A UN spokesman acknowledged that the organisation was breached by attackers in early 2021, and that attacks on multiple UN branches are still underway as a result of that breach. An employee login that was sold on the darknet appears to have been the source of the data breach. Between April and August, the attackers used this point of access to penetrate deeper into the UN’s networks and perform reconnaissance. The information gained from this activity appears to have been used in subsequent attacks, with at least 53 accounts being targeted.
The UN’s data leak has long-term consequences for the institution.
The UN attack started with the theft of an employee’s login and password from a darknet forum, almost certainly exposed as part of another data leak. With the first incident occurring in April, the attackers were able to walk in and immediately begin scouting the network and attempting to escalate their access. Several security experts have reported finding UN employee accounts advertised among large packs of usernames and passwords for sale on underground forums, in one case as part of a $1,000 bundle.
The first account to be compromised was for “Umoja,” a proprietary project management programme used by the United Nations. An outside security firm has since observed the attackers carrying out reconnaissance and launching new attacks, with the most recent attempt occurring on August 7. According to the UN, however, the attackers have yet to cause any damage.
The outside security firm Resecurity discovered and reported the breach to the UN, and there is considerable disagreement between the two regarding exactly what was taken. According to the UN, the attackers merely took screenshots of the internal network. Resecurity, which was turned down by the UN when it offered assistance, claims to have proof that information was stolen in the breach. Since the breach began, at least 53 UN accounts have been targeted in follow-on attacks, according to Resecurity. According to CNN, “multiple” additional security firms identified the breach and sought to notify the UN, but the UN maintains that it had already detected the issue and was taking steps to mitigate it before any other parties contacted it.
The initially compromised Umoja account did not have multi-factor authentication enabled; according to the Umoja website, that option was only introduced when the service migrated to Microsoft Azure in July, too late to help the UN in this case.
Given that it is one of the world’s top targets for hackers and faces regular attacks from advanced operators, the UN has a particular need for cutting-edge cybersecurity. Many of these attacks go unnoticed, but the organisation has recently faced several high-profile incidents. In 2018, Russian hackers alleged to be state-backed launched an attack in retaliation for the Organization for the Prohibition of Chemical Weapons’ investigation into the use of a nerve agent in a political assassination attempt against a former spy living in Salisbury. An attack in 2019 exploited a known weakness in Microsoft SharePoint to compromise the UN’s core network infrastructure, and the incident was only revealed to the public when confidential reports were leaked to The New Humanitarian in early 2020. After the article was published, the UN acknowledged that its Geneva and Vienna offices had been hacked. In early 2021, Sakura Samurai researchers uncovered a data breach at the UN Environment Programme (UNEP) that exposed around 100,000 confidential employee records via unprotected Git folders.
The data breach at the United Nations has taught us some valuable lessons.
Trevor Morgan, product manager at data security experts comforte AG, sees this incident as yet another example of the need for sophisticated cybersecurity not being pursued with the urgency it deserves:
“The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities.”
There are a variety of conventional security measures that might have been implemented in this situation to offer layers of preventative protection: standard use of multifactor authentication, automated tool installation, promotion of a security culture, tokenization, encryption, and so on. What more could be said to the UN to make a difference, if it is not already aware of the need to defend against nation-state hackers and is not already making good faith efforts to keep up?
According to Neil Jones, Cybersecurity Evangelist at Egnyte, the fact that organisations frequently fall behind the threat landscape is a direct contributor to the recent surge in cybercrime.
“Unfortunately, far too often methods and tools are being employed that don’t meet the security and control needs of an organization, particularly a large Non-Government Organization like the UN. Security should be viewed as way more than a checklist … The reality is that all content and communications are vulnerable without proper data governance, and it is imperative that organizations protect the data itself. This type of security incident occurs regularly, particularly in decentralized settings like the United Nations and the mission-critical systems they use to communicate with hundreds of global nation-states on a daily basis. If secure file collaboration tools with suspicious log-in capabilities are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and grind activities to a halt, the systems themselves would have been inaccessible to outsiders, and the valuable data would have remained protected.”
The UN data leak also brings to light a simple step that is all too frequently overlooked: better management of staff credentials. Multifactor authentication aside, the original breach would not have occurred if the accounts of former or inactive workers had been routinely deactivated. Regularly monitoring for the appearance of stolen credentials on the darknet, combined with prompt password resets for affected users, can help limit the harm caused by leaks that involve current employees’ accounts.
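The two controls described above, routine deactivation of departed or dormant accounts and a sweep of the account inventory against a leaked-credential dump, as a small added example that is not part of the original article or of any UN system. The account records, the reference date, the field names and the dump format are all constructed for illustration; a reset-time check against the same dump is included so that a user cannot simply re-set a password that has already been leaked for them.

```python
"""Credential-hygiene sweep: flag departed or dormant accounts for deactivation, accounts
seen in a leaked-credential dump for a forced reset, and accounts still lacking MFA.
Added example; every record below is constructed, not real data."""
import hashlib
from datetime import date, timedelta

TODAY = date(2021, 8, 31)  # constructed reference date for the sweep

# Constructed account inventory (hypothetical field names, not Umoja's schema).
ACCOUNTS = [
    {"user": "a.example@org.example", "last_login": date(2021, 3, 30), "employed": True, "mfa": False},
    {"user": "b.example@org.example", "last_login": date(2020, 11, 2), "employed": False, "mfa": False},
    {"user": "c.example@org.example", "last_login": date(2021, 8, 1), "employed": True, "mfa": True},
]

# Constructed stand-in for a credential bundle seen on an underground forum, one
# "email:sha1(password)" record per line. Real dumps vary; only the shape matters here.
LEAK_DUMP = """\
A.Example@org.example:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
zz.unrelated@elsewhere.example:7c4a8d09ca3762af61e59520943dc26494f8941b
"""

def parse_leak(dump):
    """Index leaked records by lower-cased email -> set of hashes; skip malformed lines."""
    index = {}
    for line in dump.splitlines():
        email, sep, digest = line.strip().partition(":")
        if sep and email:
            index.setdefault(email.lower(), set()).add(digest.lower())
    return index

def dormant_accounts(accounts, today=TODAY, max_idle_days=90):
    """Accounts to disable: the owner has left, or no login within the idle window."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(a["user"] for a in accounts if not a["employed"] or a["last_login"] < cutoff)

def password_is_leaked(user, password, leak_index):
    """Reset-time check: refuse a new password whose hash is already leaked for this user."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest()
    return digest in leak_index.get(user.lower(), set())

def sweep(accounts=ACCOUNTS, dump=LEAK_DUMP, today=TODAY):
    """One pass producing the three action lists an IAM job or helpdesk would act on."""
    index = parse_leak(dump)
    return {
        "disable": dormant_accounts(accounts, today),
        "force_reset": sorted(a["user"] for a in accounts if a["user"].lower() in index),
        "enable_mfa": sorted(a["user"] for a in accounts if not a["mfa"]),
    }
```

Matching is done on the lower-cased email only, so an account is flagged for reset whenever its identifier appears in the dump, regardless of whether the leaked hash is still current.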
Some closing remarks from Zero Security Penetration Testing. We do offer a service that scans the clearnet, deep web and darknet.
Feel free to check out our services at the top there; this attack could potentially have been prevented with a simple solution like the one Zero Security offers…