UN data breach (2021)
|Date||The first reported access to the United Nations’ system was on 5 April 2021. The attackers were allegedly still active on the network up to 7 August 2021.|
|Suspected actor||The identity of the hackers has not yet been determined. It is unclear whether the actors were a criminal group or state-related.|
|Target||United Nations’ computer network infrastructure.|
|Target systems||According to several sources, including the cybersecurity firm that alerted the UN to the breach, the hackers targeted the Umoja system, i.e. the United Nations’ “proprietary project management software”, and from there gained more extensive access to the UN’s network.|
|Method||The suspected method of access to the management software was through UN employees’ accounts, using stolen credentials (username and password) acquired on the dark web. According to Bloomberg News, the same credentials were still being sold by different users as of 5 July 2021. The Umoja system accounts were allegedly not protected by two-factor authentication, a standard security practice, until July 2021.|
|Purpose||The purpose behind the incident has not been clarified. There was reportedly no damage or sabotage to the computer networks. The attack was allegedly aimed at performing “network intrusion” and “compromising large numbers of users within the UN network for further long-term intelligence gathering”, monitoring and collection of specific data.|
|Result||The cybersecurity company Resecurity informed the UN of the breach early in 2021. The UN stated on 9 September 2021 that the attack had been detected before said notification and that corrective actions had been and were being implemented.
There was no reported damage to the system. According to Resecurity, the UN stated that the incident “was limited to reconnaissance, and that the hackers had only taken screenshots while inside the network”, and that no data was exfiltrated. For its part, the company affirmed that in the latest breach the attackers compromised at least 53 UN accounts and that there was proof of a data breach of the UN computer system, including the theft of documents with sensitive information.
|Aftermath||The UN confirmed that the organization is frequently targeted by cyberattacks and that further attacks linked with the initial breach were detected.
The Umoja system announced in July 2021 that it “migrated to Microsoft Corp.’s Azure, which provides multifactor authentication”, providing enhanced security against breaches.
|Analysed in||Although no scenario addresses this exact set of circumstances, relevant scenarios include:|
Collected by: Dominique Steinbrecher
- William Turton and Kartikay Mehrotra, UN Computer Networks Breached by Hackers Earlier This Year, Bloomberg (9 September 2021)
- Pierluigi Paganini, The United Nations this week confirmed that its computer networks were hit by a cyberattack earlier this year, as first reported by Bloomberg, Security Affairs (10 September 2021)
- Hamza Shaban, Hackers breached U.N. computer networks earlier this year, The Washington Post (9 September 2021)
- Scott Ikeda, United Nations Data Breach: Hackers Obtained Employee Login From Dark Web, Are Executing Ongoing Attacks on UN Agencies, CPO Magazine (16 September 2021)
- Sarah Coble, Hackers Steal Data from United Nations, InfoSecurity (9 September 2021)
- Stéphane Dujarric, Note to Correspondents: In response to questions about a reported cyberattack, UN Spokesman for the Secretary-General (9 September 2021)