United Nations confirms successful cyberattack
One week after the United Nations called for an investigation into the claims that Jeff Bezos’ smartphone was hacked by Saudi Crown Prince Mohammed bin Salman, a claim that I first reported in March 2019, another investigation has revealed that the UN itself has been hacked.
Leaked report reveals UN cyberattack details for the first time
The leak of an internal UN report to investigators at The New Humanitarian shows that core infrastructure servers were compromised during a successful cyberattack last year. The report, dated September 20, 2019, was from the United Nations Office of Information and Technology. Associated Press, which has also seen the report, said that 42 servers in all were compromised and a further 25 categorized as suspicious. According to The New Humanitarian, at least some of the affected systems were at the UN human rights offices and the UN human resources department, at locations in Geneva and Vienna. The confidential report is said to show that “some administrator accounts” were breached, and staff told to change passwords. “The ‘core infrastructure’ affected included systems for user and password management, system controls, and security firewalls,” The New Humanitarian said.
Although not yet attributed, attack fingerprint suggests sophisticated APT actors
The cyberattack, which is understood to have started in July 2019, first came to light within the UN a month later, according to the reporting so far. An alert sent to UN system administrators, dated August 30, stated, “We are working under the assumption that the entire domain is compromised,” according to The Register. That same alert is quoted as saying the attacker was showing no signs of activity at the time, the assumption being “they established their position and are dormant.” The typical fingerprint of an Advanced Persistent Threat (APT) actor, in other words. APT actors are most commonly associated with nation-state hackers and cyber-espionage campaigns. It must be pointed out, however, that the leaked report did not attribute the attack to any known group or nation-state.
A known, but unpatched by the UN, Microsoft vulnerability exploited by attackers
It’s further understood that the hackers used a known vulnerability (CVE-2019-0604) in an internet-facing Microsoft SharePoint server, a web-based collaborative platform integrated with Microsoft Office. Microsoft had issued fixes for this way back in March 2019. That the vulnerability was long-since disclosed, and the software patch long-since rolled out, does not look good for an organization such as the UN. It’s precisely the kind of vulnerability, one that can be exploited remotely to bypass logins, that sophisticated threat actors employ.
UN spokesperson confirms decision not to disclose was taken
UN spokesperson Stéphane Dujarric told reporters from The New Humanitarian that “As the exact nature and scope of the incident could not be determined,” it was decided by the UN offices concerned, “not to publicly disclose the breach.” You might imagine, then, that the UN could be in deep water under the EU General Data Protection Regulation (GDPR) requirements. You would be wrong. The UN has diplomatic status and, as such, it enjoys immunity from the legal process and so is under no obligation to disclose the breach. The ethical argument for disclosing is, however, a strong one when you consider that the UN is an institution of global governance along with the International Criminal Court and the World Bank, to name some others. By not holding itself accountable to the same professional standards as it holds others, the UN dilutes its reputation. Especially when Dujarric has confirmed “lists of user accounts would have been exposed,” and it was possible for the attackers to “view data on the compromised server.” The leaked report includes antivirus and password management components amongst the compromised resources.
Threat intelligence expert calls failure to disclose a ‘really bad decision’
“When an organization like the UN, which seeks to govern nation-state behavior, calling for openness and transparency, fails to disclose such an incident, it hurts the brand spectacularly,” Ian Thornton-Trump, CISO at threat intelligence company Cyjax, says. Arguing that the UN would know that it would likely be a target of nation-state attackers, Thornton-Trump suggests that vulnerability management had to be a priority. “Given the current political climate, the contrast between public organizations and private corporations when it comes to data breach consequences is pretty stark,” Thornton-Trump says, “critics of the UN now have ample ammunition to ask what else it’s hiding?”
Jake Moore, a cybersecurity expert at security vendor ESET, said, “I believe no one should be covering up attacks in any way, shape or form. We have learnt that being open and honest about cyberattacks can in fact help the brands and organizations in the wake of these hacks and help build stronger defenses going forward.”
The decision not to publicly disclose a breach should not be an option for any organization, Thornton-Trump says: when the leak happens, and it always does, critics control the narrative. “This was a really bad decision by the UN,” Thornton-Trump concludes. Indeed, the narrative that Thornton-Trump spoke of is already underway. One senior UN official, talking to The New Humanitarian under the condition of anonymity, estimated that at least 400GB had been downloaded during the attack and that the UN response had “downplayed” the level of seriousness.
I have asked the UN for a statement and will update this article if one is forthcoming.