United Nations Suffered a Data Breach
Table of Contents
- By Dawna M. Roberts
- Published: Oct 27, 2021
- Last Updated: Mar 18, 2022
Last week the United Nations admitted that they had suffered a ransomware attack earlier this year, which led to a slew of follow-up attacks.
What Happened?
A cybersecurity researcher notified NATO that he found access credentials to one of their enterprise resource planning software systems on a dark web forum up for sale. The same occurred for the U.N.
Bloomberg first reported on Thursday that the United Nations publicly divulged that “Unknown attackers were able to breach parts of the United Nations infrastructure in April. The United Nations is frequently targeted by cyber attacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to that are linked to the earlier breach.”
Cyber threat researchers criticize all government offices, including the U.N., for not implementing the proper security controls to avoid these attacks. Russia has been in the news frequently for waging attacks on various government institutions, and now the United Nations is among them.
According to Data Breach Today, “In March, one of the same groups that acquired access credentials to the U.N. also tried to sell credentials for a cybersecurity portal belonging to the North Atlantic Treaty Organization, or NATO.”
How Did the Attack Occur?
As threat investigators continue to unravel the attack, they surmised that the initial intrusion occurred in February and the actual attack occurred in April. Right after the breach, threat assessors found access credentials for Umoja, which is the U.N.’s enterprise resource planning software online in a dark web forum.
Data Breach Today adds, “Umoja is used for a variety of business processes tied to finance, human resources, and administration. Umoja’s web page reports that it has some 46,000 users in nearly 450 locations.”
Alex Holden, CTO of Hold Security, which is a leading cybersecurity forensics firm out of Wisconsin, is the group that discovered the leaked information and immediately contacted the U.N. to notify them of the sale of their internal credentials.
Data Breach Today explains, “In April, a different broker offered another set of access credentials for Umoja, Holden says. That broker is known to supply access credentials to the Nefilim ransomware operation. Holden says he suspects that this initial access broker passed the U.N. credentials to Nefilim. Many ransomware operations have close ties with access brokers, to enable them to cost-effectively target a large number of victims in search of higher profits.”
Threat researchers assume that the initial attack was through an unpatched Citrix installation. The U.N. does use Citrix as its platform for Umoja. Although Holden and his team notified the U.N. in April, the hacker was still trying to sell the credentials in July.
During its stay on the forum, other threat research consultancies saw the ad. One in particular, according to Bloomberg, was Los Angeles-based Resecurity, who also contacted the U.N. to notify them. They responded to Resecurity, letting them know they were aware of the issue “and corrective actions to mitigate the impact of the breach had already been planned and were being implemented.” The U.N. also thanked Resecurity “for sharing information related to the incident and confirmed the data breach.”
What the Experts Think
Holden and other threat assessors theorize that the hackers were able to gain access, probably due to phishing emails of some kind. That is the most popular way to trick users into providing credentials, and then once they are in, they are in.
He also noted that both NATO and the U.N. were not using multi-factor authentication for an additional layer of security. Something many security experts agree can stop criminals from gaining access.
The U.N. has since changed its authorization method using Umoja from United Identity to Microsoft’s Azure, which supports multi-factor authentication for added security.