United Nations building with flags showing the UN data breach from unpatched SharePoint vulnerability
UN Admits Data Breach From Unpatched SharePoint Vulnerability by Byron Muhlberg

UN Admits Data Breach From Unpatched SharePoint Vulnerability

A journalistic investigation by The New Humanitarian based on leaked documentation from the United Nations (UN) reveals that the global organization had suffered a major data breach that began in July 2019. The attack made use of a Microsoft SharePoint vulnerability to compromise the UN’s entire European IT system — leaving staff information, commercial contract data, and health insurance data exposed to hackers in its wake.

In total, the breach targeted information held on 42 servers belonging to three UN branches: the UN Office at Vienna, the UN Office at Geneva, and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters, also housed in Geneva.

Only limited information has so far been disclosed by the UN on the subject, prompting concerns over secrecy and a potential cover-up. In spite of the limited information, however, the data breach is widely speculated as having been among the worst in the organization’s history, with one UN official in the IT department allegedly having referred to the incident as a “major meltdown.”

SharePoint vulnerability exploited by ‘threat actors’

Although details about the data breach are still being investigated, new information suggests that the attackers managed to compromise the UN’s IT system by exploiting a flaw in Microsoft’s SharePoint software. According to The New Humanitarian, the SharePoint vulnerability could have been mitigated had the software merely been kept updated — an action which would have reduced the inevitability of data breach in the first place.

The hackers’ use of a Microsoft SharePoint vulnerability, which was uncovered after the Associated Press (AP) viewed the leaked UN document, was confirmed as the manner in which data breach was initiated. However, the precise malware the hackers used is not yet known.

As a result of the SharePoint vulnerability, the report suggests that the hackers managed to get away with as much as 400 gigabytes worth of sensitive information, compromising the personal information of around 4,000 staff members, as well as corporate and political information relating to UN operations. The data breach was able to occur in the first place as a result of the targeted hacking of several UN infrastructure components; including its human resources, printing, and antivirus systems.

In spite of this, however, there has so far been limited information concerning exactly how the attackers had managed both to infiltrate the networks using the SharePoint vulnerability, as well as how they had managed to maintain presence on them over a period of time.

Although UN and Microsoft technicians are reportedly in the process of analysing the SharePoint vulnerability data breach and taking major steps to prevent its reoccurrence, the complex nature of the data breach stands in testament to the sophistication of the attackers responsible.

UN security history

Largely due to its political prominence, the UN has suffered several major cyber-attacks in the past years, raising questions around the organization’s ability to respond to such events and the level of transparency with which it treats digital threats.

In November 2016, for example, cybercriminals operating under the name ‘Emissary Panda’ — a known espionage group with alleged links to the Chinese government — successfully hacked into the UN’s International Civil Aviation Organization (ICAO) servers in Montreal, Canada. There they gained access to around 2,000 staff records, compromising sensitive information in the process. The UN later went on to attempt a cover up of the incident by downplaying its true extent, according to a report by CBC at the time.

This came a year after the UN had committed its efforts toward securing digital information and sensitive data, after a 2015 Human Rights Council report showed that the organization had been lacking in this area. The report went on to recommend that the UN take bigger steps to inform those who had been affected in the event of a data breach.

More than a mere data breach

The UN’s susceptibility to cybercrime and propensity toward downplaying its extent does not come without its broader consequences.

Unlike most governments and corporations around the world, the UN is not obliged by any legal framework do disclose information about data breaches — not even to those directly affected. Under the General Data Protection Regulation (GDPR), for example, new guidelines exist in Europe which oblige corporations to immediately disclose any breach of personal data with those who are affected. The United Nations, by contrast, is subject to no such regulation due to its intergovernmental nature, and relies instead on self-regulation.

When things go wrong, the manner in which the organization handles its affairs becomes subject to an understandable degree of scrutiny. In this way, a lot rests on the line when it comes to the United Nations, especial concerning its credibility as an institution.

As CEO of CybSafe Oz Alashe explains, the manner in which officials handled the recent cyberattack could negatively impact the trust placed in the UN, especially considering it is intended to be an organisation “centred around opening lines of communication and diffusing political situations.”

“Reporting data breaches is key in protecting victims and learning from mistakes,” Alashe adds.

#Hackers took away 400 gigabytes worth of data from recent UN #databreach that compromised information of 4,000 staff and its operations. #respectdata Click to Tweet

In this way, the issue which rests at the heart of the UN’s response to the recent cyberattack is an issue of transparency. If an intragovernmental body of the stature and importance of the UN continue to supress information about such attacks when they occur — they will doubtlessly continue to place their institutional credibility at risk for years to come.