UN data breach (2021)

From International cyber law: interactive toolkit
Date: The first reported access to the United Nations’ system was on 5 April 2021.[1] The attackers were allegedly still active on the network up to 7 August 2021.[1]
Suspected actor: The identity of the hackers has not yet been determined.[1] It is unclear whether the actors were a criminal group or state-related.[2]
Target: United Nations’ computer network infrastructure.[1]
Target systems: According to several sources, including the cybersecurity firm that alerted the UN to the breach,[1] the hackers targeted the Umoja system, i.e. the United Nations’ “proprietary project management software”,[3][1][2] and from there gained more extensive access to the UN’s network.[4][1]
Method: The suspected method of access to the management software was through UN employees’ accounts, using stolen credentials (username and password) acquired on the dark web.[1] According to Bloomberg News, the same credentials were still being sold by different users as of 5 July 2021.[1] The Umoja system accounts were allegedly not protected by two-factor authentication, a standard security practice,[3] until July 2021.[2]
Purpose: The purpose behind the incident has not been clarified. There was reportedly no damage or sabotage to the computer networks.[5] The attack allegedly aimed at performing “network intrusion”[3] and “compromising large numbers of users within the UN network for further long-term intelligence gathering”,[1] as well as the monitoring and collection of specific data.[3]
Result: The cybersecurity company Resecurity informed the UN of the breach early in 2021. The UN stated on 9 September 2021 that the attack had been detected before said notification and that corrective actions had been and were being implemented.[6]

There was no reported damage to the system.[4][1] According to Resecurity, the UN stated that the incident “was limited to reconnaissance, and that the hackers had only taken screenshots while inside the network”,[1][4] while no data was exfiltrated.[2] For its part, the company affirmed that in the latest breach the attackers compromised at least 53 UN accounts[1] and that there was proof of a data breach of the UN computer system,[1] including the theft of documents with sensitive information.[2]

Aftermath: The UN confirmed that the organization is frequently targeted by cyberattacks and that further attacks linked with the initial breach were detected.[6]

According to analysts, both the reconnaissance and the information stolen may be used to support future attacks against the UN or its agencies.[1][3]

The Umoja system announced in July 2021 that it “migrated to Microsoft Corp.’s Azure, which provides multifactor authentication”,[1] providing enhanced security against breaches.

Analysed in: Although no scenario addresses this exact set of circumstances, relevant scenarios include:

Scenario 02: Cyber espionage against government departments
Scenario 04: A State’s failure to assist an international organization
Scenario 12: Cyber operations against computer data
Scenario 25: Cyber disruption of humanitarian assistance

Collected by: Dominique Steinbrecher

  1. William Turton and Kartikay Mehrotra, UN Computer Networks Breached by Hackers Earlier This Year, Bloomberg (9 September 2021)
  2. Pierluigi Paganini, The United Nations this week confirmed that its computer networks were hit by a cyberattack earlier this year, as first reported by Bloomberg, Security Affairs (10 September 2021)
  3. Hamza Shaban, Hackers breached U.N. computer networks earlier this year, The Washington Post (9 September 2021)
  4. Scott Ikeda, United Nations Data Breach: Hackers Obtained Employee Login From Dark Web, Are Executing Ongoing Attacks on UN Agencies, CPO Magazine (16 September 2021)
  5. Sarah Coble, Hackers Steal Data from United Nations, InfoSecurity (9 September 2021)
  6. Stéphane Dujarric, Note to Correspondents: In response to questions about a reported cyberattack, UN Spokesman for the Secretary-General (9 September 2021)