Cybersecurity Lawyer Who Flagged The WHO Hack Warns Of 'Massive' Remote Work Risks
Large numbers of companies are rolling out mandatory work-from-home policies to help limit the risks posed by the coronavirus outbreak. But cybersecurity experts warn that those remote setups invite new hacking risks.
The Federal Bureau of Investigation recently issued warnings of an uptick in fraudulent crimes tied to the coronavirus, particularly by scammers posing as official health agencies.
This month, a hacking group tried to break into the World Health Organization. The breach was discovered by Alexander Urbelis, a hacker-turned-information-security lawyer who founded the New York-based Blackstone Law Group.
Although Urbelis can't be certain about the identity of the hackers, he says the group replicated a portal used by remote WHO employees that he describes as "very, very convincing."
Urbelis spoke with NPR's Steve Inskeep about the designs of such attacks and some best cybersecurity practices people should use to defend themselves against hackers.
On how he spotted the cyberattack targeting WHO
The group that targeted the WHO, we have been watching for quite a while. And that group has in fact targeted several of our other clients [Editor's note: WHO is not one of Blackstone's clients.] And we have been monitoring the Internet for indications that the group has reawakened or reactivated some of its infrastructure. And that's what we detected with respect to a live attack against the World Health Organization.
On the "sophisticated" group that targeted WHO
It's very difficult to say with any near certainty exactly who this is. There are some indications that a group by the name of DarkHotel — which is known for targeting executives, checking into hotels and hotel Wi-Fi and things like that — may be responsible for this particular type of attack.
What we do know, though, is that the group that we've been watching is very sophisticated. Their attacks are very sleek. They're very well researched. The attackers perform a significant amount of reconnaissance on the configurations and the systems of [who they attack]. And they painstakingly create portals that look exactly like the victims' portals.
And that's what we saw with the WHO on the 13th of March. We saw a URL – a Web address — being created and put together that exactly mirrored the doorway to World Health Organization's internal file systems. So it was the external link to the internal file systems — that portal that remote employees would use to access the WHO, let's say if they were working from home – that's what this group had replicated.
We have seen this group not only replicate the portals of the WHO, but major research universities and many other intergovernmental organizations like the WHO. In fact, the same day that the WHO was targeted by this particular group, they also targeted the U.N.; certain components of the United Nations.
They have all the hallmarks of being a state-sponsored or state-affiliate group. And that means that they could be considered what's known as an APT, or in information security terms that stands for advanced persistent threat — essentially a force to be reckoned with.
On how the "very, very convincing" WHO attack demonstrates the security issues with working from home
People are very used to seeing these portals that are asking for their usernames and passwords. And if you look at the Web address or the URL that's associated with this particular type of attack, it was very, very convincing.
I was glad to hear, on the back end of this though, from what we know from the WHO, that the attack was unsuccessful.
On why the hacking group would want to target WHO
Well, I think it's for the obvious reason anybody would want to target the World Health Organization right now. It would be for intelligence-gathering purposes and gaining an advantage.
I mean, right now any advance information about preventive measures, cures, vaccines — even country-by-country infections and statistics is going to be extraordinarily valuable. That can be valuable to a country's private industry, especially if they are trying to get a leg up with respect to, let's say, palliative care or the distribution of testing kits, and even the creation of a vaccine.
I suppose it would also be very helpful to somebody who's working the stock market.
Absolutely. It would most certainly be valuable because what we're dealing with right now is a different class of information that is moving markets. Data from the World Health Organization certainly moves the market one way or the other.
On "the massive amount of security issues surrounding working from home."
This means that more personal devices, more off-premises endpoints, so to speak, being used to handle and process business data, including highly sensitive data like trade secrets and business plans.
Because of this, all of our [client] companies have had to dedicate a massive amount of IT resources to support all of these remote working arrangements, including the deployment of best cyber hygiene practices — things that are known as MFA [multifactor authentication] or 2FA [two-factor authentication], in particular ... using something other than just a password to access company resources is critical these days. Because the bad guys know that people reuse passwords or they have variations on a theme of passwords.
There have been so many data breaches with all of our passwords for so many years now that there's always a password that you can associate with an individual. And so what the bad guys, the threat actors, will try is password spraying — just taking your username with your password and variations on a theme of your password and trying to brute force their way into your office systems.
Copyright 2020 NPR. To see more, visit https://www.npr.org.