Cyber analysts have linked Iranian hackers to a recent phishing campaign targeting World Health Organisation (WHO) staff.

The campaign has seen the personal email accounts of WHO staff hit with phishing emails from what appeared to be Google platforms that redirected users to malicious websites, according to Reuters.

“We’ve seen some targeting by what looks like Iranian government-backed attackers targeting international health organisations generally via phishing,” said one of the news organisation’s sources.

Earlier this year, Iranian hackers were tipped to become a continuing threat in cyberspace in response to escalating tensions between the Middle Eastern nation and the US which lead to Iran firing missiles at US military bases in neighbouring Iraq.

Iran, however, denied any involvement in the targeting of WHO staff by bad actors.

“These are all sheer lies to put more pressure on Iran,” a spokesperson for Iran’s ICT minister said.

“Iran has been a victim of hacking.”

Spokesperson for the WHO, Tarik Jasarevic, confirmed the phishing campaign but could not attribute them.

“To the best of our knowledge, none of these hacking attempts were successful,” he added.

A person familiar with US intelligence suggested to Reuters that the state-based hackers could be trying to get their hands-on information about how other countries are managing the coronavirus, including response plans, treatments, or infection rates.

Last month, images were revealed showing the expansion of Iranian cemeteries – purportedly as a mass grave site for coronavirus victims.

At the time of writing, Iran has more than 58,000 confirmed cases of COVID-19 and 3,600 deaths from the disease.

Increased activity

The latest phishing campaign follows reports from last month that an advanced persistent threat (APT) group had been targeting the WHO.

Cybersecurity expert, Alexander Urbelis, first picked up on the ongoing attack when he noticed hackers creating a website that impersonated the WHO’s email system.

“I realised quite quickly that this was a live attack on the World Health Organization in the midst of a pandemic,” he told Reuters.

The attack Urbelis spotted was initially attributed to DarkHotel, an APT group which cybersecurity researchers have been tracking for more than a decade.

There is no connection between DarkHotel and Iranian state actors, but WHO CISO, Flavio Aggio there had been “a big increase” in the number of attacks on the health authority.

“There are no hard numbers, but such compromise attempts against us and the use of [WHO] impersonations to target others have more than doubled,” he said.

Exploiting COVID-19

Coronavirus has become a common bait for bad actors who have been looking to exploit heightened interest in the pandemic to deliver malicious payloads or gain login credentials.

Emails appearing as advisory notifications about the coronavirus have previously been linked to APT groups linked to China.

Cyber intelligence analyst, Ben Read, previously told Information Age that malicious actors are preying on our desire for the latest news and information about COVID-19.

“People are interested in this right now, people are nervous about it, so people will open a document that’s promising new information,” Read said.

“And anything that people are likely to open will be used by malicious actors to install malware.”

Hackers have also been mimicking WHO documentation, leading the organisation to recently publish a page on its website warning people how to spot dodgy correspondence.