The United Nations suffered a serious breach of servers in Geneva and Vienna last year, then chose not to disclose the internal report on the incident. The attack compromised a number of departments and gave the attackers control of several administrator accounts.
Among the departments affected were human resources and the human rights offices. The data held by the latter is highly sensitive; its exposure could well have put United Nations workers and local human rights activists at serious risk.
Details from the report have been published by the online news site The New Humanitarian, which says the report shows the attack was active for over a month. Importantly, the attackers have still not been identified. The New Humanitarian reports that the document flags vulnerabilities, describes containment efforts and includes a section titled "Still counting our casualties".
What data was lost?
The report appears to be coy about the full impact of the breach, possibly because the investigators simply do not have enough evidence. What The New Humanitarian has reported is that the attackers:
- Compromised three UN offices: Vienna, Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR).
- Exfiltrated lists of user accounts from the various offices, including the Active Directory user list from the OHCHR.
- Acquired infrastructure details on printers and anti-virus software.
- Were able to view all data on the servers.
- Stole a total of 400GB of data.
- Deleted log files to hide evidence of the attack.
- Used unpatched vulnerabilities to gain access to the systems.
Given the deleted logs and the fact that the security tools used by the UN failed to detect the attack, the full extent of the data stolen may never be known. There is also a suggestion that the attack came from state-sponsored attackers, but no attempt to name any country or group.
Diplomatic immunity should not be used to hide cyber attacks
The New Humanitarian rightly points out that the United Nations has no legal obligation to report this attack to any authorities, because its extra-territorial status grants it diplomatic immunity.
However, Morey Haber, CTO & CISO at BeyondTrust believes this is not acceptable. “In my opinion, unless the organization’s public disclosure would actually create harm in the form of national security (which this does not), there is no good reason to cover up the incident.
“In fact, the sheer fact that a Microsoft SharePoint vulnerability was exploited with such success warrants this information being shared with other agencies and should have been publicly disclosed to help others protect against the threat. I can see no good reason why this was hidden unless the data and individuals compromised had some multinational security ramifications. Some may say that due to diplomatic immunity from regulations like GDPR the UN is not required to publish the incident, however, this may be used as an excuse not to report and still does not help others protect against the threat.”
Haber continues: “I would not make the assumption that the hacker was a neophyte versus experienced. Clearing the logs may have been the only option that he/she had in order to stay persistent, versus the time and tools necessary to manually or automatically edit any indications of their activity. That is, it is so much easier to just clear log files than find everyone that might have an indicator of compromise. Regardless, in my opinion, it should have been a red flag to security teams that these logs were missing and should have sparked an investigation on its own if these were properly being monitored via a logging or security solution.”
A complete failure of controls
The New Humanitarian quotes from an email sent by a spokesperson for the OHCHR: “OHCHR faces regular cyber attack attempts, and we are constantly monitoring to safeguard the integrity of our computer systems and the data they hold.”
That statement alone raises serious questions for the United Nations cybersecurity team:
- Why were the attackers not detected through routine review of the security logs? It is known that the attackers deleted logs, and the resulting gaps should have been a red flag.
- How were they able to move across multiple systems without detection?
- Why was the UN not using behavioural analysis to detect unusual activity by the compromised administrative accounts?
- Were the vulnerabilities used by the attackers zero-day?
- Were all UN systems fully patched and checked?
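As an added illustration of the first question above, the following Python script shows the kind of automated check that would have raised those red flags. It is example code written for this article, not anything from the UN report, its investigators or Microsoft. It flags Windows Security event ID 1102 (audit log cleared) and records which accounts were active on that host in the preceding minutes, and it flags unexplained silences on a host that otherwise logs steadily, which is how deleted logs show up when no clear event survives. The host names, account names, timestamps and the pipe-separated line format are constructed for the example.

```python
"""Added example (not from the article or the UN report): two log-integrity
checks that would have flagged the breach described above.
Event IDs are real Windows Security log IDs; the sample lines are constructed."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

EVENT_LOG_CLEARED = 1102   # "The audit log was cleared"
EVENT_PRIV_LOGON = 4672    # "Special privileges assigned to new logon" (admin-level session)

# Constructed sample records: "timestamp|host|event_id|account|message".
# dc01 has its audit log cleared mid-morning; fs02 goes silent for more than a day.
SAMPLE_LOG = """\
2019-07-01T09:00:00|dc01|4624|svc_backup|logon
2019-07-01T09:05:00|dc01|4672|admin_ops|special privileges assigned
2019-07-01T09:10:00|dc01|4624|jdoe|logon
2019-07-01T09:12:00|dc01|1102|admin_ops|the audit log was cleared
2019-07-01T09:13:00|dc01|4624|jdoe|logon
2019-07-01T09:20:00|fs02|4624|admin_ops|logon
2019-07-02T14:00:00|fs02|4624|admin_ops|logon
2019-07-02T14:05:00|fs02|4624|jdoe|logon
"""


@dataclass(frozen=True)
class Record:
    ts: datetime
    host: str
    event_id: int
    account: str
    message: str


def parse_log(text: str) -> list[Record]:
    """Parse the pipe-separated lines, skipping blanks, sorted by host then time."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, event_id, account, message = line.split("|", 4)
        records.append(Record(datetime.fromisoformat(ts), host, int(event_id), account, message))
    return sorted(records, key=lambda r: (r.host, r.ts))


def find_cleared_logs(records: list[Record], lookback: timedelta = timedelta(minutes=15)) -> list[dict]:
    """Flag every audit-log-clear event together with the accounts that were
    active on that host in the window before it: they are the first suspects."""
    alerts = []
    for r in records:
        if r.event_id != EVENT_LOG_CLEARED:
            continue
        active = sorted({
            x.account for x in records
            if x.host == r.host and r.ts - lookback <= x.ts < r.ts
        })
        alerts.append({"type": "log_cleared", "host": r.host, "at": r.ts.isoformat(),
                       "account": r.account, "active_before": active})
    return alerts


def find_gaps(records: list[Record], max_gap: timedelta = timedelta(hours=1)) -> list[dict]:
    """Flag silences longer than max_gap between consecutive records on a host.
    Wiped logs leave a hole rather than an event, so this needs a separate check."""
    by_host: dict[str, list[Record]] = {}
    for r in records:                      # records are already sorted by (host, ts)
        by_host.setdefault(r.host, []).append(r)
    alerts = []
    for host, rs in by_host.items():
        for prev, cur in zip(rs, rs[1:]):
            silence = cur.ts - prev.ts
            if silence > max_gap:
                alerts.append({"type": "gap", "host": host, "start": prev.ts.isoformat(),
                               "end": cur.ts.isoformat(),
                               "hours": round(silence.total_seconds() / 3600, 2)})
    return alerts


def audit(text: str, max_gap: timedelta = timedelta(hours=1)) -> list[dict]:
    """Run both checks over a log dump and return the combined alert list."""
    records = parse_log(text)
    return find_cleared_logs(records) + find_gaps(records, max_gap)


if __name__ == "__main__":
    for alert in audit(SAMPLE_LOG):
        print(alert)
```

Two caveats a practitioner would add: the gap threshold has to be tuned per host against its normal event rate (a file server that logs every few seconds and a rarely used jump box need different values), and an attacker who disables auditing before clearing the log never generates event 1102 at all, so checks like these only work when logs are forwarded as they are written to a collector the compromised host's administrator account cannot alter.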
To understand the complexity and causes of the attack, the UN called in an external digital forensics team. Microsoft also took part in the investigation.
Enterprise Times: What does this mean
There is a lot in the report and in The New Humanitarian's coverage that is concerning; the lack of continuous monitoring of sensitive systems is just one item. The United Nations has a poor history when it comes to cybersecurity, and this incident, the report and the attempted cover-up will do nothing to improve it.
Commercial organisations are rightly concerned over the reputational damage of a breach. The UN needs to adopt that same approach. Given that one of the targets here was the OHCHR, any reputational damage could lead to a lack of future information about human rights violations. At the very least, it is likely to lead to some activists worrying about additional threats to their safety from a body that should be protecting them.