What just happened? In an apparent espionage operation launched in July 2019, hackers were able to compromise IT systems of UN offices in Geneva and Vienna. The incident was not disclosed by the organization, even to its employees, citing its undetermined nature and scope. A senior UN IT official recently confirmed the complex cyberattack that’s estimated to have leaked 400 GB of data.
According to The New Humanitarian, IT officials at the UN's Geneva offices seemingly became aware of the hack a month after it took place and issued an alert to their tech teams in August 2019.
"We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant."
The publication also managed to obtain a confidential UN report that mentions "dozens of UN servers" being compromised, including systems at its human rights offices and HR department, and some administrator accounts being breached. The report also covers identified vulnerabilities and containment efforts, and includes a section titled: "Still counting our casualties."
UN spokesperson Stéphane Dujarric classified the incident as "serious" and noted that the breach was not publicly disclosed as its exact nature and scope could not be determined.
In keeping with the "cover-up culture" generally prevalent in such situations, the incident was not disclosed to the affected staff, who were asked to change their passwords after the breach. The only informed parties included internal IT teams and the chiefs of the UN Office at Geneva and the UN Office at Vienna.
The attack reportedly used some unknown malware and exploited a flaw in Microsoft SharePoint (CVE-2019-0604), a patch for which had been available for months but had not been applied.
The compromised data is said to include personnel records and information on thousands of commercial contracts, as hackers gained admin access on the network and ended up infiltrating over 40 servers across the organization's offices in Vienna and Geneva, including its high commissioner’s office for human rights.
Given the UN’s unique diplomatic status, the organization is under no legal obligation to report the breach to a regulator or the public and is also not subject to Freedom of Information requests. However, keeping affected employees uninformed during such events goes against established cyber security practices, which brings into question the world body’s preparedness against such attacks and risks damaging its reputation and effectiveness in managing global affairs.