The well-publicized publishing of 25,000+ emails and passwords allegedly associated with the World Health Organization, the Gates Foundation and the National Institutes of Health has captured the attention of both infosec practitioner and the layman. Attribution for the discovery is credited to SITE Intelligence Group, which noted that the credentials were released April 19 and 20 and “immediately used to foment attempts at hacking and harassment by far-right extremists,” according to the Washington Post.
All three organizations are up to their eyeballs in efforts to address the COVID-19 pandemic that has enveloped the world.
Indeed, the work of western entities focused on COVID-19 has been the focus of attacks, which have been attributed to nation-states and criminals alike. These attacks have been the subject of FBI warnings to the COVID research world.
New Attack or Harvesting Previously Compromised Data?
Are these efforts related to the previously known attempts to harvest the intellectual property of others, or are we observing the efforts of an enterprising individual to provide the means for others to harass and attempt to compromise the identified entities?
Mainstream media (Washington Post, NBC News and others) describe the purported stolen login credentials as belonging to “medical researchers and non-profit employees.”
NBC News sorted the presented information thusly: “The documents constitute 277 email addresses from the Bill and Melinda Gates Foundation, 20 from the Wuhan Institute of Virology (WIV) and nearly 7,000 from the World Health Organization.”
And while the aggregated data that was let loose to the world showed a current date, deeper inspection showed some of the user ID/password combinations previously had been harvested and shared on the Dark Web, which is often associated with the criminal entities and individuals of the world.
Josh Lefkowitz, CEO of Flashpoint, in a public LinkedIn post, shared his company’s analysis of what transpired. He agreed with the aggregation theory of previously compromised emails/credentials.
The corpus consisted of 2,700 unique email accounts, he wrote, of which 96% had been seen 32,000 times in the company’s “compromised credentials dataset.” He then provided a point of origin for the aggregated emails with his assertion that 93% of the emails were included in the Dec. 5, 2017, discovery by @4I@ of 1,400,553,869 credentials (usernames/cleartext password pairs) as having been shared within the Dark Web.
An Attempt to Enter Various Emails
Neither the identity of those who posted the data nor those who made attempts to enter the email systems using previously compromised combinations have been determined. Those user ID/password combinations compromised in 2017 should have been long ago changed. Lefkowitz concluded that whoever conducted the attempt to access the various email accounts had searched through the 2017 data using gross search metrics and not finite ones.
Those who opted not to change their credentials in 2017 may have been surprised to learn their email account had visitors during the week of April 19.