UN hacked: Attackers got in via SharePoint vulnerability
In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN,” The New Humanitarian reported on Wednesday.
The UN, unfortunately, did not share that discovery with the authorities, the public, or even the potentially affected staff, and we now know about it only because TNH reporters got their hands on a confidential report by the UN.
How was the UN hacked?
According to the report, the attack started in July 2019, when the attackers managed to compromise a server located at the UN Office in Vienna through CVE-2019-0604, a security hole in Microsoft SharePoint patched by Microsoft in February 2019 and subsequently widely exploited by attackers to hit a variety of targets worldwide.
The hole should have been patched by the UN IT staff within a month of the release of the patch, but wasn’t.
The attackers then moved through UN’s networks and ultimately reached systems at the UN Office in Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR), also in Geneva.
“The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office,” TNH reported.
“According to the report, the breach also grabbed ‘active directories’, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.”
The affected staff wasn’t notified that their data might have been compromised, but were just instructed to change their passwords.
The breach might not have happened if the SharePoint security vulnerability had been patched, but it’s possible and likely that the attackers would have found another way in.
After all, UN officials are targeted by attackers daily and some attacks are bound to be successful – especially when past security audits of UN systems, websites, applications, policies, etc. found them full of holes.
Why hasn’t the UN notified anyone about this?
The UN has confirmed that it had decided not to publicly disclose the breach because “the exact nature and scope of the incident could not be determined.”
As a matter of fact, the UN – as an international organization that is above national laws – does not have to report data breaches to anyone.
It is still unknown who’s behind the attack.
“In a tense geo-political climate, nation-state attacks are on the rise, and this comes as no surprise,” commented Craig Hinkley, CEO of WhiteHat Security.
“While security teams investigate which country may have launched this attack, our job as security professionals is to recognize that the threats are bigger than just one country. This is a global problem that we’re contending with, and staying ahead of nation-state attacks is fundamentally a matter of proactively taking steps and using vigilance to limit the impact of an attack.”
Oz Alashe, CEO of CybSafe, says that the unintentional disclosure of this cyber attack on such an important institution last year is concerning.
“This delay, and the fact that the UN did not report this attack to any governing authority – or even their own staff – may have put victims at unnecessary risk. Not only were staff passwords stolen, system controls and security firewalls were compromised too which could have led to the critical confidential reports falling into criminal hands,” he pointed out.
This attack could end up undermining trust in the UN – trust that they are able to keep sensitive information safe and trust that they will notify affected individuals when they fail.