Sophisticated hackers infiltrated United Nations (UN) networks in Geneva and Vienna last year in an apparent espionage operation that UN top officials did not disclose.
According to The Associated Press, the hackers’ identity and the extent of the data they obtained are not known. The documents, obtained by The New Humanitarian (TNH), revealed that dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached. The breach is one of the largest ever known to have affected the world body, says TNH.
THN reveals that the cyber attack started mid-July. The report, which is dated September 20, 2019, flags vulnerabilities, describes containment efforts and includes a section titled: “Still counting our casualties."
A senior UN IT official familiar with the incident, whos poke to TNH on condition of anonymity, told TNH that the incident was a “major meltdown." The official provided TNH with the August 2019 alert and several other alerts related to the breach.
“The attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric, who classified it as “serious.” “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
According to TNH, staff were asked to change their passwords, but were not told of the data breach or that some of their personal data may have been compromised. The “core infrastructure” affected included systems for user and password management, system controls and security firewalls, says TNH.
Dr. Richard Gold, head of security engineering at Digital Shadows, says that it is not surprising that the UN is an obvious target for state-backed threat actors "due to the nature of their work and the information that they hold."
According to the report, says Gold, "the UN was breached through an unpatched vulnerability in their Microsoft SharePoint systems. It appears that the actors were successful in compromising the networks beyond the SharePoint system and exfiltrated over 400GB of data from the UN network. Given the fact that they would be so heavily targeted, it is unfortunate that the UN appears to not have the basic security hygiene in place to ward off commodity threats, let alone state-backed actors. Having confidence that you have fully evicted a threat group from a network is hard to come by, especially when the fundamentals of network security are not in place.”
“The news that the United Nations was the victim of an advanced persistent threat (APT), likely state-sponsored, for the purposes of espionage, is not all that surprising," says Rui Lopes, Engineering and Technical Support Director at Panda Security, "What may strike as surprising is the UN’s IT security strategy likely not including a strong endpoint protection posture, including data access monitoring and control as well as Threat Hunting, thus allowing bad actors to exfiltrate untold amounts of data.”
Security professionals agree that the attack was likely state-sponsored, and that they "assume that whomever is behind this is looking to identify key stakeholders and recruit them to increasingly overlook their poor behavior and to learn about sources the U.N. is using to gather information on their human rights abuses inside their countries. Sources that they intend to target, silence, and/or eliminate," says Hank Thomas, Chief Technology Officer & Board Director at SCVX.