Sun shining behind United Nations building showing data breach

United Nations Data Breach: Hackers Obtained Employee Login From Dark Web, Are Executing Ongoing Attacks on UN Agencies

A spokesperson for the United Nations has confirmed that the organization was breached by hackers in early 2021, and that attacks tied to that breach on various branches of the UN are ongoing. The data breach appears to stem from an employee login that was sold on the dark web. The attackers used this entry point to move farther into the UN’s networks and conducted reconnaissance between April and August. Information gleaned from this activity appears to have been put to use in further attacks, with attempts made on at least 53 accounts.

UN data breach creates long-term havoc for organization

The UN hack began with acquisition of an employee username and password from a dark web forum, very likely as part of another data breach. This allowed the attackers to walk in and immediately begin scouting the network and attempting to escalate privileges, with the first incident taking place in April. A number of security researchers have reported seeing the accounts of UN employees listed among large packs of usernames and passwords sold on underground forums, in this case as part of a package going for only $1,000.

The initial account that was compromised was for proprietary project management software that the UN uses called “Umoja.” The hackers have since been observed by an outside security firm to have been reconnoitering and attempting further attacks, with the last attempt taking place on August 7. However, the UN reports that the attackers have yet to do any damage.

The data breach was detected and reported to the UN by outside firm Resecurity, and there is some debate between the two about exactly what was stolen. The UN claims the attackers have only taken screenshots of the internal network. Resecurity, which was rebuffed by the UN upon offering assistance, says that it has evidence that information has been exfiltrated in the data breach. Resecurity also claims that at least 53 UN accounts have been targeted with additional attacks since the data breach began. CNN is reporting that “multiple” other security firms detected the data breach and attempted to warn the UN about it, but the UN claims that it had already detected the breach and was taking steps to mitigate it before it was contacted by any outside parties.

The Umoja account that was originally compromised did not have multi-factor authentication enabled; the Umoja website says that the service added that option when it moved to Microsoft Azure in July, a little too late to help the UN.

The UN has a unique need for cutting-edge cybersecurity given that it is one of the world’s prime targets for hackers, and that it fields regular attacks from advanced operators. Many of these go unrecorded, but the organization has weathered some high-profile attacks in recent years. In 2018, Russian hackers thought to be state-backed attacked the Organisation for the Prohibition of Chemical Weapons in retaliation for its investigation into the use of a nerve agent for a political assassination attempt against a former spy living in Salisbury. An attack in 2019 leveraged a known vulnerability in the Microsoft SharePoint platform to breach the UN’s core network infrastructure, and only became known to the public when confidential reports were leaked to the New Humanitarian in early 2020. After publication the UN confirmed that the attack had compromised its offices in Geneva and Vienna. And in early 2021, researchers with the Sakura Samurai firm discovered a data breach at the United Nations Environmental Programme (UNEP) that exposed about 100,000 private employee records via exposed Git directories.

Lessons from UN data breach

Trevor Morgan, product manager with data security specialists comforte AG, notes this case as another illustration of the need for advanced cybersecurity not necessarily driving the implementation with the urgency that it should: “The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities.”

There are a number of standard measures that can be pointed out that would have provided layers of preventive security in this case: standard use of multifactor authentication, implementation of automated tools, promotion of security culture, tokenization, encryption, and so on. But if the UN is not already aware of the importance of defense against nation-state hackers and already making good faith attempts to keep pace, what could be said to them to make a difference?

Neil Jones, Cybersecurity Evangelist for Egnyte, notes that the fact that organizations so commonly lag behind the threat landscape is a direct contributing factor in the cybercrime boom of recent years: “Unfortunately, far too often methods and tools are being employed that don’t meet the security and control needs of an organization, particularly a large Non-Government Organization like the UN. Security should be viewed as way more than a checklist … The reality is that all content and communications are vulnerable without proper data governance, and it is imperative that organizations protect the data itself. This type of security incident occurs regularly, particularly in decentralized settings like the United Nations and the mission-critical systems they use to communicate with hundreds of global nation-states on a daily basis. If secure file collaboration tools with suspicious log-in capabilities are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and grind activities to a halt, the systems themselves would have been inaccessible to outsiders, and the valuable data would have remained protected.”

The UN data breach also highlights a particular measure that is too often overlooked, yet is a simple fix; better management of employee credentials. Even without multifactor authentication in place, the initial breach would not have happened if the accounts of former or inactive employees were routinely disabled. And regular scanning for the appearance of leaked credentials on the dark web can cut off damage from breaches that compromise the accounts of current employees, as can regular prompts to change passwords.