Cybercrime , Cyberwarfare / Nation-State Attacks , Fraud Management & Cybercrime

UN Kept Hacker Attacks Under Wraps

United Nations Downplays Significance of Hacks Revealed by News Agency This Week

United Nations office in Geneva (Source: Bobbsled via Flickr/CC)

The United Nations did not reveal hacks last year that compromised dozens of servers and domains and may have exposed sensitive data, including information related to human rights abuses, according to The New Humanitarian, a news agency that covers human rights issues.

See Also: Live Webinar | Cybersecurity in Healthcare Supply Chains: A CISO Perspective

The hacking incidents, which took place at three United Nations' offices in Vienna and Geneva sometime around July 2019, appear to have compromised at least 40 servers as well as several domains, according to the Wednesday New Humanitarian report, which is based on confidential UN report it obtained.

The domains included those for the United Nations offices in Geneva and Vienna and the Office of the High Commissioner for Human Rights, according to the Associated Press.

While some United Nations' officials knew about the hacking, most were kept in the dark for months until this week's news reports, the news agency says. A few staffers were told in August to change their passwords, but were not told why, according to the New Humanitarian.

Since the hacking incidents, U.N. staffers have spent weeks rebuilding servers and clearing out malicious code from the networks in Vienna and Geneva, the news agency reports.

Many of the compromised servers and domains contained data from U.N. human rights offices that track and collect sensitive data about abuses around the world, according to the news report.

At a press briefing on Wednesday, U.N. spokesperson Stephane Dujarric acknowledged the hacks but downplayed their significance.

"This particular attack that your colleagues reported on is not a landmark event," Dujarric said, according to the readout provided to Information Security Media Group. "These things - attempts to attack the U.N. IT infrastructure - happen often. The attribution of any IT attack ... remains very fuzzy and uncertain. So we are not able to pinpoint to any specific potential attacker, but it was, from all accounts, a well-resourced attack."

Vulnerability Exploited

The attack bears the hallmarks of a "significant" operation, according to the Associated Press, which also reviewed internal U.N. documents related to the hacking.

It appears that threat actors were able to take advantage of a vulnerability in Microsoft SharePoint, which is tracked as CVE-2019-0604, according to The New Humanitarian report. This flaw has been known since February 2019, when Microsoft first issued a patch for it. If left unpatched, an attacker could run arbitrary code within the SharePoint applications.

Kevin Beaumont, an independent security researcher based in the U.K. who reviewed the internal U.N. report for The New Humanitarian, has been warning about this particular SharePoint flaw ever since attackers were spotted taking advantage of it in the wild in March 2019.

SharePoint vulnerability CVE-2019-0604 from a year ago has been used to hack the UN. Three different UN agencies got owned, about 20 domain admin accounts accessed and implants on 40 servers. They didn't disclose. https://t.co/teGFqahVhK — Kevin Beaumont (@GossiTheDog) January 29, 2020

What Was Compromised?

While UN officials have kept tight lipped about the incident, the hacks remain under investigation by UN investigators and IT personnel, according to news reports.

The New Humanitarian reported that at least 400 GB of data may have been downloaded by the hackers. That may have included internal documents, databases, emails, commercial information and personal data, according to the news report.

In addition to the compromised servers and domains, the attackers appear to have swiped the passwords and credentials of several high-ranking administrators, which could have allowed the hackers to gain access to some of the most sensitive data, The New Humanitarian reports.

It also appears that the attackers were able to "wipe" internal IT logs, which helped hide their activity and makes tracing the hacking to a specific group of country more difficult, AP reports.

On Twitter, Jake Williams, president of cybersecurity consultancy Rendition Infosec, says the hacks raise significant questions about how well the U.N. security and IT teams are monitoring infrastructure.

The United Nations was hacked by... we don't know. But the attackers compromised three different domains. The attack appears to relatively unsophisticated, which raises another set of questions about monitoring. Great reporting by Jamey Keaten and @fbajak.https://t.co/YKUSUPfAFk — Jake Williams (@MalwareJake) January 29, 2020

Williams, who also reviewed some of the leaked documents, tells ISMG that the attackers showed a good deal of discipline in the number of systems that they exploited as well as the ability to move across different domains. The tools used during the hacks, however, were fairly unsophisticated but still leave the impression of a nation-state operation.

"So what it looks like is that you have a group that has better tradecraft, but some of the tooling and techniques that they used are not that sophisticated, and yet they escaped detection," Williams says. "In this case, the vulnerability was public and should have been patched, but it's the post-exploitation stuff that tells us we're dealing with a group that has more sophisticated targeting. ... What you see here is a very small number of machines compromised compared to the privileges that the hackers had, and that's why I would assess it's an espionage operation."

In a statement released Wednesday, the U.N. Human Rights Office noted that while the attackers appear to have compromised the organization's Active Directory, an internal review did not show that sensitive data was compromised.

"We are very aware of the potential effects should people gain unauthorized access to our data, and the responsibility we have, both online and offline, to protect victims, staff, partners and any individuals and groups who collaborate with us," according to the statement. "We want to assure all concerned parties that this hacking attempt did not compromise sensitive information within this office."

Other Security Incidents

U.N. agencies have previously been targeted by hackers.

In 2016, for instance, the UN's Montreal-based International Civil Aviation Organization, which oversees civilian aviation standards, was compromised by a group called "Emissary Panda," which has ties to the government of China, according to CBC.

A report released by Palo Alto Networks' Unit 42 in May 2019 found that hackers associated with Emissary Panda had been attempting to install webshells on SharePoint servers to compromise government agencies in the Middle East. The analysts found that this group was looking to exploit CVE-2019-0604, which is the same vulnerability used in the hacking of the United Nations' offices.

Lessons Learned

While the United Nations may dispute how much or what data may have been compromised during this recent hack, a lesson for CISOs from the incident is that leaving software vulnerabilities unpatched remains the easiest way for attacker to gain a foothold within a networks, says Ray Kelly, principal solutions architect at security firm WhiteHat.

" With the information disclosed thus far, the vulnerability was an unpatched SharePoint vulnerability," Kelly tells ISMG. "So, this is not going to be a case of a sophisticated hack, it was simply exploiting an already known vulnerability."