SITE, based in Bethesda, Md., concluded that whoever posted the credentials last week was hoping to inspire a new wave of intrusions that might reveal information about how the targeted institutions responded to the pandemic. Posting personal information online is called “doxing” and typically is regarded as a form of harassment or a way to incite harassment.
Details about who posted the emails and passwords remain scant, and SITE has not learned the real-world identity of the culprit. Based on comments and links on various social media sites that appear to be from the same person, however, SITE determined that the initial poster probably was an American who espoused conspiracy theories popular on the political right, including that government officials and news organizations are exaggerating covid-19 death counts to manipulate the public.
“In line with these views, the uploader sought to encourage other users to log into the email addresses to uncover these perceived lies and secrets,” said Rita Katz, executive director of SITE. “On multiple platforms, the user framed the email credentials as a sort of gold mine of information and urged users to log on and save as much as they could.”
Most of the targeted institutions have not commented in detail on the incident, and most have not publicly acknowledged it. All said that cybersecurity was an organizational priority.
The WHO, however, issued a news release last week noting a fivefold increase in cyberattacks aimed at its staff and adding, “The leaked credentials did not put WHO systems at risk because the data was not recent. However, the attack did impact an older extranet system, used by current and retired staff as well as partners. WHO is now migrating affected systems to a more secure authentication system.”
The FBI, often the lead agency in investigating cybersecurity incidents affecting U.S. institutions and people, has declined to comment.
The age of the underlying data set suggests that many of the passwords no longer worked. Many businesses and government agencies, including U.S. federal agencies, limit the damage from leaked credentials by using multi-factor authentication, which requires a temporary code or a physical token in addition to a password when accessing a computer system. That protection applies only where it is enforced: WHO’s statement that an older extranet was affected and is being migrated to a more secure authentication system illustrates the gap a legacy login path can leave.
SITE traced the spread of the emails and passwords to the text-paste site Pastebin on April 19. Links and references to the credentials soon spread to 4chan, 9chan, Discord, Twitter and Telegram, powered in part by neo-Nazi and white supremacist groups. Twitter reported removing links directing users to the files.
Far-right extremists have swapped tips on how to hack into the targeted institutions and urged harassment of their personnel, SITE reported. The extremist groups also have used the posting of credentials as fodder for more conspiracy theories about the spread of covid-19.
One poster on 9chan, popular with political extremists, wrote using an anti-Chinese slur as he described sharing hacked email addresses from the Wuhan Institute of Virology, located in the Chinese city where the virus is thought to have first been passed to human beings. Another poster on 9chan, an anonymous forum, discussed a planned “visit to the Gates Foundation,” which has donated large sums to combating the pandemic and whose co-founder, tech billionaire Bill Gates, has been a leading voice advocating a comprehensive public-health response.
The Gates Foundation did not respond to requests for comment on Wednesday.
Aside from the SITE research, cybersecurity firm Prevailion reported evidence that two of the targeted institutions, the World Bank and WHO, have been subject to long-standing intrusions that could have led to their email and password lists being collected by hackers.
Prevailion, which monitors the infrastructure used by intruders, said it detected a single command-and-control server that has been receiving communications, called “beacons,” from malicious software nestled somewhere within the World Bank and WHO. The command-and-control domain was registered in 2011, and the malware involved, Ramnit, was first detected in 2010, which suggests a long-standing and relatively unsophisticated breach that neither institution has adequately addressed, said Prevailion chief executive Karim Hijazi.
“We’re dealing with really old malware, really old infrastructure,” said Hijazi. “We think that they’re still actively compromised.”
There is no direct evidence that these beacons are related to the collection of email addresses and passwords from these institutions, Hijazi said, but the nature of the infrastructure the intruders used suggests a nation-state probably is behind the intrusions Prevailion discovered.
WHO issued a statement in response to Prevailion’s findings, saying, “WHO’s internal investigation into a cyberattack last week, that resulted in 450 WHO e-mail addresses leaked online, is still ongoing but so far, the preliminary findings are that there are no traces nor evidence of Ramnit Trojan in WHO’s control systems.”
The World Bank said in a statement, “Like many large organizations, the World Bank faces cybersecurity challenges and risks, and we generally do not discuss cybersecurity issues.”
Matt Zapotosky contributed to this report.