The United Nations’ European headquarters in Geneva and Vienna suffered a complex cyberattack last year that impacted dozens of servers, including systems at its human rights offices, as well as its human resources department, according to a confidential UN report obtained by The New Humanitarian.
According to the report dated 20 September, the attack started in mid-July 2019 but was only noticed one month later.
“We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant,” an alert sent to tech teams on 30 August said.
The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office, the publication said. These servers contained a range of data, including personal information about staff.
A senior UN IT official described the incident as a “major meltdown”, in which a vast amount of data was stolen. The official estimates that some 400 GB of data was downloaded, and while it is unclear what data and documents the intruders obtained, the report implies that the hackers may have accessed sensitive data, including internal documents, databases, emails, commercial information, and personal information.
When asked about the incident, UN spokesperson Stéphane Dujarric told TNH that “the attack resulted in a compromise of core infrastructure components”. The “core infrastructure” affected included systems for user and password management, system controls, and security firewalls.
“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric said.
According to the report, the attackers managed to compromise the networks by exploiting a known flaw in Microsoft’s SharePoint software, although it is not clear what kind of malware was used, or how exactly the hackers were able to maintain their presence on the infiltrated networks.
Surprisingly, despite the size and extent of the breach, the UN largely kept mum about it, leaving those affected in the dark. Employees whose data may have been impacted were told only that they needed to change their password and were not informed of the large breach, or that their personal details had been compromised. The decision not to disclose any details stems from a “cover-up culture”, the anonymous IT official who leaked the internal report told TNH.
“There is no evidence that the attack affected further locations, nor any other agencies,” the UN spokesperson said.