Officials at the United Nations reportedly discovered last August that hackers had compromised its IT systems in Geneva and Vienna last summer, but the cyber espionage attack remained undisclosed until it was revealed on Wednesday in an exposé by The New Humanitarian (TNH).
TNH, which once operated under the auspices of the UN Office for the Coordination of Humanitarian Affairs, learned of the incident after obtaining an internal UN alert, dated Sept. 20, 2019, which shared certain details of the hack. A copy of the alert, which was prepared by the UN Office at Geneva, was subsequently shared with the Associated Press.
The sophisticated attack reportedly affected multiple servers in the main UN offices in Geneva and Vienna, plus the UN Office of the High Commissioner for Human Rights headquarters in Geneva. Stéphane Dujarric, UN spokesperson for the secretary-general, reportedly acknowledged to TNH that the hack affected "core infrastructure components." These components reportedly included human resources, printing, antivirus, user and password management, system controls and security firewalls.
The intrusion took place in mid-July and was subsequently discovered on Aug. 30, but most staff members in the affected facilities -- roughly 4,000 staffers in total -- were not informed that their data may have been compromised. The only ones who were told were internal IT teams and the chiefs of the main Geneva and Vienna offices.
The UN is not subject to global privacy regulations such as GDPR, meaning the body can act with impunity when choosing not to disclose a breach, TNH said, citing legal experts.
The AP reported that 42 servers were confirmed as compromised, with another 25 possibly affected. It has not been confirmed precisely what data was taken or how much, although one anonymous senior UN IT official, who complained about his organization's "cover-up culture," reportedly told TNH that an estimated 400 GB of data was downloaded.
The UN's alert suggests that that internal documents, databases, emails, commercial information and personal data may have been exfiltrated, TNH reported. The attackers reportedly breached admin accounts and stole at least one Active Directory, which the UN report says likely lists out user data, human resources and health insurance systems, additional databases and network resources. Such a wealth of information could potentially be used to facilitate future targeted attacks against affected UN staffers, including as phishing emails.
In a press briefing today, Dujarric downplayed the impact of the breach. Asked why the UN didn't publicly disclose an attack on computers carrying sensitive data on humanitarian and human rights, partner organizations and aid agencies, , the spokesperson responded, "The server in Geneva that you are referring to was part of a development environment and contained non-sensitive test data from two development servers used for web application. People who needed to be notified were notified."
Earlier, TNH said that Dujarric told the publication that the UN offices opted not to disclose the breach, “as the exact nature and scope of the incident could not be determined."
"...The UN is no different from any organization or individuals. The threat of future attacks continues, and the UN… our colleagues at the Secretariat detect and respond to multiple attacks at various level of sophistication on a daily basis," Dujarric said during the press briefing. "This particular attack... is not a landmark event, he continued, noting that "attempts to attack the UN IT infrastructure happen often."
In a statement, the Office of Human Rights in Geneva acknowledged that its Active Directory was stolen, but said sensitive data wasn't affected because the hackers broke into development servers not connected to its regular systems.
"Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information," the statement read. "The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system."
"Once we became aware of the attack, we took action to shut down the affected development servers," the statement continued.
The attacker remains unknown, but Dujarric did note in his briefing that the incident was, "from all accounts, a well-resourced attack."
"The news that the United Nations was the victim of an advanced persistent threat (APT), likely state-sponsored, for the purposes of espionage, is not all that surprising," said Rui Lopes, engineering and technical support director at Panda Security. :The UN maintains critical data at a global scale that multiple states and organizations would like to have their hands on, and this level of sophistication is indicative of that purpose. What may strike as surprising is the UN's IT security strategy likely not including a strong endpoint protection posture, including data access monitoring and control as well as threat hunting, thus allowing bad actors to exfiltrate untold amounts of data."
Hank Thomas, CTO and board director at SCVX, speculated on the attacker's motive: "Both Vienna and the UN are well-known for being frequent stomping grounds for the worlds intelligence and security services. The target... suggests the perpetrator is an autocratic regime looking to see what sort of report card they are getting from the UN, with eyes on how to change their poor grades moving forward," said Thomas to SC Media. "I assume that whomever is behind this is looking to identify key stakeholders and recruit them to increasingly overlook their poor behavior and to learn about sources the UN is using to gather information on their human rights abuses inside their countries."
According to the AP, the UN report said the attackers exploited a flaw in Microsoft's SharePoint software to deliver an unknown malware. "For years, these app vulnerability attacks have successfully disrupted operations and leaked sensitive information," said Craig Hinkley, CEO at WhiteHat Security, in emailed comments.
Security researcher Matt Suiche, founder of Comae Technologies, reportedly reviewed the report and told the AP the attackers may have gotten in via an anti-corruption tracker at the U.N. Office of Drugs and Crime.
Dujarric reportedly told TNH that the UN in December 2019 agreed upon a "comprehensive containment, mitigation and recovery plan" that would require rebuilding the IT infrastructure, replacing keys and credentials and adding more technical and procedural controls.