Sophisticated hackers infiltrated and hacked United Nations networks in Geneva and Vienna last year in an apparent espionage operation that top officials at the world body kept largely quiet. The hackers’ identity and the extent of the data they obtained are not known.
Must Watch: Would you live on 3D Printed Mars for a year for $60,000?
- Hackers broke into dozens of UN servers starting in July 2019.
- A senior UN IT official called the incident a “major meltdown”.
- Staff records, health insurance, and commercial contract data were compromised.
- Staff were asked to change their passwords but not told about the breach.
- Under diplomatic immunity, the UN is not obliged to divulge what was obtained by the hackers or notify those affected.
- The attack might have been avoided with a simple patch to fix a software bug.
- Systems in Geneva and Vienna used by thousands of staff were compromised.
- A UN spokesperson says the attack triggered a rebuild of multiple systems.
- UN officials warned of major vulnerabilities years ago.
An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says dozens of servers were compromised including at the U.N. human rights office, which collects sensitive data and has often been a lightning rod of criticism from autocratic governments for exposing rights abuses.
Everything indicates knowledge of the breach was closely held, a strategy that information security experts consider misguided because it only multiplies the risks of further data hemorrhaging.
“Staff at large, including me, were not informed,” said Geneva-based Ian Richards, president of the Staff Council at the United Nations. “All we received was an email (on Sept. 26) informing us about infrastructure maintenance work.” The council advocates for the welfare of employees of the world body.
Asked about the intrusion, one U.N. official told the AP it appeared “sophisticated” with the extent of damage unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.
Subscribe to GreatGameIndia
Given the high skill level, it is possible a state-backed actor was behind it, the official said. “It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” the official added. “There’s not even a trace of a clean-up.”
The leaked Sept. 20 report says logs that would have betrayed the hackers’ activities inside the U.N. networks — what was accessed and what may have been siphoned out — were “cleared.” It also shows that among accounts known to have been accessed were those of domain administrators — who by default have master access to all user accounts in their purview.
“Sadly … still counting our casualties,” the report says.
Jake Williams, CEO of the cybersecurity firm Rendition Infosec and a former U.S. government hacker, said the fact that the hackers cleared the network logs indicates they were not top flight. The most skilled hackers — including U.S., Russian and Chinese agents — can cover their tracks by editing those logs instead of clearing them.
“The intrusion definitely looks like espionage,” said Williams, noting that the active directory component — where all users’ permissions are managed — from three different domains were compromised: those of United Nations offices in Geneva and Vienna and of the Office of the High Commissioner for Human Rights.
“This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report. “The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them.”
The U.N. is known to have been trying to patch its myriad IT systems for years, and Williams said any number of intelligence agencies from around the globe are likely interested in infiltrating it.
The hack was not severe at the U.N. human rights office, said its spokesman, Rupert Colville. “We face daily attempts to get into our computer systems,” he said. “This time, they managed, but it did not get very far. Nothing confidential was compromised.”
Clearly concerned that word of the hack could have a chilling effect on people reporting human rights violations to it, the office said in a statement issued later that it wanted to “assure all concerned parties” no sensitive information was compromised.
U.N. spokesman Stephane Dujarric said earlier Wednesday that attack was “serious,” compromised “core infrastructure components” and was contained. The earliest activity appeared to have come in July and was detected in August, he said in response to emailed questions. He said the world body does not have enough information to determine the author but added that “the methods and tools used in the attack indicate a high level of resource, capability and determination.”
Dujarric noted that the U.N. “detects and responds to multiple attacks of various level of sophistication on a daily basis.”
Peter Micek, general counsel of the digital civil liberties nonprofit AccessNow, said U.N. leadership made a “terrible decision” from an information-security standpoint by denying staff information about the breach.
This is the forgotten story of when India censured Britain as a terrorist state and almost broke the United Nations.https://t.co/BEybRHcon8
— GreatGameIndia (@GreatGameIndia) May 10, 2019
“It’s best practice to alert people, let them know what they should look out for (including phishing attacks and social engineering) and inform them of what steps are being taken on their behalf,” he said.
Otherwise, you are compounding the threat, and a missed opportunity for a teaching moment becomes an example of “intransigence and obfuscation, which is unfortunate,” said Micek, who works with U.N. human rights workers to shore up their cyber-defenses.
The internal document from the U.N. Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the sprawling Geneva and Vienna offices. Three of the “compromised” servers belonged to Human Rights agency, which is located across town from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.
The report says a flaw in Microsoft’s SharePoint software was exploited by the hackers to infiltrate the networks but that the type of malware used was not known, nor had technicians identified the command and control servers on the internet used to exfiltrate information. Nor was it known what mechanism was used by the hackers to maintain their presence on the infiltrated networks.
Security researcher Matt Suiche, the Dubai-based founder of the cybersecurity firm Comae Technologies, reviewed the report and said it appeared entry was gained through an anti-corruption tracker at the U.N. Office of Drugs and Crime.
The report mentions a range of IP addresses in Romania that may have been used to stage the infiltration, and Williams said one is reported to have some neighbors with a history of hosting malware.
Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the internet, re-write passwords and ensure the systems were clean. Twenty machines had to be rebuilt, the report says.
Richards, of the U.N. Staff Council, complained of uncertainty over the safety of U.N. networks. “There’s a lot of our data that could have been hacked, and we don’t know what that data could be,” he said.
“How much should U.N. staff trust the information infrastructure the U.N. is providing them?” Richards asked. “Or should they start putting their information elsewhere?”
GreatGameIndia is a journal on Geopolitics and International Relations. Get to know the Geopolitical threats India is facing in our exclusive book India in Cognitive Dissonance. Past magazine issues can be accessed from the Archives section.
Read the forgotten story of when India censored Britain as a terrorist state and almost broke the United Nations.