Hackers get data trove in U.N. breach

Reconnaissance, not damage, apparent goal; risks feared for some agencies

International flags fly outside the United Nations headquarters on Sept. 22, 2020. (Bloomberg photo by Jeenah Moon)

Hackers breached the United Nations' computer networks earlier this year and made off with a trove of data that could be used to target agencies within the intergovernmental organization.

The hackers' method for gaining access to the U.N. network appears to be unsophisticated: They likely got in using the stolen username and password of a U.N. employee purchased off the dark web.

The credentials belonged to an account on the U.N.'s proprietary project management software, called Umoja. From there, the hackers were able to gain deeper access to the U.N.'s network, according to cybersecurity firm Resecurity, which discovered the breach. The earliest known date the hackers obtained access to the U.N.'s systems was April 5, and they were still active on the network as of Aug. 7.

"Organizations like the U.N. are a high-value target for cyber espionage activity," Resecurity Chief Executive Officer Gene Yoo said. "The actor conducted the intrusion with the goal of compromising large numbers of users within the U.N. network for further long-term intelligence gathering."

The attack marks another high-profile intrusion in a year when hackers have grown more brazen. JBS, the world's largest meat producer, was hit by a cyberattack this year that forced the shutdown of U.S. plants. Colonial Pipeline Co., operator of the biggest U.S. gasoline pipeline, also was compromised by a so-called ransomware attack. Unlike those hacks, whoever breached the U.N. didn't damage any of its systems, but instead collected information about the U.N.'s computer networks.

Resecurity informed the U.N. of its latest breach earlier this year and worked with the organization's security team to identify the scope of the attack. U.N. officials informed Resecurity that the hack was limited to reconnaissance, and that the hackers had only taken screenshots while inside the network. When Resecurity's Yoo provided proof to the U.N. of stolen data, the U.N. stopped corresponding with the company, he said.

The Umoja account used by the hackers wasn't enabled with two-factor authentication, a basic security feature. According to an announcement on Umoja's website in July, the system migrated to Microsoft's Azure, which provides multifactor authentication. That move "reduces the risk of cybersecurity breaches," an announcement on Umoja's site read.

The U.N. didn't respond to requests for comment.

The U.N. and its agencies have been targeted by hackers before. In 2018, Dutch and British law enforcement foiled a Russian cyberattack against the Organization for the Prohibition of Chemical Weapons as it probed the use of a deadly nerve agent on British soil. Then, in August 2019, the U.N.'s "core infrastructure" was compromised in a cyberattack that targeted a known vulnerability in Microsoft's SharePoint platform, according to a report by Forbes. The breach wasn't publicly disclosed until it was reported by the New Humanitarian news organization.

In the latest breach, hackers sought to map out more information about how the U.N.'s computer networks are built, and to compromise the accounts of 53 U.N. agencies, Resecurity said. Bloomberg News wasn't able to identify the hackers or their purpose in breaching the U.N.

Bloomberg News did review dark web ads where users across at least three marketplaces were selling these same credentials as recently as July 5.

The U.N. credentials were being sold as part of a batch of dozens of usernames and passwords to various organizations for just $1,000.

The reconnaissance carried out by the hackers may enable them to conduct future hacks or to sell the information to other groups that may seek to breach the U.N.
