The UN did not publicly disclose a major hacking attack into its IT systems in Europe – a decision that potentially put staff, other organisations, and individuals at risk, according to data protection advocates.
On 30 August 2019, IT officials working at the UN’s Geneva offices issued an alert to their tech teams about a hacking incident:
'We are working under the assumption that the entire domain is compromised. The attacker doesn't show signs of activity so far, we assume they established their position and are dormant.'
The complex cyber attack on UN networks in Geneva and Vienna had started more than a month earlier but was only just being fully uncovered.
At a glance: Key findings
- Hackers broke into dozens of UN servers starting in July 2019.
- A senior UN IT official called the incident a “major meltdown”.
- Staff records, health insurance, and commercial contract data were compromised.
- Staff were asked to change their passwords but not told about the breach.
- Under diplomatic immunity, the UN is not obliged to divulge what was obtained by the hackers or notify those affected.
- The attack might have been avoided with a simple patch to fix a software bug.
- Systems in Geneva and Vienna used by thousands of staff were compromised.
- A UN spokesperson says the attack triggered a rebuild of multiple systems.
- UN officials warned of major vulnerabilities years ago.
Dozens of UN servers – including systems at its human rights offices, as well as its human resources department – were compromised and some administrator accounts breached, according to a confidential UN report obtained by The New Humanitarian. The breach is one of the largest ever known to have affected the world body.
The cyber attack – unreported until TNH’s investigation – started mid-July, according to the report. Dated 20 September, the report flags vulnerabilities, describes containment efforts, and includes a section titled: “Still counting our casualties”.
The incident amounted to a “major meltdown”, according to a senior UN IT official familiar with the fallout, who spoke to TNH on condition of anonymity. This official provided TNH with the August 2019 alert above and several other alerts related to the breach.
In response to questions from TNH, the UN confirmed it had kept the breach quiet.
“The attack resulted in a compromise of core infrastructure components,” said UN spokesperson Stéphane Dujarric, who classified it as “serious”. “As the exact nature and scope of the incident could not be determined, [the UN offices in Geneva and Vienna] decided not to publicly disclose the breach.”
Staff were asked to change their passwords, but were not told of the large breach or that some of their personal data may have been compromised. The “core infrastructure” affected included systems for user and password management, system controls, and security firewalls.
No matter what exactly was exposed, the decision not to notify all the people or organisations whose data may have been compromised – including UN staff – risks damaging trust in the UN as an institution, and so its effectiveness, according to human rights and privacy analysts.
Sean McDonald, a lawyer and specialist in the use of IT in international development, reviewed the report for TNH and said failing to notify others meant the UN either had “a fundamental misread of the seriousness of what’s just happened, or it is a professionally irresponsible way to handle an issue of that magnitude”.
“You can’t be a global governance body and not be accountable for holding yourself to a professional standard,” he said.
Informed by TNH about the contents of the report, David Kaye, the UN’s special rapporteur on freedom of expression, said the UN has a special responsibility to secure its sensitive data and inform those affected, a position he articulated in a 2015 study on digital security.
The UN’s diplomatic status gives it “immunity from every form of legal process”, and it is – unlike most US and European firms – under no legal obligation to report the breach to a regulator or the public. It is also not subject to Freedom of Information requests.
The lack of reporting stems from a “cover-up culture”, the UN IT official said: “This breach might impact many actors... there is a responsibility to proceed and report.”
What’s the damage?
The breach affected dozens of servers in three separate locations: the UN Office at Vienna; the UN Office at Geneva; and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva. These servers hold a range of data, including personal information about staff.
Asked who was notified about the attack, Dujarric mentioned that only internal IT teams and the chiefs of the UN Office at Geneva and the UN Office at Vienna had been informed.
What data was copied and downloaded elsewhere is unclear.
Asked what was copied by the intruders, Dujarric replied: “As part of the compromised infrastructure, lists of user accounts would have been exposed.”
The report, however, lists 10 other “infrastructure components” that were compromised, including printing, antivirus, and the human resources system.
Dujarric confirmed “it was possible for the intruders to view data on the compromised server” in the Vienna office. The same was true for the OHCHR servers in Geneva but they only contained “non-sensitive” dummy information, he said. A spokesperson for the OHCHR said that its 'Active Directory' listing of internal users was also extracted by the intruders.
Dujarric did not elaborate about the third affected network: the UN Office at Geneva.
Asked if the incident was now fully contained, the UN spokesperson replied: “Multiple workshops and assessments have been conducted to verify that the exploited vulnerabilities have been mitigated.”
The senior UN IT official said much more data was stolen than the UN implied. Estimating that some 400 GB of data was downloaded, the official said the UN’s answers downplayed the level of the breach. The “user lists” were key to the network and “once you’ve got privileged access, you’ve got into everything”, they said.
The UN is a natural target for state-sponsored hacking, but news about major breaches is rare, as is firm attribution about who is responsible.
The UN IT official said the 2019 hack was deeper and more significant than an incident in 2016, when hackers – allegedly from the Chinese government-linked group dubbed Emissary Panda – gained access to the records of about 2,000 staff at the UN’s aviation agency, according to the Canadian Broadcasting Corporation.
Although it is unclear what documents and data the hackers obtained in the 2019 incident, the report seen by TNH implies that internal documents, databases, emails, commercial information, and personal data may have been available to the intruders – sensitive data that could have far-reaching repercussions for staff, individuals, and organisations communicating with and doing business with the UN.
The compromised servers included 33 in the UN Office at Geneva, three at OHCHR in Geneva, and at least four in the Vienna office. According to the report, the breach also grabbed “active directories”, with each likely to list hundreds of users as well as human resources and health insurance systems, other databases, and network resources. The three affected offices have in total about 4,000 staff.
The report, prepared by the UN Office at Geneva in the midst of containment efforts, suggests the cyber attack most seriously affected their office, which houses 1,600 staff working in a range of political and development units, including Syria peace talks, the humanitarian coordination office (OCHA), and the Economic Commission for Europe.
“There is no evidence that the attack affected further locations, nor any other agencies,” Dujarric added.
A digital “forensics” company and Microsoft have been involved in the clean-up effort, according to the IT official.
- February: Canadian media exposes UN aviation agency attempt to cover up 2016 hack.
- February: Security firm reveals targeted phishing campaign on UN in North Korea.
- July-August: UN offices in Vienna and Geneva accessed by unknown hackers.
- September: UNICEF accidentally circulates 8,000 names and email addresses of a training site.
- October: The UN pension fund system announces it was hacked, but says its systems were fixed without loss of data.
- October: Security firm Lookout reveals multiple UN agencies, NGOs, and the Red Cross targeted in similar North Korea-related phishing scheme that started in March.
- September: The French cybersecurity authority ANSSI says the UN was targeted in a widespread campaign to gather login details from diplomatic targets.
- December: Microsoft court papers describe another North Korea-related phishing operation targeting UN and others by a group dubbed “Thallium”.
Breach of trust
For human rights activists, state-based hacking and online spying is a persistent threat that can lead to arrests or intimidation.
A spokesperson for OHCHR said via email: “OHCHR faces regular cyber attack attempts, and we are constantly monitoring to safeguard the integrity of our computer systems and the data they hold.”
Mohammed al-Maskati, a Bahraini human rights activist who has worked alongside OHCHR, said the incident and its handling may make some organisations hesitant to share information.
“It is surprising and disappointing that this kind of big organisation, collecting such sensitive information, is not taking care of its procedures,” he said.
Victims and activists can face surveillance and eavesdropping, imprisonment, and even torture by their governments in reprisal for working with the UN’s human rights office, according to the OHCHR’s own report.
Attempted cyber attacks against the UN are occasionally revealed by technology firms. Microsoft, for example, told a US court last year that North Korea-linked hackers were trying to gather login details of UN officials, in a practice known as phishing.
If sensitive data has fallen into the wrong hands, individuals and organisations should be given a chance to tighten up their personal security and adjust their plans, said al-Maskati, the Middle East digital protection coordinator for NGO Front Line Defenders.
Furthermore, if personal information was accessed, the UN’s approach would appear to go against its advice to others.
“Enterprises should notify their customers once they become aware of personal data breaches that may have affected their rights,” according to a major UN report: ‘The right to privacy in the digital age’.
In many countries, government departments, corporations, and non-profits whose systems have been hacked are required to report the breaches to authorities.
In the EU, for example, the General Data Protection Regulation (GDPR) requires that any individual put at “high risk” by a security breach should be informed without delay, as should the national regulator.
Taylor, who studies the use of data by international organisations, said the UN sits "outside the framework of laws developed around the world to deal with this problem, and [has] therefore not had to develop processes for transparency about breaches”.
“Expecting any large and powerful organisation to self-regulate and behave perfectly ethically is not realistic,” she added.
Keeping the incident under wraps could undermine trust in the UN’s work, said Gus Hosein, executive director of Privacy International, after reading the report obtained by TNH.
“Financial institutions, hospitals, and even intelligence agencies have all had breaches in recent years – and we only know this because they informed us,” said Hosein. “There are at least consequences to their failures.”
Too little, too late?
Over recent years, the UN has been trying to tighten up its cybersecurity, after an “unacceptable level of risk” was recognised by an audit in 2012. A new strategy adopted in 2013 promised “urgent action” to improve network security and to monitor intrusions.
Kaye, the UN special rapporteur on freedom of expression, told TNH he would find a breach “shocking but not surprising”, adding that, in his view, the UN should have invested more in cybersecurity at the OHCHR given the “high stakes for victims and advocates”.
Under its IT czar, Atefeh Riazi, the UN has slimmed the numbers of data centres, websites, and applications it runs, updating email, security, and other infrastructure. It has also moved more systems from in-house to commercial providers and the Cloud.
The reforms involved some 4,000 IT staff, nearly 600 locations, and some $1.7 billion of annual spending across the UN’s secretariat and field missions. But progress was mixed, according to a 2018 review. An audit found that a project to check the security of 1,462 UN websites and applications flopped: only one website had been properly assessed.
Dujarric said the UN had “implemented a comprehensive containment, mitigation and recovery plan” in response to this latest hacking incident. “This included rebuilding significant elements of the infrastructure, and replacement of keys and credentials,” he said.
Dujarric said a UN cybersecurity action plan had been endorsed in December 2019. “Additional technical and procedural controls have been implemented to further strengthen information security for the affected offices,” he added.
The attack began thanks to a basic error. Hackers were able to get into a server in Vienna because its software had not been updated. The severe flaw in the Microsoft SharePoint system allows an attacker to bypass the login process and issue system-level commands. After it was discovered by security researchers, Microsoft provided a fix on 25 April.
According to UN policy, IT staff should have installed the update – or “patch” – within a month. Dujarric, the UN spokesperson, confirmed that had not happened.
From that starting point, the hackers navigated within the UN’s networks, reaching the UN Office at Geneva on 15 July and the OHCHR headquarters later that month.
Given the number of SharePoint sites in large institutions, security researcher Kevin Beaumont had predicted in May: “I think this will be one of the biggest [vulnerabilities] in years.” After reviewing the UN report, he said “Organisations need to urgently review their patching of this SharePoint vulnerability, as it represents an open window at many organisations worldwide still.”
Once inside the UN’s network, attackers gained domain administrator access to affected offices, staffed by 4,000 people, and compromised at least 42 servers in Geneva and Vienna, according to the report. Another 25 servers may have also been affected. Although like-for-like comparisons are inexact, the total could represent five percent of the UN’s total number of 679 servers, according to a 2017 global inventory.
Who was behind the attack?
At the request of TNH, cybersecurity researcher Kevin Beaumont reviewed the report and said the attack “has the hallmarks of a sophisticated threat actor”.
“Threat actors” can run from a disgruntled employee to a superpower’s intelligence operation, as described in this Canadian government briefing. “Nation-states are frequently the most sophisticated threat actors, with dedicated resources and personnel, and extensive planning and coordination,” it explains.
The UN has long been a target of spies and hackers: even by its own account, it has often been subjected to highly sophisticated attacks, both on- and off-line. WikiLeaks documents, for example, detailed US attempts to gather the DNA of the UN’s top official.
In this case, the UN said it didn’t have enough information to attribute responsibility for the attack.
Analysts and human rights groups say this attack highlights the threats the institution faces, and a need to tighten up its cybersecurity given the growing volume, range, and sensitivity of the data it holds.
Taylor, the data researcher, questioned the appropriateness of diplomatic immunity.
“The UN has privileges and immunities only in relation to its mission,” she said. “They are supposed to guard it from political challenges.” In the case of a data breach, she added, “it is hard to imagine how the privileges and immunities might come into play.”
Hosein, the executive director of Privacy International, hoped revelations about the incident and the way it was handled might have a salutary effect on UN cybersecurity.
“If there are no consequences for the [UN] agencies for failures like these, they will build more problematic systems, and there will be more breaches, and nobody will ever know,” he said.
For Taylor, if such incidents continue to be covered up, things may not improve. “Without transparency,” she said, “no one will be motivated to push for change.”