Connect with us

Hi, what are you looking for?



Google Says Iran-Linked Hackers Targeted WHO

Google reported on Wednesday that it continues to see attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the World Health Organization (WHO).

Google reported on Wednesday that it continues to see attacks launched by the Iran-linked threat group named Charming Kitten against medical and healthcare professionals, including employees of the World Health Organization (WHO).

Charming Kitten, which experts believe is sponsored by the Iranian government, is also tracked as APT35, Ajax Security Team, NewsBeef, Newscaster, and Phosphorus. It has been active since at least 2011, mainly targeting individuals and organizations in the Middle East, United States and United Kingdom.

The latest report from Google’s Threat Analysis Group (TAG) on state-sponsored hacking and disinformation campaigns says the company has seen attacks launched by Charming Kitten against the WHO and others.

The attacks launched by Iranian hackers against WHO staff were first reported by Reuters in early April. The news agency said the attacks started on March 2 and their goal was to help the attackers obtain account passwords.

The international healthcare organization said at the time that, as far as it knew, none of the hacking attempts were successful. Iran denied the accusations.

Google has once again warned that government-backed hackers are exploiting the COVID-19 coronavirus pandemic in their attacks. Last month, the company said its security team had seen more than a dozen groups using COVID-19 lures for their phishing and malware attacks. In a separate report released in April, Google said it had been seeing millions of coronavirus-related malicious emails every day.

Google on Wednesday also reported observing new activity originating from “hack-for-hire” companies — many based in India — that have created Gmail accounts designed to appear as if they belong to the WHO.

The fake accounts targeted business leaders in the consulting, financial services, and healthcare sectors in various countries, including the US, UK, Canada, India, Slovenia, Cyprus and Bahrain.

Advertisement. Scroll to continue reading.

“The lures themselves encourage individuals to sign up for direct notifications from the WHO to stay informed of COVID-19 related announcements, and link to attacker-hosted websites that bear a strong resemblance to the official WHO website. The sites typically feature fake login pages that prompt potential victims to give up their Google account credentials, and occasionally encourage individuals to give up other personal information, such as their phone numbers,” Google said.

As for disinformation campaigns, the tech giant says it has removed over a thousand YouTube channels since March. The targeted channels appeared to be part of a large, coordinated campaign, and while they mostly pushed spammy, non-political content, some posted political content in Chinese.

Google regularly shares information on state-sponsored hacking operations and it alerts customers who have been targeted in these campaigns. The number of alerts sent out last year — the company sent out nearly 40,000 warnings — decreased by 25% compared to the previous year. Google reported this week that it only sent 1,755 alerts in April.

Related: Google Creates COVID-19 Grant Fund to Boost Bug Hunting

Related: Google ‘Task Force’ Fights Bad COVID-19 Ads

Related: US and UK Warn of Adversaries Targeting COVID-19 Responders

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.


People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights