Security Experts:

Connect with us

Hi, what are you looking for?



Google Says Iran-Linked Hackers Targeted WHO

Google reported on Wednesday that it continues to see attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the World Health Organization (WHO).

Google reported on Wednesday that it continues to see attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the World Health Organization (WHO).

Charming Kitten, which experts believe is sponsored by the Iranian government, is also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus. It has been active since at least 2011, mainly targeting individuals and organizations in the Middle East, United States and United Kingdom.

The latest report from Google’s Threat Analysis Group (TAG) on state-sponsored hacking and disinformation campaigns says the company has seen attacks launched by Charming Kitten against the WHO and others.

The attacks launched by Iranian hackers against WHO staff were first reported by Reuters in early April. The news agency said the attacks started on March 2 and their goal was to help the attackers obtain account passwords.

The international healthcare organization said at the time that, as far as it knew, none of the hacking attempts were successful. Iran denied the accusations.

Google has once again warned that government-backed hackers are exploiting the COVID-19 coronavirus pandemic in their attacks. Last month, the company said its security team had seen more than a dozen groups using COVID-19 lures for their phishing and malware attacks. In a separate report released in April, Google said it had been seeing millions of coronavirus-related malicious emails every day.

Google on Wednesday also reported observing new activity originating from “hack-for-hire” companies — many based in India — that have created Gmail accounts designed to appear as if they belong to the WHO.

The fake accounts targeted business leaders in the consulting, financial services, and healthcare sectors in various countries, including the US, UK, Canada, India, Slovenia, Cyprus and Bahrain.

“The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website. The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers,” Google said.

As for disinformation campaigns, the tech giant says it has removed over a thousand YouTube channels since March. The targeted channels appeared to be part of a large, coordinated campaign, and while they mostly pushed spammy, non-political content, some posted political content in Chinese.

Google regularly shares information on state-sponsored hacking operations and it alerts customers who have been targeted in these campaigns. The number of alerts sent out last year — the company sent out nearly 40,000 warnings — decreased by 25% compared to the previous year. Google reported this week that it only sent 1,755 alerts in April.

Related: Google Creates COVID-19 Grant Fund to Boost Bug Hunting

Related: Google ‘Task Force’ Fights Bad COVID-19 Ads

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.


The release of OpenAI’s ChatGPT in late 2022 has demonstrated the potential of AI for both good and bad.


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Application Security

PayPal is alerting roughly 35,000 individuals that their accounts have been targeted in a credential stuffing campaign.


WASHINGTON - Cyberattacks are the most serious threat facing the United States, even more so than terrorism, according to American defense experts. Almost half...


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...