A United Nations spokesperson confirmed that the organization was violated by hackers in early 2021 and that attacks related to that violation against various branches of the UN were ongoing. The data breach appears to stem from an employee login that was sold on the dark web. The attackers used this entry point to dig deeper into UN networks and carried out reconnaissance between April and August. The information gleaned from this activity appears to have been used in other attacks, with attempts made on at least 53 accounts.
UN data breach creates long-term havoc for the organization
The UN hack began with the acquisition of an employee username and password on a dark web forum, most likely as part of another data breach. This allowed attackers to enter and immediately begin exploring the network and attempting to increase privileges, with the first incident occurring in April. A number of security researchers have reported seeing UN employee accounts listed among large packs of usernames and passwords sold on underground forums, in this case as part of a package costing only $ 1000.
The original account that was compromised was for proprietary project management software that the UN uses called “Umoja”. The hackers have since been observed by an outside security company as having carried out reconnaissance and attempted new attacks, with the latest attempt on August 7. However, the UN reports that the attackers have not caused any damage yet.
The data breach was detected and reported to the UN by outside firm Resecurity, and there is debate between the two as to what exactly was stolen. The UN says the attackers only took screenshots of the internal network. Resecurity, which was rejected by the UN after offering to help, says it has evidence that information was leaked during the data breach. Resecurity also claims that at least 53 UN accounts have been the target of additional attacks since the start of the data breach. CNN reports that “several” other security companies detected the data breach and attempted to alert the UN, but the UN says it had already detected the breach and was taking steps to mitigate it before it did so. be contacted by third parties.
Multi-factor authentication was not enabled on the initially compromised Umoja account; Umoja’s website says the service added this option when it moved to Microsoft Azure in July, a bit too late to help the UN.
The United Nations has a unique need for advanced cybersecurity as it is one of the main global targets of hackers and regularly responds to attacks by advanced operators. Many of them are unregistered, but the organization has withstood high-profile attacks in recent years. In 2018, Russian hackers believed to be state-backed attacked the Organization for the Prohibition of Chemical Weapons in retaliation for its investigation into the use of a nerve agent for a political assassination attempt. against a former spy living in Salisbury. An attack in 2019 exploited a known vulnerability in the Microsoft SharePoint platform to violate the UN’s core network infrastructure, and only became public knowledge when confidential reports were leaked to the New Humanitarian early on. of 2020. After the publication, the UN confirmed that the attack compromised its offices in Geneva and Vienna. And in early 2021, researchers at the Sakura Samurai Company discovered a data breach at the United Nations Environment Program (UNEP) that exposed around 100,000 private employee records through exposed Git directories.
Lessons from the UN data breach
Trevor Morgan, product manager with data security specialists comforte AG, notes this case as another illustration of the need for advanced cybersecurity that doesn’t necessarily lead to implementation with the urgency it should: “The tactically simple but successful cyberattack on United Nations computer networks, now reported as an ongoing breach with activity occurring for months, highlights two very clear points. First, if the impression of hackers is usually that of technical geniuses using brilliant attack methods and sophisticated tools to circumvent defensive measures, the reality is far from it. The majority of incidents are due to preventable human error or simple attack methods such as credential theft. Second, that cybersecurity is not just a personal issue that affects our personal personal information and sensitive financial information (although these are also key concerns). It is a matter of national security and it potentially affects all of us with the repercussions of attacks on national entities. “
We can highlight a number of standard measures that would have provided layers of preventive security in this case: standard use of multi-factor authentication, implementation of automated tools, promotion of security culture, tokenization, encryption, etc. But if the UN is not already aware of the importance of defending against nation-state hackers and is already doing a good faith effort to keep pace, what could we tell them to make a difference?
Neil Jones, cybersecurity evangelist for Egnyte, notes that the fact that organizations so often lag behind the threat landscape is a direct factor contributing to the cybercrime boom of recent years: “Unfortunately, all too often, methods and tools are used that do not meet the security and control needs of an organization, especially a large non-governmental organization like the UN. Security should be seen as more than a checklist… The reality is that all content and communications are vulnerable without good data governance, and it is imperative that organizations protect the data themselves. This type of security incident occurs regularly, especially in decentralized environments like the United Nations and the critical systems it uses to communicate with hundreds of nation-states around the world on a daily basis. If secure file collaboration tools with questionable connection capabilities are implemented correctly, they can render cybercriminal attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and shut down operations, the systems themselves would have been inaccessible to outsiders and valuable data would have remained protected.
The UN data breach also highlights a particular measure that is too often overlooked, yet is a simple solution; better management of employee credentials. Even without multi-factor authentication in place, the initial breach would not have occurred if the accounts of former employees or inactive employees had been systematically disabled. And regular analysis of the appearance of leaked credentials on the dark web can reduce the damage caused by breaches that compromise current employee accounts, as can regular prompts to change passwords.
