The organization admits experiencing sophisticated cyberattacks after media leaked details.

Though the UN spends millions in dubious IT contracts, their servers and systems are totally insecure and endanger e.g. human rights defenders and persecuted refugees en masse on a daily basis.

At a glance: Key findings

  • Hackers broke into dozens of UN servers starting in July 2019.
  • A senior UN IT official called the incident a “major meltdown”.
  • Staff records, health insurance, and commercial contract data were compromised.
  • Staff were asked to change their passwords but not told about the breach.
  • Under diplomatic immunity, the UN is not obliged to divulge what was obtained by the hackers or notify those affected.
  • The attack might have been avoided with a simple patch to fix a software bug.
  • Systems in Geneva and Vienna used by thousands of staff were compromised.
  • A UN spokesperson says the attack triggered a rebuild of multiple systems.
  • UN officials warned of major vulnerabilities years ago.

By  - 30. 

The United Nations (UN) is regarded as an all-talk-no-action organization primarily because of its utter failure in protecting the developing world from destruction at the hands of dictators and superpowers. However, it seems that the organization is as helpless in its internal matters as it is towards world issues.

According to the UN’s internal confidential report, the organization was the target of a “sophisticated” cyberattack in 2019. Reportedly, the organization is still trying to find out the extent of data loss and the identities of the hackers. The UN report was apparently leaked to The New Humanitarian and The Associated Press (AP) was able to access it from there.

As per the details of the attack shared by AP, a group of hackers exploited a vulnerability in Microsoft SharePoint and used unidentified malware to access the UN’s servers in its Vienna and Geneva offices and the office of the UN High Commissioner for Human Rights.

The human rights office is where sensitive data related to human rights abuse is collected and stored. The attack occurred in July 2019 and resulted in compromising the organization’s “core infrastructure components.” The offices have a total of 4,000 employees.

The AP reported that during the espionage operation, dozens of servers were compromised. Furthermore, it is most likely that the hacker behind the spying campaign was state-sponsored. What’s most disturbing is the fact that the organization chose not to disclose details of the attack until the AP and The New Humanitarian obtained internal documents and reported about it.

As per a UN spokesperson, the nature and scope of the attack haven’t been determined yet and it was the UN’s decision to not disclose the security breach publicly.

In a comment to HackRead, Craig Hinkley, CEO, WhiteHat Security, said “In a tense geo-political climate, nation-state attacks are on the rise, and this comes as no surprise. These attacks have the potential to cause serious havoc to systems around the world, often targeting critical infrastructure like power grids and industrial control systems, as well as government agencies.”

“With the focus of today’s headlines on the United Nations, it appears the international entity has been targeted with malware that was potentially leveled through an application vulnerability in MS SharePoint. For years, these app vulnerability attacks have successfully disrupted operations and leaked sensitive information,” Craig pointed out.

“While security teams investigate which country may have launched this attack, our job as security professionals is to recognize that the threats are bigger than just one country. This is a global problem that we’re contending with, and staying ahead of nation-state attacks is fundamentally a matter of proactively taking steps and using vigilance to limit the impact of an attack.”

“WhiteHat Security has the resources, technology, and services to help the U.N. and other agencies defend against sophisticated cyberattacks like this one. We’re actively partnering with the public sector to defend against rising nation-state attacks by offering our dynamic application security testing (DAST) and an entry-level static application security testing (SAST) solution to agencies at no charge.”

Former US government hacker Jake Williams assessed the attack and concluded that it seems like an espionage operation in which hackers were able to evade detection by deleting the logs that could have stored information about their intrusion.

It is reported that the hackers downloaded approx. 400GB of data, which includes sensitive employee-related information. However, the exact contents of the hacked database are as yet unknown to the organization. The organization has asked its employees to change their passwords and the targeted systems have been reinforced as well.

Author:

Waqas

ECOTERRA Intl. had informed UNON and the UN oversight already in 2017 and 2018 of serious flaws, but received no proactive response, which is why from then onwards the organization refused to communicate with UN agencies like the UNHCR through their email servers, their WhatsApp numbers or SMS, if details had to be transmitted in human rights cases.

 

---

EXCLUSIVE: The cyber attack the UN tried to keep under wraps

“If there are no consequences for the [UN] agencies for failures like these … there will be more breaches.”

By Ben Parker - 29. January 2020

 

About this investigation:
While researching cybersecurity last November, we came across a confidential report about the UN. Networks and databases had been severely compromised – and almost no one we spoke to had heard about it. This article about that attack adds to The New Humanitarian’s previous coverage on humanitarian data. We look at how the UN got hacked and how it handled this breach, raising questions about the UN’s responsibilities in data protection and its diplomatic privileges.

GENEVA

The UN did not publicly disclose a major hacking attack into its IT systems in Europe – a decision that potentially put staff, other organisations, and individuals at risk, according to data protection advocates.

On 30 August 2019, IT officials working at the UN’s Geneva offices issued an alert to their tech teams about a hacking incident:

'We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant.'

The complex cyber attack on UN networks in Geneva and Vienna had started more than a month earlier but was only just being fully uncovered.

Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached, according to a confidential UN report obtained by The New Humanitarian. The breach is one of the largest ever known to have affected the world body.

The cyber attack – unreported until TNH’s investigation – started mid-July, according to the report. Dated 20 September, the report flags vulnerabilities, describes containment efforts, and includes a section titled: “Still counting our casualties”.

The incident amounted to a “major meltdown”, according to a senior UN IT official familiar with the fallout, who spoke to TNH on condition of anonymity. This official provided TNH with the August 2019 alert above and several other alerts related to the breach.

In response to questions from TNH, the UN confirmed it had kept the breach quiet.

“The attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric, who classified it as “serious”. “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”

Staff were asked to change their passwords, but were not told of the large breach or that some of their personal data may have been compromised. The “core infrastructure” affected included systems for user and password management, system controls, and security firewalls.

No matter what exactly was exposed, the decision not to notify all the people or organisations whose data may have been compromised – including UN staff – risks damaging trust in the UN as an institution, and so its effectiveness, according to human rights and privacy analysts.

Sean McDonald, a lawyer and specialist in the use of IT in international development, reviewed the report for TNH and said failing to notify others meant the UN either had “a fundamental misread of the seriousness of what’s just happened, or it is a professionally irresponsible way to handle an issue of that magnitude”.

“You can’t be a global governance body and not be accountable for holding yourself to a professional standard,” he said.

Informed by TNH about the contents of the report, David Kaye, the UN’s special rapporteur on freedom of expression, said the UN has a special responsibility to secure its sensitive data and inform those affected, a position he articulated in a 2015 study on digital security.

The UN’s diplomatic status gives it “immunity from every form of legal process”, and it is – unlike most US and European firms – under no legal obligation to report the breach to a regulator or the public. It is also not subject to Freedom of Information requests.

The lack of reporting stems from a “cover-up culture”, the UN IT official said: “This breach might impact many actors... there is a responsibility to proceed and report.”

What’s the damage?

The breach affected dozens of servers in three separate locations: the UN Office at Vienna; the UN Office at Geneva; and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva. These servers hold a range of data, including personal information about staff.

Asked who was notified about the attack, Dujarric mentioned that only internal IT teams and the chiefs of the UN Office at Geneva and the UN Office at Vienna had been informed.

What data was copied and downloaded elsewhere is unclear.

Asked what was copied by the intruders, Dujarric replied: “As part of the compromised infrastructure, lists of user accounts would have been exposed.”

The report, however, lists 10 other “infrastructure components” that were compromised, including printing, antivirus, and the human resources system.

Dujarric confirmed “it was possible for the intruders to view data on the compromised server” in the Vienna office. The same was true for the OHCHR servers in Geneva but they only contained “non-sensitive” dummy information, he said. A spokesperson for the OHCHR said that its 'Active Directory' listing of internal users was also extracted by the intruders.

Dujarric did not elaborate about the third affected network: the UN Office at Geneva.

Asked if the incident was now fully contained, the UN spokesperson replied: “Multiple workshops and assessments have been conducted to verify that the exploited vulnerabilities have been mitigated.”

The senior UN IT official said much more data was stolen than the UN implied. Estimating that some 400 GB of data was downloaded, the official said the UN’s answers downplayed the level of the breach. The “user lists” were key to the network and “once you’ve got privileged access, you’ve got into everything”, they said.

The UN is a natural target for state-sponsored hacking, but news about major breaches is rare, as is firm attribution about who is responsible.

The UN IT official said the 2019 hack was deeper and more significant than an incident in 2016, when hackers – allegedly from the Chinese government-linked group dubbed Emissary Panda – gained access to the records of about 2,000 staff at the UN’s aviation agency, according to the Canadian Broadcasting Corporation.

Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report seen by TNH implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organisations communicating with and doing business with the UN.

The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office. According to the report, the breach also grabbed “active directories”, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.

The report, prepared by the UN Office at Geneva in the midst of containment efforts, suggests the cyber attack most seriously affected their office, which houses 1,600 staff working in a range of political and development units, including Syria peace talks, the humanitarian coordination office (OCHA), and the Economic Commission for Europe.

“There is no evidence that the attack affected further locations, nor any other agencies,” Dujarric added.

A digital “forensics” company and Microsoft have been involved in the clean-up effort, according to the IT official.

[Timeline: Selected UN cybersecurity incidents, 2019-2020]

The Geneva UN Office of the High Commissioner for Human Rights “faces regular cyber attack attempts,” its spokesperson said. Ben Parker/TNH

Breach of trust

For human rights activists, state-based hacking and online spying is a persistent threat that can lead to arrests or intimidation.

A spokesperson for OHCHR said via email: “OHCHR faces regular cyber attack attempts, and we are constantly monitoring to safeguard the integrity of our computer systems and the data they hold.”

Mohammed al-Maskati, a Bahraini human rights activist who has worked alongside OHCHR, said the incident and its handling may make some organisations hesitant to share information.

“It is surprising and disappointing that this kind of big organisation, collecting such sensitive information, is not taking care of its procedures,” he said.

Victims and activists can face surveillance and eavesdropping, imprisonment, and even torture by their governments in reprisal for working with the UN’s human rights office, according to the OHCHR’s own report.

Attempted cyber attacks against the UN are occasionally revealed by technology firms. Microsoft, for example, told a US court last year that North Korea-linked hackers were trying to gather login details of UN officials, in a practice known as phishing.

If sensitive data has fallen into the wrong hands, individuals and organisations should be given a chance to tighten up their personal security and adjust their plans, said al-Maskati, the Middle East digital protection coordinator for NGO Front Line Defenders.

Furthermore, if personal information was accessed, the UN’s approach would appear to go against its advice to others.

“Enterprises should notify their customers once they become aware of personal data breaches that may have affected their rights,” according to a major UN report: ‘The right to privacy in the digital age’.

In many countries, government departments, corporations, and non-profits whose systems have been hacked are required to report the breaches to authorities.

In the EU, for example, the General Data Protection Regulation (GDPR) requires that any individual put at “high risk” by a security breach should be informed without delay, as should the national regulator.

Researcher Linnet Taylor, associate professor at Tilburg Law School, said a desire to sweep bad news under the carpet is “normal in every sector – which is why we make laws to prevent it”.

Taylor, who studies the use of data by international organisations, said the UN sits "outside the framework of laws developed around the world to deal with this problem, and [has] therefore not had to develop processes for transparency about breaches”.

“Expecting any large and powerful organisation to self-regulate and behave perfectly ethically is not realistic,” she added.

Keeping the incident under wraps could undermine trust in the UN’s work, said Gus Hosein, executive director of Privacy International, after reading the report obtained by TNH.

“Financial institutions, hospitals, and even intelligence agencies have all had breaches in recent years – and we only know this because they informed us,” said Hosein. “There are at least consequences to their failures.”

Too little, too late?

Over recent years, the UN has been trying to tighten up its cybersecurity, after an “unacceptable level of risk” was recognised by an audit in 2012. A new strategy adopted in 2013 promised “urgent action” to improve network security and to monitor intrusions.

Kaye, the UN special rapporteur on freedom of expression, told TNH he would find a breach “shocking but not surprising”, adding that, in his view, the UN should have invested more in cybersecurity at the OHCHR given the “high stakes for victims and advocates”.

Under its IT czar, Atefeh Riazi, the UN has slimmed the numbers of data centres, websites, and applications it runs, updating email, security, and other infrastructure. It has also moved more systems from in-house to commercial providers and the Cloud.

The reforms involved some 4,000 IT staff, nearly 600 locations, and some $1.7 billion of annual spending across the UN’s secretariat and field missions. But progress was mixed, according to a 2018 review. An audit found that a project to check the security of 1,462 UN websites and applications flopped: only one website had been properly assessed.

Dujarric said the UN had “implemented a comprehensive containment, mitigation and recovery plan” in response to this latest hacking incident. “This included rebuilding significant elements of the infrastructure, and replacement of keys and credentials,” he said.

Dujarric said a UN cybersecurity action plan had been endorsed in December 2019. “Additional technical and procedural controls have been implemented to further strengthen information security for the affected offices,” he added.

Posters about cyber security in the office of the UN Special Envoy for Yemen in Amman, Jordan, 9 January 2020. Ben Parker/TNH

How they did it

The attack began thanks to a basic error. Hackers were able to get into a server in Vienna because its software had not been updated. The severe flaw in the Microsoft SharePoint system allows an attacker to bypass the login process and issue system-level commands. After it was discovered by security researchers, Microsoft provided a fix on 25 April.

According to UN policy, IT staff should have installed the update – or “patch” – within a month. Dujarric, the UN spokesperson, confirmed that had not happened.

From that starting point, the hackers navigated within the UN’s networks, reaching the UN Office at Geneva on 15 July and the OHCHR headquarters later that month.

Given the number of SharePoint sites in large institutions, security researcher Kevin Beaumont had predicted in May: “I think this will be one of the biggest [vulnerabilities] in years.” After reviewing the UN report, he said “Organisations need to urgently review their patching of this SharePoint vulnerability, as it represents an open window at many organisations worldwide still.”

Once inside the UN’s network, attackers gained domain administrator access to affected offices, staffed by 4,000 people, and compromised at least 42 servers in Geneva and Vienna, according to the report. Another 25 servers may have also been affected. Although like-for-like comparisons are inexact, the total could represent five percent of the UN’s total number of 679 servers, according to a 2017 global inventory.

The vulnerability known as “CVE-2019-0604” has been exploited to attack Middle Eastern governments and US municipalities, according to cybersecurity researchers and the FBI.

Who was behind the attack?

At the request of TNH, cybersecurity researcher Kevin Beaumont reviewed the report and said the attack “has the hallmarks of a sophisticated threat actor”.

“Threat actors” can run from a disgruntled employee to a superpower’s intelligence operation, as described in this Canadian government briefing. “Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination,” it explains.

Long a target of spies and hackers – even by its own account, the UN has often been subjected to highly sophisticated attacks, both on- and off-line. WikiLeaks documents, for example, detailed US attempts to gather the DNA of the UN’s top official.

In this case, the UN said it didn’t have enough information to attribute responsibility for the attack.

Analysts and human rights groups say this attack highlights the threats the institution faces, and a need to tighten up its cybersecurity given the growing volume, range, and sensitivity of the data it holds.

Taylor, the data researcher, questioned the appropriateness of diplomatic immunity.

“The UN has privileges and immunities only in relation to its mission,” she said. “They are supposed to guard it from political challenges.” In the case of a data breach, she added, “it is hard to imagine how the privileges and immunities might come into play.”

Hosein, the executive director of Privacy International, hoped revelations about the incident and the way it was handled might have a salutary effect on UN cybersecurity.

“If there are no consequences for the [UN] agencies for failures like these, they will build more problematic systems, and there will be more breaches, and nobody will ever know,” he said.

For Taylor, if such incidents continue to be covered up, things may not improve. “Without transparency,” she said, “no one will be motivated to push for change.”

Authors: bp/pd/ag

Ben Parker - Senior Editor/TNH (formerly IRIN)

Contact: WhatsApp/Signal/SMS: +44 7808 791 267

===

UN hacked: Attackers got in via SharePoint vulnerability

By Zeljka Zorz -

In summer 2019, hackers broke into over 40 (and possibly more) UN servers in offices in Geneva and Vienna and downloaded “sensitive data that could have far-reaching repercussions for staff, individuals, and organizations communicating with and doing business with the UN,” The New Humanitarian reported on Wednesday.

The UN, unfortunately, did not share that discovery with the authorities, the public, or even the potentially affected staff, and we now know about it only because TNH reporters got their hands on a confidential report by the UN.

How was the UN hacked?

According to the report, the attack started in July 2019, when the attackers managed to compromise a server located at the UN Office in Vienna through CVE-2019-0604, a security hole in Microsoft SharePoint patched by Microsoft in February 2019 and subsequently widely exploited by attackers to hit a variety of targets worldwide.

The hole should have been patched by the UN IT staff within a month of the release of the patch, but wasn’t.

The attackers then moved through UN’s networks and ultimately reached systems at the UN Office in Geneva and the UN Office of the High Commissioner for Human Rights (OHCHR), also in Geneva.

“The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office,” TNH reported.

“According to the report, the breach also grabbed ‘active directories’, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.”

The affected staff weren’t notified that their data might have been compromised; they were just instructed to change their passwords.

The breach might not have happened if the SharePoint security vulnerability had been patched, but it’s possible and likely that the attackers would have found another way in.

After all, UN officials are targeted by attackers daily and some attacks are bound to be successful – especially when past security audits of UN systems, websites, applications, policies, etc. found them full of holes.

Why hasn’t the UN notified anyone about this?

The UN has confirmed that it had decided not to publicly disclose the breach because “the exact nature and scope of the incident could not be determined.”

As a matter of fact, the UN – as an international organization that is above national laws – does not have to report data breaches to anyone.

It is still unknown who’s behind the attack.

“In a tense geo-political climate, nation-state attacks are on the rise, and this comes as no surprise,” commented Craig Hinkley, CEO of WhiteHat Security.

“While security teams investigate which country may have launched this attack, our job as security professionals is to recognize that the threats are bigger than just one country. This is a global problem that we’re contending with, and staying ahead of nation-state attacks is fundamentally a matter of proactively taking steps and using vigilance to limit the impact of an attack.”

Oz Alashe, CEO of CybSafe, says that the unintentional disclosure of this cyber attack on such an important institution last year is concerning.

“This delay, and the fact that the UN did not report this attack to any governing authority – or even their own staff – may have put victims at unnecessary risk. Not only were staff passwords stolen, system controls and security firewalls were compromised too which could have led to the critical confidential reports falling into criminal hands,” he pointed out.

This attack could end up undermining trust in the UN – trust that they are able to keep sensitive information safe and trust that they will notify affected individuals when they fail.

Author:

Zeljka Zorz

Zeljka Zorz - Managing Editor, Help Net Security

===

Leaked Report Shows United Nations Suffered Hack

By Associated Press - 29. January 2020

The United Nations has been hacked.

An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by The Associated Press, says that dozens of servers were “compromised” at offices in Geneva and Vienna.

The United Nations building in Vienna, Austria.

Those include the U.N. human rights office, which has often been a lightning rod of criticism from autocratic governments for its calling-out of rights abuses.

One U.N. official told the AP that the hack, which was first detected over the summer, appeared “sophisticated” and that the extent of the damage remains unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.

The level of sophistication was so high that it was possible a state-backed actor might have been behind it, the official said.

There were conflicting accounts about the significance of the incursion.

“We were hacked,” said U.N. human rights office spokesman Rupert Colville. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”

The breach, at least at the human rights office, appears to have been limited to the so-called active directory - including a staff list and details like e-mail addresses - but not access to passwords. No domain administration’s account was compromised, officials said.

The United Nations headquarters in New York as well as the U.N.’s sprawling Palais des Nations compound in Geneva, its European headquarters, did not immediately respond to questions from the AP about the incident.

Sensitive information at the human rights office about possible war criminals in the Syrian conflict and perpetrators of Myanmar’s crackdown against Rohingya Muslims was not compromised, because it is held in extremely secure conditions, the official said.

The internal document from the U.N. Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the sprawling United Nations offices in Geneva and Vienna. Three of the “compromised” servers belonged to the Office of the High Commissioner for Human Rights, which is located across town from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.

Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, re-write passwords and ensure the systems were clean.

The hack comes amid rising concerns about computer or mobile phone vulnerabilities, both for large organizations like governments and the U.N. as well as for individuals and businesses.

Last week, U.N. human rights experts asked the U.S. government to investigate a suspected Saudi hack that may have siphoned data from the personal smartphone of Jeff Bezos, the Amazon founder and owner of The Washington Post, in 2018. On Tuesday, the New York Times’s bureau chief in Beirut, Ben Hubbard, said technology researchers suspected an attempted intrusion into his phone around the same time.

The United Nations, and its human rights office, is particularly sensitive, and could be a tempting target. The U.N. High Commissioner for Human Rights, Michelle Bachelet, and her predecessors have called out, denounced and criticized alleged war crimes, crimes against humanity and less severe rights violations and abuses in places as diverse as Syria and Saudi Arabia.

Dozens of independent human rights experts who work with the U.N. human rights office have greater leeway - and fewer political and financial ties to the governments that fund the United Nations and make up its membership - to denounce alleged rights abuses.

Jake Williams, CEO of data firm Rendition Infosec and former U.S. government hacker, said of the U.N. report: “The intrusion definitely looks like espionage.”

He noted that accounts from three different domains were compromised. “This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report.

“The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them,” he added.

The U.N. document highlights a vulnerability in the software program Microsoft Sharepoint, which could have been used for the hack.

Matt Suiche, a French entrepreneur based in Dubai who founded cybersecurity firm Comae Technologies, said that based on the report from September: “It is impossible to know if it was a targeted attack or just some random internet scan for vulnerable SharePoints.”

But the U.N. official, speaking to The Associated Press on Tuesday, said that since then, the intrusion appeared sophisticated.

“It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” the official said. “There’s not even a trace of a clean-up.”

UN hacked in apparent espionage operation: report

By Associated Press - January 29, 2020

GENEVA — Sophisticated hackers infiltrated UN offices in Geneva and Vienna last year in an apparent espionage operation, and their identity and the extent of the data they obtained are not clear.

An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by the Associated Press, says dozens of servers were compromised including at the UN human rights office, which collects sensitive data and has often been a lightning rod of criticism from autocratic governments for exposing rights abuses.

Asked about the report, one UN official told the AP that the hack appeared “sophisticated” and that the extent of the damage remained unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.

The skill level was so high it was possible a state-backed actor might have been behind it, the official said.

“It’s as if someone were walking in the sand and swept up their tracks with a broom afterward,” the official said. “There’s not even a trace of a clean-up.”

There were conflicting accounts, however, about the severity of the incursion.

“We were hacked,” UN human rights office spokesman Rupert Colville said. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”

Colville’s statement appeared to contradict the leaked September report, however. It says logs that would have betrayed the hackers’ activities inside the UN networks — what was accessed and what may have been siphoned out — were “cleared.” It also shows that among accounts known to have been accessed were those of domain administrators — who by default have master access to all user accounts in their purview.

Jake Williams, CEO of the cybersecurity firm Rendition Infosec and a former US government hacker, said the fact that the hackers cleared the network logs indicates they were not top flight. The most skilled hackers — including US, Russian and Chinese agents — can cover their tracks by editing those logs instead of wiping them clean.

“The intrusion definitely looks like espionage,” said Williams, noting that the active directory component — where all users’ permissions are managed — from three different domains were compromised: those of United Nations offices in Geneva and Vienna and of the Office of the High Commissioner for Human Rights.

“This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report. “The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them.”

Any number of intelligence agencies from around the globe are likely interested in infiltrating the UN, said Williams.

UN spokesman Stephane Dujarric said the attack “resulted in a compromise of core infrastructure components” and was “determined to be serious.” The earliest detected activity related to the intrusion occurred in July and it was detected in August, he said in response to emailed questions.

He said the world body does not have enough information to determine who might have been behind the incursion, but added “the methods and tools used in the attack indicate a high level of resource, capability and determination.

“The damage related to this specific attack has been contained and additional mitigation measures implemented,” Dujarric wrote. “Nevertheless the threat of future attacks continues and the United Nations Secretariat detects and responds to multiple attacks of various level of sophistication on a daily basis.”

The internal document from the UN Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the sprawling Geneva and Vienna offices. Three of the “compromised” servers belonged to the Human Rights agency, which is located across town from the main UN office in Geneva, and two were used by the UN Economic Commission for Europe.

The report says a flaw in Microsoft’s SharePoint software was exploited by the hackers to infiltrate the networks but that the type of malware used was not known nor had technicians identified the command and control servers on the internet used to exfiltrate information.

Security researcher Matt Suiche, a French entrepreneur based in Dubai who founded the cybersecurity firm Comae Technologies, reviewed the report and said it appeared entry was gained through an anti-corruption tracker at the UN Office of Drugs and Crime.

The report mentions a range of IP addresses in Romania that may have been used to stage the infiltration and Williams said one has some neighbors with a history of hosting malware.

Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local UN data center from the Internet, re-write passwords and ensure the systems were clean. Twenty machines had to be rebuilt, the report says.

The hack comes amid rising concerns about computer or mobile phone vulnerabilities, both for large organizations like governments and the UN as well as for individuals and businesses.

Last week, UN human rights experts asked the US government to investigate a suspected Saudi hack that may have siphoned data from the personal smartphone of Jeff Bezos, the Amazon founder and owner of The Washington Post, in 2018. On Tuesday, the New York Times’s bureau chief in Beirut, Ben Hubbard, said technology researchers suspected an attempted intrusion into his phone around the same time.

The United Nations, and its human rights office, is particularly sensitive and could be a tempting target. The UN High Commissioner for Human Rights, Michelle Bachelet, and her predecessors have called out, denounced and criticized alleged war crimes, crimes against humanity and less severe rights violations and abuses in places as diverse as Syria and Saudi Arabia.

Dozens of independent human rights experts who work with the UN human rights office have greater leeway – and fewer political and financial ties to the governments that fund the United Nations and make up its membership – to denounce alleged rights abuses.

Ian Richards, president of the Staff Council at the United Nations, said: “There’s a lot of our data that could have been hacked and we don’t know what that data could be.” That includes, for example, staff in the office of the special envoy for Syria carrying out sensitive investigations and human rights staffers interviewing witnesses.

“How much should UN staff trust the information infrastructure the UN is providing them?” Richards asked. “Or should they stop putting their information elsewhere?”

---

Clarification of circumstances surrounding hacking of OHCHR systems

GENEVA (29 January 2020) - The UN Human Rights Office would like to clarify some details in light of news reports today about a cyber-attack on the UN which involved our office.

Although hackers accessed a self-contained part of our system in July 2019, the development servers they accessed did not hold any sensitive data or confidential information.* The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices. However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system.

Once we became aware of the attack, we took action to shut down the affected development servers.

The UN Human Rights Office takes breaches of security extremely seriously. We are very aware of the potential effects should people gain unauthorised access to our data, and the responsibility we have, both online and offline, to protect victims, staff, partners and any individuals and groups who collaborate with us. We want to assure all concerned parties that this hacking attempt did not compromise sensitive information within this Office.

Like many other institutions and companies, we face frequent attempts to access our computer systems, and our IT team is constantly further reinforcing existing multifaceted safeguards to preserve the integrity of our systems and the data they hold.  

* Development servers are systems on which new software is written by programmers using dummy data. They are not connected to our regular systems.

==

UN confirms it suffered a 'serious' hack, but didn't inform employees

Approximately 4,000 employees may have had their data compromised.

By Igor Bonifacic - 29. January 2020 


The United Nations was the victim of a massive, likely state-sponsored hacker attack this past summer, according to reports from The New Humanitarian and Associated Press. To make matters worse, the organization didn't disclose the details and severity of the hack until those publications obtained an internal document on the situation.

Sometime this past July, a group of hackers took advantage of a flaw in Microsoft's SharePoint software and an unknown type of malware to gain access to dozens of servers at the UN's Geneva and Vienna offices, as well as the Office of the United Nations High Commissioner for Human Rights (OHCHR). The three offices employ approximately 4,000 staff between them.

"The attack resulted in a compromise of core infrastructure components," a spokesperson for the UN told The New Humanitarian. "As the exact nature and scope of the incident could not be determined, [the UN] decided not to publicly disclose the breach."

After reading over the report, Jake Williams, a former hacker for the US government, told the Associated Press, "the intrusion definitely looks like espionage." The hackers reportedly attempted to cover their tracks by deleting the logs that would have documented their entry into the UN's servers. "It's as if someone were walking in the sand, and swept up their tracks with a broom afterward," an anonymous UN official told the publication. "There's not even a trace of a clean-up."

The hackers reportedly downloaded approximately 400GB of data. The servers they breached contained sensitive employee information, but it's not clear exactly what they were able to download. The UN doesn't know the full extent of all the damage yet. Sometime after the attack happened, it told employees to change their passwords but didn't share full details on the situation.

This isn't the first time the UN has failed to disclose a cyberattack. In 2016, Emissary Panda, a group with ties to the Chinese government, accessed servers from the International Civil Aviation Organization. The UN only shared information about the breach after the Canadian Broadcasting Corporation reported on it. According to The New Humanitarian, the UN's unique diplomatic status means it doesn't have to disclose data breaches like other government agencies in the US and EU, something that puts it at odds with cybersecurity best practices.

News of the attack also comes at a time when state-sponsored cyberattacks have seemingly become more brazen. Last week, The Guardian reported that the phone of Amazon CEO Jeff Bezos was hacked by a WhatsApp account associated with Saudi crown prince Mohammed bin Salman. A day after the report came out, the UN called for an investigation into the hacking.


Anonymous creates pro-Taiwan page inside UN website

Anonymous hacks into UN website to promote Taiwan's inclusion

By Keoni Everington - 05. February 2020

(Screenshot of page created by Anonymous)


TAIPEI (Taiwan News) — The decentralized international hacktivist group Anonymous has apparently hacked into a United Nations (UN) website and created a page that supports Taiwan, a country which was removed from the organization in favor of Communist China in 1971.

On Tuesday (Feb. 4), Reddit user hubahuba111, who has recently posted many hacks by Anonymous into the UN, uploaded a link to a hacked page with the caption "Thanks to Anonymous Taiwan is back at UN again!" The group has apparently created a new page on the server for the United Nations Department of Economic and Social Affairs.

The new page has a black background crowned with the telltale emblem for Anonymous, a black suit and a question mark. Beneath the emblem, the words "TAIWAN NUMBAH WANNNN!!" continuously scroll across the screen, in reference to a famous quote uttered by video game streamer AngryPug in 2015.

Next is the Taiwan flag, the party emblem of the Kuomintang (KMT), and the green, pro-Taiwan independence banner. Below the flags and symbols is a YouTube video that plays Taiwan's national anthem and the closing number for the Marvel Studios film "Avengers: Endgame" titled "It's Been a Long, Long Time."

Amazingly, in the 14 hours since the link was posted on Reddit, the UN has failed to take down the Anonymous page. Reddit users on the Taiwan subreddit praised the hacktivists for standing up for the country:

"Okay, this is epic."

"We have never left. It would be nice to get official recognition. But we have always been there."

"I like how they put both KMT and DPP flags in there."

"'Taiwan numbah wannnn' LOL"

"Awesome. Fully support taking advantage of the confusion of the virus crisis."

In the event that the UN finally manages to take down the page, an archived version posted by Reddit users will linger in perpetuity.

