- Hackers managed to breach forty central UN servers, stealing 400 GB of data in the process.
- The UN cited immunity to justify its decision not to disclose the incident.
- Although the organization has been investing in bolstering its security for years, those efforts have failed.
According to reports by “The New Humanitarian”, the United Nations has fallen victim to a major hacking attack that compromised its Europe-based IT systems, and the organization's officials chose to keep it secret. The attack was detected in August 2019 by the UN’s Geneva IT team, who determined that the break-in had actually happened a month earlier. Upon further investigation, UN employees discovered that the compromise had spread to 40 of their servers in Geneva and Vienna, which held important data belonging to the human resources department as well as the human rights office.
The first accounts to be compromised belonged to administrators, and from there, tapping into staff accounts was easy for the actors. The records accessed by the infiltrators include the organization's commercial contracts, staff records, health insurance details, passwords, and various business documents. According to the reports, approximately 4000 UN employees were exposed through this incident. However, the UN informed none of them that their personal data had been compromised, saying that under diplomatic immunity it was not obliged to make the incident known to anybody.
A senior UN IT official has admitted that the actors downloaded about 400 GB of data from the organization’s servers. According to experts, this attack was the work of a sophisticated threat actor, who took advantage of a bug in an unpatched software tool (SharePoint). The UN also failed to protect its systems, and to disclose the breach, in a similar occurrence in 2016. Since then, the organization has spent over $1.7 billion on reforms aiming to secure the data it holds, but several audits that followed showed that nothing has changed for the better.
Rui Lopes, the Engineering and Technical Support Director at Panda Security, has provided us with the following comment:
“The news that the United Nations was the victim of an advanced persistent threat (APT), likely state-sponsored, for the purposes of espionage, is not all that surprising. The UN maintains critical data at a global scale that multiple states and organizations would like to have their hands on, and this level of sophistication is indicative of that purpose. What may strike as surprising is the UN’s IT security strategy likely not including a strong endpoint protection posture, including data access monitoring and control as well as Threat Hunting, thus allowing bad actors to exfiltrate untold amounts of data.”
In December 2019, the United Nations endorsed a comprehensive cybersecurity action plan that introduced additional technical and procedural controls, but the effectiveness of these measures remains to be seen. The one thing that needs to change in the way the UN works is transparency: the organization should be more open instead of hiding incidents like this. Immunities are meant to protect the UN’s mission against political challenges, not to be exploited as excuses to hide grave security breaches. If the UN suffers no consequences for its failure in this field, then no one will feel any pressure to build more secure systems and manage data more responsibly.