
Hackers who breached the United Nations’ computer networks earlier this year now have data that could be used to target agencies within the organization, Bloomberg reported Thursday.
“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Stéphane Dujarric, spokesman for the UN Secretary-General, said in a statement that day.
So far, the earliest known date the hackers had access to the system is April 5. They were still in the system as of Aug. 7. To break into the intergovernmental organization, the hackers most likely used a UN employee's stolen username and password, purchased off the dark web, Bloomberg said.
Cybersecurity firm Resecurity discovered the breach, according to the outlet. It also worked with the UN security team to identify its scope.
“Organizations like the UN are a high-value target for cyber espionage activity,” Resecurity Chief Executive Officer Gene Yoo explained.
“The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.”
The credentials used in the hack belonged to an account on Umoja, the UN's proprietary project software. The Umoja account used did not have two-factor authentication enabled, which Bloomberg described as a basic security feature. An announcement on Umoja’s website in July said the system migrated to Microsoft Corp.’s Azure, which provides multifactor authentication.
Once the hackers were in, they were able to gain deeper access to the UN’s network, said Resecurity. The hackers took screenshots while in the network, and their mission appeared to be limited to reconnaissance, the UN told Resecurity.
However, when Yoo provided proof to the UN of stolen data, the UN stopped corresponding with the company, he said.
The UN didn’t respond to requests from Bloomberg for comment.
“The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach,” said Dujarric in his statement Thursday.
In 2018, Dutch and British law enforcement prevented a Russian cyberattack against the Organisation for the Prohibition of Chemical Weapons, a UN agency, as it researched the use of a deadly nerve agent on British soil, said Bloomberg. The following year, the UN “core infrastructure” was compromised in a cyberattack that exploited a vulnerability in Microsoft’s SharePoint platform.
The UN attack is one of multiple high-profile hacks this year.
JBS SA, the world’s largest meat producer, was hit by a cyberattack this year that forced the shutdown of U.S. plants, and Colonial Pipeline Co., operator of the biggest U.S. gasoline pipeline, was also compromised by a ransomware attack.
While JBS SA and Colonial Pipeline Co. systems were damaged during those hacks, the UN hackers were able to collect information about the organization’s computer networks without damaging systems, said Bloomberg. Hackers also sought to compromise 53 UN accounts, Resecurity said.
Reconnaissance carried out by the hackers may enable them to conduct future hacks or to sell the information to other groups that may seek to breach the UN, said Bloomberg.
“Traditionally, organizations like the United Nations have been targeted by nation state actors, but as cybercriminals are finding ways to more effectively monetize stolen data and as access to these organizations is more frequently available for sale by initial access brokers, we expect to see them increasingly targeted and infiltrated by cybercriminals,” said Allan Liska, a senior threat analyst at Recorded Future. Liska said he had seen the username and password for UN employees for sale on the dark web.
Bloomberg News wasn’t able to identify the hackers or their purpose in breaching the UN. However, the outlet did find dark web ads where users were selling the same credentials as recently as July 5.
Credentials have been offered by multiple Russian-speaking cybercriminals, according to Mark Arena, chief executive officer of security-intelligence firm Intel 471. UN credentials were being sold along with dozens of usernames and passwords to various organizations for just $1,000.
“Since the start of 2021 we’ve seen multiple financially motivated cybercriminals selling access to the Umoja system run by the United Nations,” Arena said. Sometimes, cybercriminals sell credentials to other criminals, he added.