Hackers breached the United Nations network in July by exploiting a Microsoft SharePoint vulnerability, according to reports. The breach, which appears to be an espionage operation, reportedly gave the hackers access to an estimated 400 GB of sensitive data.
The breach was swept under the rug by the U.N. until this week, when an internal document outlining the hack was leaked by The New Humanitarian, a global news agency focusing on human rights stories. According to the confidential document, at least 42 U.N. servers were compromised in Geneva and Vienna, potentially exposing staff personnel data and sensitive documents for other organizations collaborating with the U.N.
“Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report… implies that internal documents, databases, emails, commercial information and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals and organisations communicating with and doing business with the U.N.,” Ben Parker, with The New Humanitarian, said on Wednesday.
According to the Associated Press, which also viewed the internal document, the breach stemmed from an exploit of a flaw in Microsoft’s SharePoint software. This remote code-execution vulnerability (CVE-2019-0604) was patched in March — however, the U.N. reportedly did not update its systems.
The Hack
Servers in three separate locations were compromised: the U.N. office at Vienna; the U.N. office at Geneva; and the U.N. Office of the High Commissioner for Human Rights (OHCHR) headquarters, also in Geneva.
While the specific data that was compromised is unclear, the document implies that staff records, health insurance and commercial contract data were compromised. The hack also impacted the U.N. human rights office, which collects data that’s used for exposing human rights abuses. The document also reportedly suggests the hack most seriously affected the U.N.’s office in Geneva, which includes 1,600 staff working in a range of political and development units, including those focused on Syrian peace talks, the humanitarian coordination office (OCHA) and the Economic Commission for Europe.
In a statement sent to Threatpost, the U.N. said that no sensitive data was accessed in the data breach. It said that once it became aware of the attack, it took action to shut down the affected development servers.
“Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information,” according to the U.N.’s statement. “The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system.”
The type of malware utilized, and the command and control (C2) servers used to exfiltrate data, is unknown. The identity of the hackers, as well as the extent of the data collected, is also unknown. However, the security experts that Threatpost talked to said that the attack was likely launched by a sophisticated threat actor.
“Given the fact that it would be so heavily targeted, it is unfortunate that the U.N. appears to not have the basic security hygiene in place to ward off commodity threats, let alone state-backed actors,” said Richard Gold, head of security engineering at Digital Shadows. “Having confidence that you have fully evicted a threat group from a network is hard to come by, especially when the fundamentals of network security are not in place.”
Lack of Alert
Senior U.N. officials did not notify anyone – even their own staff – about the breach. U.N. staff members were only asked to change their passwords.
While most organizations are held to regulatory standards that require them to disclose data breaches, like the GDPR, the UN has diplomatic immunity, meaning that it is not obliged to divulge what was obtained by the hackers or notify those affected.
However, security experts like Kevin Beaumont are decrying the agency’s secrecy around the data breach.
“I don’t know what the culture is at the U.N., but they probably need to pivot to more transparency for cybersecurity, this would have been a non-story and benefit to all if they had been open about the issue,” said Beaumont on Twitter.
I don’t know what the culture is at the UN but they probably need to pivot to more transparency for cybersecurity, this would have been a nonstory and benefit to all if they had been open about the issue.
— Kevin Beaumont (@GossiTheDog) January 30, 2020
The New Humanitarian said that the decision not to notify impacted parties – even its own staff personnel – marks a “breach of trust” for all involved.
“No matter what exactly was exposed, the decision not to notify all the people or organizations whose data may have been compromised – including U.N. staff – risks damaging trust in the U.N. as an institution, and so its effectiveness, according to human rights and privacy analysts.”
The U.N. is constantly being targeted by cybercriminals. For instance, in October, researchers said that a mobile-focused phishing campaign was targeting the body. And earlier this month, researchers said that the operators behind Emotet had taken aim at U.N. personnel in a targeted attack.
“The news that the United Nations was the victim of an advanced persistent threat (APT), likely state-sponsored, for the purposes of espionage, is not all that surprising,” Rui Lopes, engineering and technical support director at Panda Security, told Threatpost. “The U.N. maintains critical data at a global scale that multiple states and organizations would like to have their hands on, and this level of sophistication is indicative of that purpose.”