WHO, CDC and Bill and Melinda Gates Foundation Victims of Credential Dump, Report

Hackers have used credentials allegedly stolen from the WHO, CDC and other notable groups to spread coronavirus misinformation online.

Unknown threat actors have allegedly dumped nearly 25,000 email addresses and passwords from notable organizations involved in the fight against the COVID-19 pandemic, including credentials from prominent health organizations.

Hackers have been using information belonging to groups such as the World Health Organization (WHO), the U.S. Centers for Disease Control and Prevention (CDC), the World Bank, the U.S. National Institutes of Health, the Bill and Melinda Gates Foundation and the Wuhan Institute of Virology online in various ways, according to a report by the Washington Post, citing research by the SITE Intelligence Group.

SITE is a watchdog group aimed at combating online terrorism and extremism. According to the group, hackers and extremists have been using the leaked information to spread conspiracy theories and other misinformation about the coronavirus, including theories that link it to HIV and other disinformation campaigns.

SITE provided a list of the number and source of the email/password combinations to the news outlet. According to their research, about 9,938 email and password combos came from the National Institutes of Health, 6,857 came from the Centers for Disease Control and Prevention, 5,120 came from the World Bank, 2,732 came from the WHO and 269 came from the Gates Foundation.

The WHO so far is the only organization that confirmed the incident, citing a higher number of exposed credentials, 6,835, than had been reported by SITE, according to the report. However, the organization said none of the credentials were compromised and that only 457 of those credentials were still active and valid. The organization also reset the passwords, according to the report.

Other organizations allegedly involved in the data dump have not yet confirmed that their credentials were stolen or exposed. The Gates Foundation—which has raised its profile during the pandemic due to Bill Gates’ outspoken interest in finding and promoting a coronavirus vaccine—said in a statement that it is monitoring the situation, although officials there are not aware of any data breach.

The incident highlights a persistent problem with basic password security, especially among organizations whose employees don’t necessarily have security concerns top of mind. One security researcher who viewed the password lists and talked to the Post said he found password security, particularly at the WHO, “appalling.”

“Forty-eight people have ‘password’ as their password,” cybersecurity expert Robert Potter said, according to the report. “Others used their first names or ‘changeme.’” Potter, chief executive of Australian company Internet 2.0, said he gained access to the WHO’s system using the credentials posted online.
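A defender's first pass over a dump like this, as an added example that is not from the article or SITE's research: it tallies exposed accounts per email domain (the way SITE tallied them per organization) and flags passwords matching the patterns Potter described, the literal word “password”, “changeme”, or the account holder's first name, so those accounts can be reset first. The sample lines, domains and the weak-word list are constructed assumptions; the script reports only email addresses, never the passwords themselves.

```python
import re
from collections import Counter

# Constructed sample of "email:password" lines; domains and people are fictional.
SAMPLE_DUMP = """\
alice.smith@example-health.org:password
bob@example-health.org:Bob
carol@example-bank.int:changeme
dave@example-health.org:S3cure!Passw0rd-2020
malformed line without separator
eve@example-foundation.org:eve
"""

# Assumed blocklist; a real one would be a full breached-password corpus.
KNOWN_WEAK = {"password", "changeme", "123456"}


def parse_dump(text):
    """Yield (email, password) pairs; skip blank or malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        email, _, password = line.partition(":")  # split on the first colon only
        if "@" not in email:
            continue
        yield email.lower(), password


def first_names(email):
    """Name tokens from the local part, e.g. alice.smith -> {'alice', 'smith'}."""
    local = email.split("@", 1)[0]
    return {tok for tok in re.split(r"[._-]+", local) if tok}


def is_weak(email, password):
    """True for blocklisted words or a password equal to a token of the user's name."""
    lowered = password.lower()
    return lowered in KNOWN_WEAK or lowered in first_names(email)


def triage(text):
    """Return (accounts per domain, list of emails whose password is weak)."""
    per_domain = Counter()
    weak_accounts = []
    for email, password in parse_dump(text):
        per_domain[email.rsplit("@", 1)[1]] += 1
        if is_weak(email, password):
            weak_accounts.append(email)
    return per_domain, weak_accounts
```

Feed the real dump in place of SAMPLE_DUMP and the per-domain counts tell you which of your tenants are affected, while the weak list is the reset queue; the 457 still-valid WHO accounts in the report are exactly the population such a pass is meant to find.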

Indeed, weak passwords and credential theft are a persistent and common security threat, and stolen credentials are often sold on hacker forums so threat actors can use them for financial gain. In this case, however, it seems those who had access to the credentials were more interested in using them to spread misinformation, according to SITE.

Neo-Nazis and white supremacists have published the lists “aggressively” on their platforms to promote harassment of the groups as well as to spread information supporting their own skewed agendas and opinions to “weaponize” the pandemic, SITE’s executive director Rita Katz said, according to the report.

The lists of user credentials were first posted to the text storage site Pastebin, and then to 4chan, a message board known for politically motivated hate speech, she said. The credentials later appeared on Twitter and on far-right extremist channels on the messaging app Telegram, according to the report.

COVID-19 and the resulting global restrictions and economic crisis have certainly inspired threat actors to launch myriad new campaigns to capitalize on the disruption that’s been caused. A raft of new web- and email-based attacks have emerged during the crisis, and experts said they are likely to continue as long as the crisis exists, which is expected for some time.

Credential-stealing attacks, including those that exploit the names of prominent organizations in the fight against the pandemic, have indeed been among those new threats. One campaign, for instance, employed a spearphishing email designed to spread the LokiBot credential-stealing trojan, using the WHO trademark as a lure for potential victims.

The WHO itself also has been a target during the pandemic, with evidence surfacing that the DarkHotel APT group has tried to infiltrate its networks to steal information, including staffers’ passwords. It’s not clear if the password dump has anything to do with this attack, however.

Other health organizations also have come under fire from hackers during this time. Researchers recently uncovered two separate malware campaigns, one targeting a Canadian government healthcare organization and a Canadian medical research university, and the other hitting medical organizations and medical research facilities worldwide.
