The United Nations building in Geneva, Switzerland

United Nations admits data breach and says cyberattacks are ongoing

A United Nations (UN) spokesperson has confirmed the organisation suffered a data breach in the early months of 2021. It is believed the data breach originated from an employee login that was sold on the dark web. Having gained access to UN data and systems, the hackers moved through UN networks, with at least another 53 accounts targeted.

Another data breach likely to have been the source of UN account details

Reports indicate that the employee details were found within data from another breach. Several security researchers have reportedly said they have seen UN employee details listed in packs of usernames and passwords that sell on dark web forums. Such databases are sometimes on sale for as little as $1,000.

Having acquired the data, the hackers reportedly began working their way around UN networks, with those responsible attempting to manipulate and escalate access privileges since April.

The account the hackers used to gain access to UN systems was for the organisation’s proprietary project management software, Umoja. Since the UN became aware of the hack in April, an external security provider has analysed the hackers attempting further attacks. At the time of writing, the last attack was attempted on 7th August.

While the hackers have been persistent in trying to gain access to data, the UN says no damage has been done.

“No damage,” but a debate around what has been stolen

Notably, it isn’t clear exactly when the attack occurred, while there is also debate around who actually discovered it.

The UN says it detected the breach itself and that the hackers have only been able to take internal network screenshots. The UN has also claimed it was taking steps to deal with the data breach before being contacted by any external companies.

In contrast, several security firms reportedly detected the data breach earlier and attempted to notify the UN about it, only to be rebuffed. One firm, cybersecurity provider Resecurity, claims to have evidence that data has been stolen. Resecurity says it offered assistance to the UN but was turned down.

Lack of two-factor authentication among contributing factors to breach

One reason hackers could access UN systems with relative ease was that multi-factor authentication wasn’t enabled. Perhaps surprisingly, given the sensitivity of a lot of the data the UN holds, such a feature wasn’t even available on the Umoja platform until July, when the service migrated to Microsoft Azure.

The UN is one of the world’s prime hacking targets and regularly deals with highly sophisticated attacks from various sources. Thus, the fact the organisation has fallen victim to a breach in one of the simplest ways possible is likely to be a source of embarrassment.

This incident is the latest in a long line of attacks dealt with by the UN through the years. Whether this one becomes as high-profile as others will depend on the extent to which information is stolen and made public.

Recent incidents include:

  • A 2018 hack by suspected state-backed Russian hackers targeted the UN’s Organisation for the Prohibition of Chemical Weapons.
  • A 2019 hack exploited a known vulnerability in the Microsoft SharePoint platform to access the UN’s core network infrastructure, which led to the leaking of confidential reports the following year.
  • Earlier in 2021, a data breach at the United Nations Environmental Programme led to around 100,000 employee records being leaked.

Lessons to be learned, but how many are things we already know?

Speaking to CPO Magazine, Trevor Morgan, of data security specialist comforte, said, “The tactically simple but successful cyberattack on the United Nations’ computer networks, now being reported as an ongoing breach with activity occurring for months, accentuates two very clear points. First, that while the impression of hackers is usually of technical geniuses using brilliant attack methods and sophisticated tools to skirt defensive measures, the reality is far from it. A majority of incidents are due to preventable human error or simple methods of attack such as stolen credentials. Second, that cybersecurity isn’t just a personal issue that affects our individual PII and sensitive financial information (though these are key concerns too). It is a matter of national security and potentially affects every single one of us with the repercussions of attacks on national entities.”

Running down what the UN could have done differently reads like any cybersecurity bulletin or guide to securing systems written over the past decade:

  • Have multi-factor authentication in place
  • Use automated security tools
  • Have a robust internal security culture
  • Make use of features like tokenisation and encryption

If the UN isn’t already doing everything it can to prevent such incidents, how serious an attack would need to happen for the organisation to sit up and take notice and embrace a more proactive approach to cybersecurity?

Neil Jones of Egnyte also spoke to CPO Magazine, and said organisations not being up to speed with the cybersecurity landscape was one of the primary contributing factors behind the increase in cyberattacks in recent years.

Jones said, “Unfortunately, far too often methods and tools are being employed that don’t meet the security and control needs of an organisation, particularly a large Non-Government Organisation like the UN. Security should be viewed as way more than a checklist … The reality is that all content and communications are vulnerable without proper data governance, and it is imperative that organisations protect the data itself. This type of security incident occurs regularly, particularly in decentralised settings like the United Nations and the mission-critical systems they use to communicate with hundreds of global nation-states on a daily basis. If secure file collaboration tools with suspicious login capabilities are implemented correctly, they can render cybercriminals’ attacks ineffective. Used in a case like this where adversaries were able to infiltrate the network and grind activities to a halt, the systems themselves would have been inaccessible to outsiders, and the valuable data would have remained protected.”

Has your data been involved in a data breach involving a government or non-governmental organisation?

If so, then you could be entitled to compensation.

Contact LawPlus today for a free, no-obligation assessment of your data breach claim.

Leave a Reply