Listen Now

Cybersecurity Lawyer Who Flagged The WHO Hack Warns Of 'Massive' Remote Work Risks

Mar 30, 2020
Originally published on March 30, 2020 7:14 am

Large numbers of companies are rolling out mandatory work-from-home policies to help limit the risks posed by the coronavirus outbreak. But cybersecurity experts warn that those remote setups invite new hacking risks.

The Federal Bureau of Investigation recently issued warnings of an uptick in fraudulent crimes tied to the coronavirus, particularly by scammers posing as official health agencies.

This month, a hacking group tried to break into the World Health Organization. The breach was discovered by Alexander Urbelis, a hacker-turned-information-security lawyer who founded the New York-based Blackstone Law Group.

Although Urbelis can't be certain about the identity of the hackers, he says the group replicated a portal used by remote WHO employees that he describes as "very, very convincing."

Urbelis spoke with NPR's Steve Inskeep about the designs of such attacks and some best cybersecurity practices people should use to defend themselves against hackers.

On how he spotted the cyberattack targeting WHO

The group that targeted the WHO, we have been watching for quite a while. And that group has in fact targeted several of our other clients [Editor's note: WHO is not one of Blackstone's clients.] And we have been monitoring the Internet for indications that the group has reawakened or reactivated some of its infrastructure. And that's what we detected with respect to a live attack against the World Health Organization.

On the "sophisticated" group that targeted WHO

It's very difficult to say with any near certainty exactly who this is. There are some indications that a group by the name of DarkHotel — which is known for targeting executives, checking into hotels and hotel Wi-Fi and things like that — may be responsible for this particular type of attack.

What we do know, though, is that the group that we've been watching is very sophisticated. Their attacks are very sleek. They're very well researched. The attackers perform a significant amount of reconnaissance on the configurations and the systems of [who they attack]. And they painstakingly create portals that look exactly like the victims' portals.

And that's what we saw with the WHO on the 13th of March. We saw a URL – a Web address — being created and put together that exactly mirrored the doorway to World Health Organization's internal file systems. So it was the external link to the internal file systems — that portal that remote employees would use to access the WHO, let's say if they were working from home – that's what this group had replicated.

We have seen this group not only replicate the portals of the WHO, but major research universities and many other intergovernmental organizations like the WHO. In fact, the same day that the WHO was targeted by this particular group, they also targeted the U.N.; certain components of the United Nations.

They have all the hallmarks of being a state-sponsored or state-affiliate group. And that means that they could be considered what's known as an APT, or in information security terms that stands for advanced persistent threat — essentially a force to be reckoned with.

On how the "very, very convincing" WHO attack demonstrates the security issues with working from home

People are very used to seeing these portals that are asking for their usernames and passwords. And if you look at the Web address or the URL that's associated with this particular type of attack, it was very, very convincing.

I was glad to hear, on the back end of this though, from what we know from the WHO, that the attack was unsuccessful.

On why the hacking group would want to target WHO

Well, I think it's for the obvious reason anybody would want to target the World Health Organization right now. It would be for intelligence-gathering purposes and gaining an advantage.

I mean, right now any advance information about preventive measures, cures, vaccines — even country-by-country infections and statistics is going to be extraordinarily valuable. That can be valuable to a country's private industry, especially if they are trying to get a leg up with respect to, let's say, palliative care or the distribution of testing kits, and even the creation of a vaccine.

I suppose it would also be very helpful to somebody who's working the stock market.

Absolutely. It would most certainly be valuable because what we're dealing with right now is a different class of information that is moving markets. Data from the World Health Organization certainly moves the market one way or the other.

On "the massive amount of security issues surrounding working from home."

This means that more personal devices, more off-premises endpoints, so to speak, being used to handle and process business data, including highly sensitive data like trade secrets and business plans.

Because of this, all of our [client] companies have had to dedicate a massive amount of IT resources to support all of these remote working arrangements, including the deployment of best cyber hygiene practices — things that are known as MFA [multifactor authentication] or 2FA [two-factor authentication], in particular ... using something other than just a password to access company resources is critical these days. Because the bad guys know that people reuse passwords or they have variations on a theme of passwords.

There have been so many data breaches with all of our passwords for so many years now that there's always a password that you can associate with an individual. And so what the bad guys, the threat actors, will try is password spraying — just taking your username with your password and variations on a theme of your password and trying to brute force their way into your office systems.

Copyright 2020 NPR. To see more, visit https://www.npr.org.

RACHEL MARTIN, HOST:

A lot of the global workforce is working remotely right now. And according to cybersecurity experts, that shift is a hacker's paradise. Steve Inskeep talked with Alexander Urbelis. He's a former hacker-turned-information security lawyer. And he explained how he discovered an attack on the World Health Organization. He told Steve that a group of hackers created a website in an attempt to steal passwords from health officials.

ALEXANDER URBELIS: The manner in which we picked up this particular attack is that the group that targeted the WHO, we have been watching for quite a while. And then - we have been monitoring the Internet for indications that the group has re-awoken. And that's what we detected on 13 March with respect to a live attack against the World Health Organization.

STEVE INSKEEP, BYLINE: To the best of your knowledge, who is this group?

URBELIS: There are some indications that a group by the name of DarkHotel - which is known for targeting executives, checking into hotels and hotel Wi-Fi and things like that - may be responsible for this particular type of attack. This group that we have been watching is very sophisticated. Their attacks are very sleek. The attackers perform a significant amount of reconnaissance, and they painstakingly create portals that look exactly like the victims' portals.

INSKEEP: What does that mean - create a portal that looks exactly like? That means I'm here at home trying to log into my company's server. I have to effectively go through the door of the company, in Internet terms, and they create a fake door and trick my computer into going through that door? Is that what you mean?

URBELIS: That's almost exactly right, Steve. Yes. And that's what we saw happening with the WHO on the 13 of March.

INSKEEP: I suppose this is an especially dangerous attack at a moment when everybody is being told to work from home and log in from home?

URBELIS: Oh, no doubt. Absolutely. People are very used to seeing these portals that are asking for their usernames and passwords. And if you look at the Web address or the URL that's associated with this particular type of attack, it was very, very convincing.

I'll tell you, there is a massive amount of security issues surrounding working from home. For most organizations, this is really a problem of degree. Our entire workforce has gone from maybe 5% to 10% of off-premises work to 100% off-premises work. So this means that we have more personal devices, more off-premises endpoints, so to speak, being used to handle and process business data, including highly sensitive data like trade secrets and business plans.

INSKEEP: One of the things with so many people working from home - and I would presume in many cases, working a lot more on computers even than they normally would be - we're all washing our hands for proper hygiene to secure ourselves. Is there a computer equivalent of washing your hands that you would recommend to people to avoid hacking?

URBELIS: (Laughter) Yes. I mean, where to start? We can't underestimate the importance of multifactor authentication. Small businesses may want to implement this really quickly. They can do so by using services like Google and Duo. Even personal accounts should be upgraded with multifactor authentication.

Another thing - absolutely - training is key here - understanding what scams are going to look like, understand that the psychological trigger points during a health crisis like this are things like vaccines, treatments, money rebates, anything that has to do with this $1,200 that's going to be coming back to persons and people in need, workplace-related guidance - these are all things that are going to be phishing lures. And phishing is the biggest problem that an organization is going to face right now. But phishing scams are just old wine in a new bottle.

Good cyber-hygiene, together with a skeptical and rigorous mind, are the best defenses. And honestly, no technological defense is going to be 100% effective. The gray matter in between our ears and our instincts are going to be what matters most.

INSKEEP: Alexander Urbelis, thanks so much for the time - really appreciate it.

URBELIS: Absolutely. It's my pleasure, Steve. And I wish you the best of luck and best of health. Transcript provided by NPR, Copyright NPR.