UN data breach (2021)
Date | The first reported access to the United Nations’ system was on 5 April 2021.[1] The attackers were allegedly still active on the network up to 7 August 2021.[1] |
---|---|
Suspected actor | The identity of the hackers has not yet been determined.[1] It is unclear whether the actors were a criminal group or state-related.[2] |
Target | United Nations’ computer network infrastructure.[1] |
Target systems | According to several sources, including the cybersecurity firm that alerted the UN of the breach,[1] the hackers targeted the Umoja system, i.e. the United Nations’ “proprietary project management software”,[3][1][2] and from there gained more extensive access to the UN’s network.[4][1] |
Method | The suspected method of access to the management software was through UN employees’ accounts using stolen credentials (username and password) acquired on the dark web.[1] According to Bloomberg News, the same credentials were still being sold by different users as of 5 July 2021.[1] The Umoja system accounts were allegedly not protected by two-factor authentication, a standard security practice,[3] until July 2021.[2] |
Purpose | The purpose behind the incident has not been clarified. There was reportedly no damage or sabotage to the computer networks.[5] The attack allegedly aimed at performing “network intrusion”[3] and “compromising large numbers of users within the UN network for further long-term intelligence gathering”,[1] and at the monitoring and collection of specific data.[3] |
Result | The cybersecurity company Resecurity informed the UN of the breach early in 2021. The UN stated on 9 September 2021 that the attack had been detected before said notification and that corrective actions had been and were being implemented.[6]
There was no reported damage to the system.[4][1] According to Resecurity, the UN reported that the incident “was limited to reconnaissance, and that the hackers had only taken screenshots while inside the network”,[1][4] while no data was exfiltrated.[2] For its part, the company affirmed that in the latest breach the attackers compromised at least 53 UN accounts[1] and that there was proof of a data breach of the UN computer system,[1] including the theft of documents with sensitive information.[2] |
Aftermath | The UN confirmed that the organization is frequently targeted by cyberattacks and that further attacks linked with the initial breach were detected.[6]
According to analysts, both the reconnaissance and the information stolen may be used to support future attacks against the UN or its agencies.[1][3] The Umoja system announced in July 2021 that it “migrated to Microsoft Corp.’s Azure, which provides multifactor authentication”,[1] providing enhanced security against breaches. |
Analysed in | Although no scenario addresses this exact set of circumstances, relevant scenarios include:
Scenario 02: Cyber espionage against government departments |
Collected by: Dominique Steinbrecher
- [1] William Turton and Kartikay Mehrotra, UN Computer Networks Breached by Hackers Earlier This Year, Bloomberg (9 September 2021)
- [2] Pierluigi Paganini, The United Nations this week confirmed that its computer networks were hit by a cyberattack earlier this year, as first reported by Bloomberg, Security Affairs (10 September 2021)
- [3] Hamza Shaban, Hackers breached U.N. computer networks earlier this year, The Washington Post (9 September 2021)
- [4] Scott Ikeda, United Nations Data Breach: Hackers Obtained Employee Login From Dark Web, Are Executing Ongoing Attacks on UN Agencies, CPO Magazine (16 September 2021)
- [5] Sarah Coble, Hackers Steal Data from United Nations, InfoSecurity (9 September 2021)
- [6] Stéphane Dujarric, Note to Correspondents: In response to questions about a reported cyberattack, UN Spokesman for the Secretary-General (9 September 2021)