Earlier this year, cybercriminals gained access to United Nations (UN) networks using stolen credentials. 

According to Bloomberg, the threat actors stole a trove of data that could be used to target agencies within the intergovernmental organization. 

“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to that are linked to the earlier breach.”

Cybersecurity firm Resecurity reportedly discovered the breach as early as April 5, 2021, and the attackers were still active on the organization’s networks as of August 7, 2021. Researchers then notified the U.n. of the breach. 

“This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented,” Dujarric added. “At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.”

Bloomberg reports that the credentials used to breach UN’s systems belonged to an account on the UN’s proprietary project management software, called Umoja. Attackers were then able to gain access.  

Saumitra Das, CTO and Cofounder at Blue Hexagon, explains, “Initial access via credentials purchased from the dark web is now becoming standard modus operandi. So much so that we now have Initial Access Brokers (IABs) who specialize in just that and then sell off that access to other entities like ransomware affiliates or state-sponsored groups.”

Das says, “Usually, organizations are too focused on the perimeter, and once the attacker is inside, there is little visibility on-premises and in the cloud. Organizations need to focus on both endpoint and network monitoring with a well-defined approach to detection engineering to deal with these types of stealthy attacks.”

Resecurity Chief Executive Officer Gene Yoo says the actor conducted the intrusion to compromise large numbers of users within the UN network for further long-term intelligence gathering.

Tom Kellermann, Head of Cybersecurity Strategy at VMware and member of the U.S. Secret Service’s Cyber Investigations Advisory Board, says the UN breach is a massive intrusion of global government entities. “[This] is the latest example of the rising threat of island hopping we’re seeing from sophisticated attackers. This method is used to conduct espionage while infiltrating deep into organizations and networks, which could be extremely damaging in the lead up to the annual meeting of heads of state at the UN.”