Hackers broke into the computer networks of the United Nations early this year, stealing a plethora of data that might be used to target UN institutions.
The hackers’ strategy for getting access to the UN network appears to be simple: they most likely used a UN employee’s stolen login and password that they bought on the dark web.
The credentials belonged to an account on Umoja, the United Nations’ proprietary project management programme. According to cyber-security firm Resecurity, which identified the breach, the hackers were able to obtain deeper access to the UN’s network from there. The hackers had access to the UN’s servers as early as April 5, and they were continuously active on the network as of August 7.
Resecurity Chief Executive Officer Gene Yoo remarked, “Establishments such as the UN happen to be a high-value mark for cyber spying operations.” “The intrusion was carried out with the intention of compromising a large number of users on the UN network for long-term intelligence gathering.”
In a year when hackers have become more aggressive, the attack is yet another high-profile incursion. This year, JBS SA, the world’s largest beef producer, was targeted by a cyber-attack that prompted the closure of operations in the United States. Colonial Pipeline Co., which operates the country’s largest gasoline pipeline, was also hit by a ransomware attack. Unlike prior breaches, whoever broke into the UN’s computer networks did not cause any damage to the organization’s systems. Instead, they acquired information about the UN’s computer networks.
Resecurity notified the UN of its most recent breach earlier this year, and worked with the UN’s security team to determine the scale of the incident. The intrusion was confined to reconnaissance, according to UN officials, and the hackers merely took screenshots while inside the network. According to Resecurity’s Yoo, after the UN received proof of stolen data, the UN stopped communicating with the company.
Two-factor authentication, a basic security measure, was not enabled on the Umoja account accessed by the hackers. The system transitioned to Microsoft Corp.’s Azure, which supports multifactor authentication, according to an announcement on Umoja’s website in July. The announcement said this change “reduces the danger of cybersecurity attacks.”
The UN didn’t respond to requests for comment.
Hackers have previously targeted the United Nations and its agencies. While investigating the use of a lethal nerve toxin on British soil, Dutch and British law enforcement prevented a Russian cyber-attack against the Organisation for the Prohibition of Chemical Weapons. According to a Forbes article, the UN’s “essential infrastructure” was penetrated in a cyber-attack in August 2019 that targeted a known vulnerability in Microsoft’s SharePoint platform. The breach was not made public until the New Humanitarian news group broke the story.
Hackers attempted to map out more information about how the UN’s computer networks are built, as well as compromise 53 UN accounts, according to Resecurity. Bloomberg News was unable to identify the hackers or determine their motivation for breaking into the UN.
As recently as July 5, Bloomberg News reviewed dark web advertisements in which users on at least three marketplaces were selling similar credentials.
The hackers’ reconnaissance may enable them to carry out future hacks or sell the information to other groups attempting to breach the UN.
“Traditionally, nation-state actors have targeted organisations like the United Nations, but as cybercriminals find new ways to monetize stolen data and access to these organisations becomes more frequently available for sale by initial access brokers, we expect to see them increasingly targeted and infiltrated by cybercriminals,” said Allan Liska, a senior threat analyst. On the dark web, Liska said he saw UN personnel’s usernames and passwords for sale.
According to Mark Arena, CEO of security-intelligence firm Intel 471, the credentials were supplied by a number of Russian-speaking cybercriminals. The UN credentials were sold to several companies for $1,000 as part of a batch containing dozens of usernames and passwords.
“We’ve witnessed many financially motivated cyber criminals selling access to the United Nations’ Umoja system since the start of 2021,” Arena added. “At the same time, these criminals were selling a diverse set of compromised credentials from a variety of institutions. We’ve seen compromised credentials sold to other cyber criminals in the past, who then carried out follow-up intrusion operations within these companies.”