UN hacked via unpatched SharePoint server
The UN suffered a major data breach last year after it failed to patch a Microsoft SharePoint server, it emerged this week. Then it failed to tell anyone, even though it produced a damning internal report.
The news emerged after an anonymous IT employee leaked the information to The New Humanitarian, which is a UN-founded publication that became independent in 2015 to report on the global aid community. According to the outlet, internal UN staffers announced the compromise on 30 August 2019, explaining that the “entire domain” was probably compromised by an attacker who was lurking on the UN’s networks.
A confidential report sent to the publication without permission by a UN IT official revealed that the cyberattack had started in mid-July last year. The hackers had compromised dozens of servers including those in its highly sensitive human rights operation, along with its human resources department.
Stéphane Dujarric, spokesperson for the UN Secretary-General, explained to media in a briefing on Tuesday:
Attempts to attack the UN IT infrastructure happen often. The attribution of any IT attack remains very fuzzy and uncertain. So, we are not able to pinpoint to any specific potential attacker, but it was, from all accounts, a well-resourced attack.
The Associated Press (AP), which has seen the report, said that system logs had been meticulously cleared during the attack.
The hackers targeted a total of 42 servers, compromising the Active Directory domains of UN offices in Geneva, Vienna, and at the Office of the High Commissioner for Human Rights, although an official told the AP that nothing at the latter location was compromised. The three hacked locations employ around 4,000 staff. Geneva was the hardest hit, with 33 hacked servers, according to The New Humanitarian.
The attackers likely got in through an anti-corruption tracker hosted at the UN Office on Drugs and Crime, reports said. The entry point was a flaw in Microsoft's SharePoint software: CVE-2019-0604 is a remote code execution vulnerability in which SharePoint fails to check the source markup of an application package (in effect, it deserialises untrusted input), letting an attacker run arbitrary code in the context of the SharePoint application pool and the server farm account. Microsoft first patched it in February 2019 and reissued the fix in March after the initial update proved incomplete, but the UN hadn't applied it.
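The report says the attackers cleared system logs, so the only evidence of the initial SharePoint compromise that survives is whatever was shipped off the web front ends before the clean-up. The following is an added example (not code from the article, from the UN report, or from Microsoft) of a small triage script a responder could run over forwarded IIS logs. It assumes, based on publicly documented exploits for CVE-2019-0604 rather than anything on this page, that exploitation attempts arrive as unusually large POST requests to `/_layouts/15/Picker.aspx`; the 4096-byte body threshold, the use of RFC 1918 ranges as "internal", and the log lines themselves are all constructed for illustration.

```python
"""Triage IIS W3C logs from a SharePoint web front end for POSTs to Picker.aspx
that look like CVE-2019-0604 exploitation attempts.

Added example, not code from the article or the UN report. Assumption (not from
the page): public exploits for CVE-2019-0604 post a large serialised picker
payload to /_layouts/15/Picker.aspx. Sample log lines below are constructed.
"""

from ipaddress import ip_address, ip_network

# Constructed sample in IIS W3C format; field names follow the #Fields: header.
# IIS replaces spaces inside the user agent with '+', so each record splits cleanly.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip cs(User-Agent) sc-status cs-bytes
2019-07-15 03:12:44 10.0.0.5 GET /_layouts/15/start.aspx - 10.0.3.21 Mozilla/5.0+(Windows+NT+10.0) 200 412
2019-07-15 03:13:02 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 203.0.113.7 python-requests/2.22.0 200 18433
2019-07-15 03:13:03 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 203.0.113.7 python-requests/2.22.0 500 18402
2019-07-15 09:40:10 10.0.0.5 POST /_layouts/15/Picker.aspx PickerDialogType=Microsoft.SharePoint.WebControls.ItemPickerDialog 10.0.3.44 Mozilla/5.0+(Windows+NT+10.0) 200 912
"""

# Assumed definition of "internal": RFC 1918 space only (the stdlib's is_private
# also covers documentation ranges such as 203.0.113.0/24, so it is not used here).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BROWSER_UA_PREFIXES = ("Mozilla/",)
LARGE_BODY_BYTES = 4096  # assumed threshold; a normal picker search posts far less


def is_internal(ip):
    """True if the client address falls inside RFC 1918 space."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


def parse_iis(text):
    """Yield one dict per request line, keyed by the names in the #Fields: header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split()))


def picker_suspicion(rec):
    """Return the reasons a POST to Picker.aspx looks anomalous (empty list = benign)."""
    if rec["cs-method"] != "POST" or not rec["cs-uri-stem"].lower().endswith("/picker.aspx"):
        return []
    reasons = []
    if not is_internal(rec["c-ip"]):
        reasons.append("source outside RFC 1918 space")
    if int(rec["cs-bytes"]) > LARGE_BODY_BYTES:
        reasons.append(f"oversized request body ({rec['cs-bytes']} bytes)")
    if not rec["cs(User-Agent)"].startswith(BROWSER_UA_PREFIXES):
        reasons.append(f"non-browser user agent {rec['cs(User-Agent)']}")
    return reasons


def find_picker_abuse(text):
    """Return [(timestamp, client ip, status, reasons)] for each suspicious Picker.aspx POST."""
    hits = []
    for rec in parse_iis(text):
        reasons = picker_suspicion(rec)
        if reasons:
            hits.append((f"{rec['date']} {rec['time']}", rec["c-ip"], rec["sc-status"], reasons))
    return hits


if __name__ == "__main__":
    for when, ip, status, reasons in find_picker_abuse(SAMPLE_LOG):
        print(f"{when} {ip} HTTP {status}: " + "; ".join(reasons))
```

On the constructed sample the two requests from 203.0.113.7 are flagged on all three counts, while the 912-byte POST from an internal workstation with a browser user agent is left alone. A 500 immediately after a 200 from the same source is worth a second look in practice, since exploit tooling often retries with variant payloads. None of this helps if the logs only ever lived on the compromised host; the point of the exercise is that the copy being searched must have been forwarded to a collector the attacker could not reach.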
News of the breach follows an IT audit in 2018 that revealed significant problems with the UN’s technology systems. The audit found that 223 servers at the secretariat were operating with obsolete or unsupported technology such as Windows 2000 servers on legacy networks as of March 2018. They were not centrally managed. The audit also complained of fragmented issue tracking and couldn’t confirm that a network segmentation project had been completed.
Most damning is the fact that the organisation had shifted to self-certification for website and web application security, leaving it up to individual offices to confirm that they had applied updates to web-based systems. Of 37 offices, only 9 responded, and of those only 3 reported full compliance with all policies. Only one of the 1,462 UN websites had been checked by an external cybersecurity team.
In a commercial setting, GDPR could well kick in here: its Article 33 requires a data controller to notify the supervisory authority within 72 hours of becoming aware of a breach. However, as UN officials have said when apologising for other data breaches in the past, they consider UN agencies to be above such things.