A newly released report said dozens of United Nations servers were compromised by a remote code execution Microsoft SharePoint vulnerability in July of 2019. The offices targeted were located in Geneva and Vienna and suggest an apparent espionage attack.
The attack became known when journalistic non profit organization focused on humanitarian crisis, New Humanitarian, received a leaked UN report and then shared it with the Associated Press who followed up with further investigational reporting.
Offices in three separate locations were targeted, including the UN Office at Vienna, the UN Office at Geneva, and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva.
The AP says 42 servers were compromised, and another 25 servers were suspected to be compromised. Attackers were also able to get access to the Active Directory and the attack persisted undetected for a period of time. A UN official told the AP that the attack looked “sophisticated. “The attackers cleaned up their tracks by deleting logs, which could have possibly helped forensic examiners with more clues. Some security researchers noted that nation-state actors like Russia or China have the skills necessary to modify and edit logs rather than delete them. The motive of espionage seemed more likely as it was targeted at these selected locations. The type of malware and command and control servers were unable to be identified.
“UN IT officials issued an alert to their technology staff disclosing the hacking incident on August 30, 2019. 'We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far; we assume they established their position and are dormant.
However, It took almost another month to alert staff and on Sept 26, 2019 employees were told to change their passwords but not alerted about the breach even though "staff records, health insurance, and commercial contract data were compromised.
No All Hands on Deck Alert
The failure to alert all UN employees and partners rather than going "radio silent" is very concerning. Employees and partners should be alerted to the possibility of follow on phishing and social engineering attempts especially after a compromise and remediation attempts. Hopefully this unfortunate attack and public disclosure will motivate the UN leadership to become more transparent and adopt better cybersecurity practices.
Although the UN confirmed the breach to the New Humanitarian and Associated Press, it never disclosed the breach to the public because it was not legally obligated to do so. As a diplomatic agency, it is immune from legal processes and exempt from reporting requirements to the EU or any other regulator. It is also not obliged to answer (FOI) Freedom of Information Requests.
According to the AP, “the attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric, who classified it as “serious.” As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
How much and what data was exfiltrated is not exactly known. New Humanitarian reported that "a senior UN IT official said much more data was stolen than the UN implied. Estimating that some 400 GB of data was downloaded, the official said the UN’s answers downplayed the level of the breach."
The internal report, however, lists ten other “infrastructure components” that were compromised, including printing, antivirus, and the human resources system. It also says a digital “forensics” company and Microsoft have been involved in the clean-up effort.