The United Nations suffered a critical breach in its networks last year — which it subsequently tried to cover up.
The attack, which was likely orchestrated by state-sponsored actors, began in July, according to reports from The New Humanitarian and the Associated Press. A leaked internal document, obtained by The New Humanitarian and reviewed by AP, revealed the hackers compromised at least a dozen servers belonging to the UN.
The extent of the breach remains unclear, but reports suggest the hackers pulled a 400GB trove of data. The attack affected the servers of the UN’s Vienna and Geneva offices, as well as its Office of the High Commissioner for Human Rights, which collects sensitive data.
To penetrate its systems, the hackers exploited a flaw in Microsoft’s SharePoint software, using an unknown type of malware.
“The attack resulted in a compromise of core infrastructure components,” UN spokesperson Stéphane Dujarric told The New Humanitarian. “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
The reason the UN couldn’t identify the scope of the breach is the hackers deleted the activity logs. “It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” a UN official told AP under the condition of anonymity. “There’s not even a trace of a clean-up.”
The first time UN security professionals noticed the lapse in security was in late August. “We are working under the assumption that the entire domain is compromised,” UN technicians said in a memo sent on August 30, 2019. “The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.”
Unfortunately, the memo was sent solely to the UN’s tech teams. Word of the breach only got to employees later in September, when it was presented as “infrastructure maintenance work.” At the time, employees were also asked to reset their passwords.
“Staff at large, including me, were not informed,” Ian Richards, president of the Staff Council at the United Nations, told AP. “All we received was an email (on Sept. 26) informing us about infrastructure maintenance work.”
Opting to avoid disclosing security blunders is often considered a cardinal offense by experts, who argue the lack of accountability only engenders risk of further attacks. Unfortunately, The New Humanitarian says that, due to its diplomatic status, the UN is under no obligation to disclose such breaches — like governments are supposed to.
Still, that’s hardly a good reason to keep the hack under wraps.
For the record, this isn’t the first time the UN has fallen victim to attackers. Back in 2016, a group with ties to the Chinese government accessed servers owned by the UN which contained the data of nearly 2,000 staffers. The UN tried to keep this incident on the low, too, according to CBC.
I guess it’s one of those times when staying true to your “principles” isn’t necessarily a good thing.