The United Nations has released a report following an investigation into a cyber breach that one IT employee described as a “major meltdown” of its servers, and has admitted to covering up details from the media and its own staff members.
According to reports, the attack compromised United Nations offices in Vienna and Geneva, as well as the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva, Switzerland.
“Some 400GB is thought to have been exfiltrated by the hackers, including Active Directory lists of users. Although it’s unclear exactly what other info was taken, the servers in question could have provided access to sensitive details on UN employees, and commercial contract data,” according to details from The New Humanitarian reported by Phil Muncaster.
In all, 42 servers were “compromised” and another 25 machines were classified as “suspicious”, according to leaked documents.
The Office of the High Commissioner for Human Rights holds extremely sensitive information on potentially vulnerable people, such as human rights activists from countries where their activities could land them in prison, or worse.
By the looks of the leaked internal document, which has been reviewed by journalists and industry experts, the hackers exploited a Microsoft SharePoint vulnerability to gain access to the network and deployed an unknown form of malware.
It is being speculated that a nation-state could have been behind the attack, considering its sophistication and the hackers’ ability to wipe their digital footprints. “It’s as if someone were walking in the sand, and swept their tracks with a broom afterward,” one United Nations official said. “There’s not even a trace of clean-up.”
What makes this case more interesting is the response from the United Nations: officials decided to keep the breach secret from the press and even from top UN officials, leveraging diplomatic immunity to sidestep the disclosure obligations stipulated in the GDPR.
Stéphane Dujarric, a spokesperson for the United Nations, said that “as the exact nature of the scope of the incident could not be determined, [the United Nations] decided not to publicly disclose the breach.”
The same report quotes Ian Richards, president of the Staff Council at the United Nations, who said that “staff at large, including me, were not informed.”
“All we received was an email (on September 26th) informing us about infrastructure maintenance work,” he said.
The AP writes that after reviewing the documents shared by The New Humanitarian, it’s clear that “everything indicates knowledge of the breach was closely held, a strategy that information security experts consider misguided because it only multiplies the risks of further data hemorrhaging.”
Peter Micek, general counsel of the digital civil liberties non-profit organisation Access Now, said that the U.N.’s leadership made a “terrible decision” from an infosec point of view by not informing staff of the breach.
“It’s best practice to alert people, let them know what they should look out for (including phishing attacks and social engineering) and inform them of what steps are being taken on their behalf,” he said.
AP’s reporting also quotes Jake Williams, CEO of Rendition Infosec and former U.S. government hacker, who said that “the intrusion definitely looks like espionage.”
“This, coupled with the relatively small number of infected machines, is highly suggestive of espionage… the attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them.”
Rupert Colville, spokesperson for the U.N. human rights office, dismissed the severity of the attack, saying that the office “face[s] daily attempts to get into our computer systems… this time, they managed it, but it did not get very far. Nothing confidential was compromised.”
Infosecurity Magazine interviewed Joe Lareau, senior security engineer at Exabeam, who stated that “one critical step all of these entities can take now is to monitor for tactics, techniques and procedures (TTPs) specific to various state-sponsored groups.”
“Overall, we recommend building and using ‘defense in depth’ - multiple layers of controls that involve staffing, procedures, technical and physical security for all aspects of the security program,” he concluded.
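The article’s two concrete detection hooks are the roughly 400GB of data pushed out of a small set of servers and the advice to monitor for known TTPs. The following is an added example, not code from the article, the UN or any of the quoted firms, showing the simplest monitoring layer that would have surfaced such an exfiltration: per-host outbound volume compared against that host’s own history. The flow records, host names and destination addresses are constructed for the example; in practice they would come from NetFlow/IPFIX, proxy or firewall exports.

```python
"""Flag internal hosts whose outbound transfer volume jumps far above their own baseline.

Constructed example. Each flow record is a simplified tuple
(day, internal_host, destination, bytes_out). The detection logic is
generic: build a per-host baseline from prior days, then flag any host
whose outbound volume on the day under review exceeds both an absolute
floor and a multiple of its baseline, and report destinations it has
never talked to before (a second weak signal of exfiltration).
"""
from collections import defaultdict
from statistics import median

GB = 1_000_000_000

# Constructed sample flows (hypothetical hosts and RFC 5737 test addresses).
# srv-sp01 is a busy file server with a steady ~1.2 GB/day outbound.
# srv-ad01 is a directory server that normally sends ~50 MB/day.
SAMPLE_FLOWS = [
    ("2019-07-01", "srv-sp01", "203.0.113.10", 1_200_000_000),
    ("2019-07-02", "srv-sp01", "203.0.113.10", 1_100_000_000),
    ("2019-07-03", "srv-sp01", "203.0.113.10", 1_300_000_000),
    ("2019-07-01", "srv-ad01", "203.0.113.11", 50_000_000),
    ("2019-07-02", "srv-ad01", "203.0.113.11", 60_000_000),
    ("2019-07-03", "srv-ad01", "203.0.113.11", 40_000_000),
    # Day under review: srv-ad01 suddenly pushes 80 GB to a destination it has never used.
    ("2019-07-04", "srv-sp01", "203.0.113.10", 1_250_000_000),
    ("2019-07-04", "srv-ad01", "198.51.100.7", 80 * GB),
]


def daily_outbound(flows):
    """Aggregate bytes sent per host per day: {host: {day: bytes}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, host, _dst, nbytes in flows:
        totals[host][day] += nbytes
    return totals


def destinations_by_host(flows, before_day):
    """Set of destinations each host contacted on days strictly before before_day."""
    seen = defaultdict(set)
    for day, host, dst, _nbytes in flows:
        if day < before_day:
            seen[host].add(dst)
    return seen


def flag_exfil_candidates(flows, review_day, ratio=5.0, floor_bytes=10 * GB):
    """Return hosts whose outbound volume on review_day is anomalous.

    A host is flagged when its volume exceeds floor_bytes AND exceeds
    ratio * median(prior daily volumes). Hosts with no prior history are
    compared against the floor only. Results are sorted by volume, largest first.
    """
    totals = daily_outbound(flows)
    known_dsts = destinations_by_host(flows, review_day)
    findings = []
    for host, per_day in totals.items():
        today = per_day.get(review_day, 0)
        history = [b for d, b in per_day.items() if d < review_day]
        baseline = median(history) if history else 0
        if today <= floor_bytes:
            continue
        if history and today <= ratio * baseline:
            continue
        today_dsts = {dst for d, h, dst, _ in flows if d == review_day and h == host}
        findings.append({
            "host": host,
            "bytes_out": today,
            "baseline_bytes": baseline,
            "new_destinations": sorted(today_dsts - known_dsts[host]),
        })
    return sorted(findings, key=lambda f: f["bytes_out"], reverse=True)


if __name__ == "__main__":
    for finding in flag_exfil_candidates(SAMPLE_FLOWS, "2019-07-04"):
        print(f"{finding['host']}: {finding['bytes_out'] / GB:.1f} GB out "
              f"(baseline {finding['baseline_bytes'] / GB:.3f} GB/day), "
              f"new destinations {finding['new_destinations']}")
```

The two thresholds matter in opposite ways: the absolute floor keeps a quiet workstation that goes from 1 MB to 20 MB from paging anyone, while the ratio against the host’s own median keeps a legitimately busy file server from being flagged for its normal traffic. The new-destination list is what turns a volume alert into a lead an analyst can act on.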