The UN Deliberately Hid a Massive Hacking Attack That Could Have Put a Lot of People in Danger
News of cyberattacks aimed at organizations of all shapes and sizes comes out on a daily basis, and it's often accompanied by a lot of criticism for the victim. Usually, the problem lies in the way the incident is handled, but there are also cases when cyberattack victims are condemned for not taking enough precautions to prevent the breach from happening in the first place. Yesterday, the United Nations, the organization responsible for, among other things, preserving the fragile peace on our precious planet, admitted that it has been targeted by hackers. It's safe to say that people can criticize it not only for failing to prevent the breach but also for the way it reported it.
UN suffered a "well-resourced" cyberattack in the summer of 2019
Before we get to the UN's mistakes, we must first see what happened. After all, we're talking about an enormous organization responsible for a huge amount of data. Some of it is so sensitive that if it falls into the wrong hands, it could lead to the loss of human life. Fortunately, if the UN is to be believed, the hackers failed to access the most sensitive bits of information.
According to the official announcement, the attack hit "core infrastructure components" in the UN's offices in Vienna and Geneva. One of the UN's arms in Geneva is the Office of the High Commissioner for Human Rights (OHCHR), and it was confirmed that its servers were targeted. Thankfully, the attackers only managed to get to the development environment, which is just as well because OHCHR likely handles sensitive data that could lead to the persecution of activists by certain regimes. While they didn't get to see that information, the hackers did manage to compromise some Active Directory user IDs, though the UN was quick to point out that no passwords had been stolen.
UN officials preferred not to go into too many details about what else was compromised. They did point out, however, that the incident was "serious," and they implied that the UN was attacked by a sophisticated group of hackers who have plenty of resources. Although this may very well be the case, the attack's success can't be entirely attributed to the hackers' skills. The UN's sloppy patch management also played a key role.
The attack was successful because of a delayed update
Many people are worried because yesterday's announcement proves once again that even huge organizations with global importance can be hacked successfully. The truly scary bit, however, is that these organizations leave themselves vulnerable to cyberattacks.
To understand what really happened, we must rewind the clock back to February 2019, when security researchers found a remote code execution flaw in Microsoft SharePoint, a collaborative document and file management system used by hundreds of thousands of organizations all around the world. The flaw could allow hackers to bypass SharePoint's authentication and execute code on the target's server. The potential consequences of such an attack were enormous, which is why the vulnerability was classified as critical and given a CVE number (CVE-2019-0604), and why work on a patch started immediately. In March, Microsoft issued an update to address CVE-2019-0604 on most of the affected SharePoint versions, and on April 25, 2019, it released another patch for the rest of the vulnerable platforms.
The UN's IT policies apparently dictate that security updates must be installed within a month of their release, but unfortunately, the rules are not followed very strictly. In July 2019, the hackers exploited CVE-2019-0604 on the UN's SharePoint platform and gained access to the organization's servers.
Cybersecurity specialists invest quite a lot of time and effort into convincing users and businesses that keeping software applications and operating systems up-to-date is extremely important. We all tend to assume that the IT experts working for organizations of global significance don't need to be reminded of this, but apparently, this is not the case.
It's high time we all learned that there is absolutely no excuse for ignoring security updates. We must also see how the UN handled the incident and learn from its mistakes.
The UN deliberately kept the attack under wraps
It's difficult to speculate whether or not the UN had the intention of disclosing the breach yesterday, but the fact of the matter is, a few hours before the organization's officials stood in front of the cameras, an agency by the name of The New Humanitarian (TNH) broke the news. The report was the result of a rather long investigation, which started in November 2019 when Ben Parker, a Senior Editor for TNH, stumbled upon an internal UN report from late August of last year.
It revealed that back then, the UN's IT team was in the middle of plugging all the holes and investigating what had happened. At the time, the experts were communicating among themselves and were trying to assess the damage. An anonymous IT official told TNH that the whole thing was a "major meltdown," and indeed, Ben Parker's investigation reveals that no fewer than 40 servers were compromised during the attack. The servers were likely linked to human resources and health insurance systems, which means that while they didn't get to see lists of human rights activists, the hackers did manage to access the personal details of the UN's staff in Geneva and Vienna.
TNH's investigation also shows that the UN did urge its employees to change their passwords but had absolutely no intention of telling them that their data had been the target of a cyberattack. The only people who knew about the incident were the IT specialists in charge of cleaning up the mess and the people further up the hierarchy.
If this were a normal organization, it would've been in all sorts of trouble. The fine under the EU's GDPR would have been massive, and the fact that affected employees were not informed in time would have served as solid grounds for a lawsuit. The UN isn't a normal organization, though. It has diplomatic immunity, which means that regulators don't have the legal right to hold it accountable, and the options for affected individuals aren't exactly plentiful, either.
The only thing we can do at this point is hope that other organizations, both big and small, learn some lessons.