UN didn't patch SharePoint, got mega-hacked, covered it up, kept most staff in the dark, finally forced to admit it

The United Nations’ European headquarters in Geneva and Vienna were hacked last summer, putting thousands of staff records at miscreants' fingertips. Incredibly, the organization decided to cover it up without informing those affected nor the public.

That is the extraordinary claim of The New Humanitarian, which until a few years ago was an official UN publication covering humanitarian crises. Today, it said the UN has confirmed both the hack and the decision not to divulge any details.

Dozens of UN servers were impacted in an attack that began in mid-July 2019 but was only noticed one month later, according to a confidential report dated September 20. The publication gained access to that report, which outlines a series of security holes discovered by an external forensic company as well as internal efforts to contain the hack.

“We are working under the assumption that the entire domain is compromised,” an alert sent to internal sysadmins on August 30 noted. “The attacker doesn't show signs of activity so far, we assume they established their position and are dormant.”

A senior IT official dubbed the attack a “major meltdown,” in which personnel records - as well as contract data covering thousands of individuals and organizations - was accessed. The hackers were able to get into user-management systems and past firewalls; eventually compromising over 40 servers, with the vast majority at the European headquarters in Geneva.

But despite the size and extent of the hack, the UN decided to keep it secret. Only IT teams and the heads of the stations in question were informed.

“The attack resulted in a compromise of core infrastructure components,” a UN spokesperson told The New Humanitarian. “As the exact nature and scope of the incident could not be determined, [the UN] decided not to publicly disclose the breach.”

Just a quick password change, nothing to worry about

Employees whose data was within reach of the hackers were told only that they needed to change their password and were not informed that their personal details had been compromised. That decision not to disclose any details stems from a “cover-up culture” the anonymous IT official who leaked the internal report told the publication.

The report notes it has been unable to calculate the extent of damage but one techie – it’s not clear it is the same one that leaked the report – estimated that 400GB had been pulled from United Nations servers.

Most worrying is the fact the UN Office of the High Commissioner for Human Rights (OHCHR) was one of those compromised. The OHCHR deals with highly sensitive information from people who put their lives at risk to uncover human rights abuses.

Making matters worse, IT specialists had warned the UN for years that it was at risk from hacking. An audit in 2012 identified an “unacceptable level of risk,” and resulted in a restructure that consolidated servers, websites, and typical services like email, and then outsourced them to commercial providers at a cost of $1.7bn.

But internal warnings about lax security continued, and an official audit in 2018 was full of red flags. “The performance management framework had not been implemented,” it stated, adding that there were “policy gaps in areas of emerging concern, such as the outsourcing of ICT services, end-user device usage, information-sharing, open data and the reuse and safe disposal of decommissioned ICT equipment.”

There were lengthy delays in security projects, and, internally, departments were ignoring compliance efforts. The audit “noted with concern” that 28 of the 37 internal groups hadn’t responded at all and that over the nearly 1,500 websites and web apps identified only a single one had carried out a security assessment.

The audit also found that less than half of the 38,105 staff had done a compulsory course in basic IT security that had been designed to help reduce overall security risks. In short, this was an accident waiting to happen, especially given the UN’s high-profile status.

SharePoint shafting

As to the miscreants' entry point, it was a known flaw in Microsoft SharePoint (CVE-2019-0604) for which a software patch had been available for months yet the UN had failed to apply it.

The hole can be exploited by a remote attacker to bypass logins and issue system-level commands – in other words, a big problem from a security standpoint. The hackers broke into a vulnerable SharePoint deployment in Vienna and then, with admin access, moved within the organization's networks to access the Geneva headquarters and then the OHCHR.

Who honestly has a crown prince in their threat model? UN report officially fingers Saudi royal as Bezos hacker

READ MORE

One person who was shown the report – cybersecurity researcher Kevin Beaumont – said that the intrusion “has the hallmarks of a sophisticated threat actor.”

With North Korea, China, Iran, and others, investing heavily in cyber-attack capabilities, as well as private criminal gangs, it could be anyone, and the report does not find any fingerprints that point to a specific group. That may be a result of the UN trying to keep the entire thing under wraps.

It could also, of course, be the US, which would legally be allowed to target the UN in Geneva, rather than UN headquarters in New York because it is outside North America. The United States, like other countries, has a long history of trying to find out what is going on behind closed doors at the United Nations.

Either way, it was a huge security cock-up on the UN’s part and its decision not to disclose it to anyone, even those impacted, flies in the face of modern best practice. ®