Hackers compromised dozens of United Nations (UN) servers last summer in an attack which the world body kept a secret from its own employees, according to a new report.
The attack began in mid-July 2019 in what one senior UN IT official called a “major meltdown,” affecting servers in UN offices in Vienna and Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva.
Some 400GB is thought to have been exfiltrated by the hackers, including Active Directory lists of users. Although it’s unclear exactly what other information was taken, the servers in question could have provided access to sensitive details on UN employees and to commercial contract data, according to The New Humanitarian.
The OHCHR in particular handles highly sensitive data on human rights activists which could land subjects in deep trouble with governments back home.
According to an internal report on the incident seen by AP, the hackers exploited a Microsoft SharePoint vulnerability to access the UN network, although the type of malware used is unknown, as is the location of the C&C servers used to exfiltrate the data. It’s also unclear how the attackers maintained a presence on the network once inside.
Most controversially, the UN seems to have used its diplomatic immunity to keep the incident a secret, despite it raising serious questions under the GDPR.
Staff were told only to reset their passwords, but not why, it is claimed.
“As the exact nature and scope of the incident could not be determined, [the UN offices] decided not to publicly disclose the breach,” said UN spokesperson Stéphane Dujarric.
The level of sophistication involved and the motivation for striking at the heart of the UN’s human rights efforts indicate a nation-state actor, according to experts.
Traditional cybersecurity measures may not be successful against nation-state hackers, meaning organizations must focus on detection and response, according to Joe Lareau, senior security engineer at Exabeam.
“One critical step all of these entities can take now is to monitor for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups,” he added.
“Overall, we recommend building and using ‘defense in depth’ — multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program.”
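As an added, illustrative example of the detection-focused monitoring the experts quoted above recommend (this is not code from the article, from the UN, or from Exabeam), the following Python script aggregates outbound byte counts per host from constructed firewall log lines and flags any host whose daily egress far exceeds an assumed learned baseline, noting how much of that volume moved during quiet hours and to which destinations. The log format, hostnames, IP addresses and baseline figures are all constructed for the example; a bulk transfer on the scale reported here would stand out sharply in such a per-host volume view.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample egress log lines (not from the UN incident).
# Format: timestamp src_host dst_ip bytes_out
SAMPLE_LOG = """\
2019-07-15T02:10:11Z fileserver-01 203.0.113.10 52428800
2019-07-15T02:11:40Z fileserver-01 203.0.113.10 78643200
2019-07-15T02:13:05Z fileserver-01 203.0.113.10 94371840
2019-07-15T03:30:00Z build-agent-09 203.0.113.10 1048576
2019-07-15T09:00:02Z workstation-17 198.51.100.5 120000
2019-07-15T09:05:44Z workstation-17 198.51.100.5 98000
2019-07-15T09:07:10Z dc-02 198.51.100.5 4096
"""

# Hypothetical per-host daily outbound baselines in bytes, assumed to have been
# learned from prior weeks of normal traffic. build-agent-09 has no baseline.
BASELINE_BYTES = {
    "fileserver-01": 20 * 1024 * 1024,
    "workstation-17": 500_000,
    "dc-02": 100_000,
}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse_log(text):
    """Yield (timestamp, src_host, dst_ip, bytes_out) tuples; skip malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m.group(2), m.group(3), int(m.group(4))


def find_anomalies(records, baselines, multiplier=5.0, quiet_hours=range(0, 6)):
    """Return one alert per (host, day) whose outbound volume exceeds
    multiplier x baseline. Hosts with no baseline are always surfaced rather
    than silently ignored. Each alert records how many bytes moved during the
    quiet hours, when bulk transfers are least likely to be noticed."""
    totals = defaultdict(int)
    quiet = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in records:
        key = (host, ts.date())
        totals[key] += nbytes
        if ts.hour in quiet_hours:
            quiet[key] += nbytes
        dests[key].add(dst)

    alerts = []
    for key, total in sorted(totals.items()):
        host, day = key
        base = baselines.get(host)
        if base is not None and total <= multiplier * base:
            continue  # within the expected envelope for this host
        alerts.append({
            "host": host,
            "day": day.isoformat(),
            "bytes_out": total,
            "ratio": None if base is None else total / base,
            "quiet_hour_bytes": quiet[key],
            "destinations": sorted(dests[key]),
            "reason": "no baseline for host" if base is None else "egress above baseline",
        })
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(parse_log(SAMPLE_LOG), BASELINE_BYTES):
        print(alert)
```

The multiplier and quiet-hour window are tuning knobs; in practice the baseline would be recomputed regularly from clean history, and the alert would be enriched with the destination's reputation and the host's role before an analyst sees it.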