In July 2019, the United Nations was the victim of a data breach, according to a confidential UN report obtained by The New Humanitarian. Targeting UN networks in Geneva and Vienna, the attacker was able to compromise accounts and data at dozens of servers, prompting one senior UN IT official to call it a “major meltdown,” the New Humanitarian said.
Caught up in the cyberattack were servers at the UN’s human rights offices and human resources department as some administrator accounts were breached, the New Humanitarian said. UN staffers were asked to change their passwords but were not told about the breach. The UN also decided not to publicly reveal what had happened.
The hacker infiltrated the UN servers by taking advantage of a vulnerability in Microsoft SharePoint. But Microsoft had issued a patch for that vulnerability in February and April 2019, several months before the attack occurred.
SEE: The 10 most important cyberattacks of the decade (free PDF) (TechRepublic)
In a statement shared on its website, the UN acknowledged that hackers had accessed several of its servers. However, the UN said that the servers in question were self-contained development systems that did not hold any sensitive data or confidential information.
“The hackers did manage to access our Active User Directory, which contains the user IDs for our staff and devices,” the UN said. “However, they did not succeed in accessing passwords. Nor did they gain access to other parts of the system. Once we became aware of the attack, we took action to shut down the affected development servers.”
In a briefing on Wednesday, UN spokesman Stephane Dujarric De La Riviere responded to questions from reporters about the incident.
“This particular attack that your colleagues reported on is not a landmark event,” Dujarric said. “These things…attempts to attack the UN IT infrastructure happen often. The attribution of any IT attack is… remains very fuzzy and uncertain. So, we are not able to pinpoint to any specific potential attacker, but it was, from all accounts, a well‑resourced attack.”
One reporter asked why the UN failed to disclose the attack by posing the following question:
“But why did the UN cover up this attack? Given that it was a hack on computers that carried sensitive humanitarian and human rights data, data that might involve partner organizations and aid agencies, didn’t they need to know that you’d been hacked?”
In response, Dujarric tried to explain the reason behind not publicly sharing the information:
“It was not…as I said, we’re under constant…like anyone, you know, there…attempts are made regularly. The server in Geneva that you are referring to was part of a development environment and contained non-sensitive test data from two development servers used for web application. People who needed to be notified were notified.”
SEE: Patch management policy (TechRepublic Premium)
Though the hacker hit only development servers and may not have compromised sensitive information, the attack points to two errors or missteps made by the UN. First, the organization failed to properly patch its systems and servers ahead of time. These may have been development servers, but clearly they were accessible to external hacking attempts, which means they should have been properly patched.
Second, the UN failed to disclose the breach, even shielding the information from its own staffers. Though the organization said it informed the necessary people, an attack of this nature could have affected individuals not just inside but outside the UN.
Security experts offer advice
While the UN grapples with the revelation of this attack, the matter serves as a warning to other organizations on how to prevent and deal with data breaches. To delve more into the attack and potential lessons learned, TechRepublic conducted an email conversation with Dr. Richard Gold, head of security engineering at Digital Shadows, a San Francisco-based provider of digital risk protection solutions; and Rui Lopes, engineering and technical support director at Panda Security.
TechRepublic: How was the hacker able to gain access to UN servers? I know it was through a flaw in SharePoint, but can you explain exactly how the flaw was exploited?
Gold: The flaw was a Remote Code Execution (RCE) flaw which, when successfully exploited, would allow an attacker to execute their own code, for example, malware, on the UN server.
Lopes: We know what is now in the public domain. A vulnerability was leveraged to compromise SharePoint deployments in a European site, from which lateral movement within the most of the UN network was possible with privilege escalation.
TechRepublic: Do you have any thoughts as why the UN failed to properly patch these servers?
Gold: It is believed that the SharePoint flaw was already patched (the attacks were reported in July 2019, the vulnerability was patched in February-April 2019). Lack of investment in IT services typically leads to poor security hygiene, otherwise known as “security debt” where patches have not been applied and secure configurations not made.
Lopes: The apparent culprit, the CVE-2019-0604 vulnerability, was patched by Microsoft in February 2019. Something obviously failed in the UN’s endpoint patch management strategy, which is not a trivial task, of course.
TechRepublic: Do you have any thoughts as to why the UN kept this data breach a secret?
Gold: Secrecy is often maintained for fear of alerting attackers, creating panic among staff and, sometimes, out of embarrassment.
Lopes: It’s likely that the UN may have been worried about additional, copycat attacks if they disclosed the breach, especially if their network wasn’t hardened to an adequate degree. Additionally, it’s easy to imagine a scenario where the data that was exfiltrated was so sensitive that it may damage worldwide diplomatic relations, or weaken the position of the UN on the worldwide stage.
TechRepublic: What advice do you have for organizations in terms of protecting themselves against breaches like this?
Gold: Whilst timely patching is of utmost importance, an organization’s security architecture should not be one vulnerability away from total compromise. Defense in depth, that is, multiple partially overlapping security controls, security monitoring/logging and a robust and well-tested Incident Response (IR) process are also required.
Lopes: Organizations large and small must have a strong endpoint protection posture in 2020, including data access monitoring and control, as well as threat hunting capabilities to detect malicious behavior on their network. The days of simplistic, reactive cybersecurity are in the past.
TechRepublic: And what advice do you have for companies on best practices for disclosing data breaches?
Gold: Honesty and transparency are essential for maintaining trust. Timely updates and disclosures are also required.
Lopes: Whenever possible, transparency is best. Work with your local authorities to determine the best course of action upon awareness of malicious activity on your network, and once the threat has been remediated, coordinate a response that focuses on the impact to the end users and the public. To ensure you have the proper processes in place to handle a security incident, it’s important for all businesses to have a thorough and up-to-date incident response plan.