30 January 2020

Leaked docs show dozens of United Nations servers hacked in apparent espionage action



The United Nations’ European headquarters in Geneva and Vienna suffered a complex cyberattack last year that impacted dozens of servers, including systems at its human rights offices, as well as its human resources department, according to a confidential UN report obtained by The New Humanitarian.

According to the report dated 20 September, the attack started in mid-July 2019 but was only noticed one month later.

“We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant,” an alert sent to tech teams on 30 August said.

The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office, the publication said. These servers contained a range of data, including personal information about staff.

A senior UN IT official described the incident as a “major meltdown”, in which a vast amount of data was stolen. The official estimates that some 400 GB of data was downloaded. While it is unclear what data and documents the intruders obtained, the report implies that the hackers may have accessed sensitive data, including internal documents, databases, emails, commercial information, and personal information.

When asked about the incident, UN spokesperson Stéphane Dujarric told TNH that “the attack resulted in a compromise of core infrastructure components”. The “core infrastructure” affected included systems for user and password management, system controls, and security firewalls.

“As part of the compromised infrastructure, lists of user accounts would have been exposed,” Dujarric said.

According to the report, the attackers managed to compromise the networks by exploiting a known flaw in Microsoft’s SharePoint software, although it is not clear what kind of malware was used, or how exactly the hackers were able to maintain their presence on the infiltrated networks.

Surprisingly, despite the size and extent of the breach, the UN largely kept quiet about it, leaving those affected in the dark. Employees whose data may have been impacted were told only that they needed to change their passwords; they were not informed of the large breach, or that their personal details had been compromised. The decision not to disclose any details stems from a “cover-up culture”, the anonymous IT official who leaked the internal report told TNH.

“There is no evidence that the attack affected further locations, nor any other agencies,” the UN spokesperson said.
