[BreachExchange] United Nations’ Computers Breached by Hackers Earlier This Year

Sophia Kingsbury sophia.kingsbury at riskbasedsecurity.com
Thu Sep 9 08:29:09 EDT 2021


https://finance.yahoo.com/news/united-nations-computers-breached-hackers-110000816.html

Hackers breached the United Nations’ computer networks earlier this year
and made off with a trove of data that could be used to target agencies
within the intergovernmental organization.

The hackers’ method for gaining access to the UN network appears to be
unsophisticated: They likely got in using the stolen username and password
of a UN employee purchased off the dark web.

The credentials belonged to an account on the UN’s proprietary project
management software, called Umoja. From there, the hackers were able to
gain deeper access to the UN’s network, according to cybersecurity firm
Resecurity, which discovered the breach. The earliest known date the
hackers obtained access to the UN’s systems was April 5, and they were
still active on the network as of Aug. 7.

“Organizations like the UN are a high-value target for cyber espionage
activity,” Resecurity Chief Executive Officer Gene Yoo said. “The actor
conducted the intrusion with the goal of compromising large numbers of
users within the UN network for further long-term intelligence gathering.”

The attack marks another high-profile intrusion in a year when hackers have
grown more brazen. JBS SA, the world’s largest meat producer, was hit by a
cyberattack this year that forced the shutdown of U.S. plants. Colonial
Pipeline Co., operator of the biggest U.S. gasoline pipeline, also was
compromised by a so-called ransomware attack. Unlike those hacks, whoever
breached the UN didn’t damage any of its systems, but instead collected
information about the UN’s computer networks.

Resecurity informed the UN of its latest breach earlier this year and
worked with the organization’s security team to identify the scope of the
attack. UN officials informed Resecurity that the hack was limited to
reconnaissance, and that the hackers had only taken screenshots while
inside the network. When Resecurity’s Yoo provided proof to the UN of
stolen data, the UN stopped corresponding with the company, he said.

The Umoja account used by the hackers wasn’t enabled with two-factor
authentication, a basic security feature. According to an announcement on
Umoja’s website in July, the system migrated to Microsoft Corp.’s Azure,
which provides multifactor authentication. That move “reduces the risk of
cybersecurity breaches,” an announcement on Umoja’s site read.

The UN didn’t respond to requests for comment.

The UN and its agencies have been targeted by hackers before. In 2018,
Dutch and British law enforcement foiled a Russian cyberattack against the
Organisation for the Prohibition of Chemical Weapons as it probed the use
of a deadly nerve agent on British soil. Then, in August 2019, the UN’s
“core infrastructure” was compromised in a cyberattack that targeted a
known vulnerability in Microsoft’s SharePoint platform, according to a
report by Forbes. The breach wasn’t publicly disclosed until it was
reported by the New Humanitarian news organization.

In the latest breach, hackers sought to map out more information about how
the UN’s computer networks are built, and to compromise 53
UN accounts, Resecurity said. Bloomberg News wasn’t able to identify the
hackers or their purpose in breaching the UN.

Bloomberg News did review dark web ads where users across at least three
marketplaces were selling these same credentials as recently as July 5.

The reconnaissance carried out by the hackers may enable them to conduct
future hacks or to sell the information to other groups that may seek to
breach the UN.

“Traditionally, organizations like the United Nations have been targeted by
nation state actors, but as cybercriminals are finding ways to more
effectively monetize stolen data and as access to these organizations is
more frequently available for sale by initial access brokers, we expect to
see them increasingly targeted and infiltrated by cybercriminals,” said
Allan Liska, a senior threat analyst at Recorded Future. Liska said he had
seen the username and password for UN employees for sale on the dark web.

The credentials have been offered by multiple Russian-speaking
cybercriminals, according to Mark Arena, chief executive officer of
security-intelligence firm Intel 471. The UN credentials were being sold as
part of a batch of dozens of usernames and passwords to various
organizations for just $1,000.

“Since the start of 2021 we’ve seen multiple financially motivated
cybercriminals selling access to the Umoja system run by the United
Nations,” Arena said. “These actors were selling a broad range of
compromised credentials from a multitude of organizations at the same time.
On a number of previous occasions, we’ve seen compromised credentials being
sold to other cybercriminals, who have undertaken follow-up intrusion
activity within these organizations.”