attacks during the crisis.