The United Nations confirmed on Wednesday that its offices in Geneva and Vienna were targeted by a hacker group, compromising dozens of servers. The full extent of the breach and the identity of the attackers remain unknown, but the international organization said the hackers might have gained access as early as July, 2019.
How the Cyberattack Happened
Information about the attack came to light when The New Humanitarian (TNH), a news agency focusing on humanitarian stories, acquired a confidential document that confirmed hackers had infiltrated multiple servers across UN’s Geneva and Vienna offices.
When the hack was detected in August, employees in the affected offices were asked to change passwords. An alert was issued by UN’s Geneva offices to tech teams saying, “We are working under the assumption that the entire domain is compromised. The attacker doesn’t show signs of activity so far, we assume they established their position and are dormant.”
The UN decided to keep this information from the public until TNH broke the news. The hackers were able to gain access to UN servers using a known vulnerability (CVE-2019-0604) in the Microsoft SharePoint server. The malware and mechanism that was used by the hackers to carry out the attack remain unknown. Incidentally, Microsoft had disclosed this vulnerability and rolled out the patch way back in March 2019.
Damage from the Breach
In a statement, UN spokesman Stephane Dujarric said that the full extent of the attack is still not clear. Three UN offices were affected: the UN Office at Geneva, the UN Office at Vienna, and the UN Office of the High Commissioner for Human Rights (OHCHR) headquarters in Geneva. A report by the Associate Press mentions that 42 core servers were compromised and another 25 were deemed suspicious, mostly at the Geneva and Vienna UN offices. The core infrastructure affected included systems for user and password management, system controls, and security firewalls.
This would have given hackers access to usernames and passwords of employees. The scope of exposure could have extended to internal documents, databases, emails, commercial information, and personal data. Though the UN has not made any statement on how much data was exfiltrated, the TNH report claims that approximately 400 GB of data might have been downloaded. The attack may have far-reaching implications for close to 4000 employees who work in the affected offices.
Learnings from the United Nations Cyberattack
International organizations like the UN have been targets for state-sponsored attacks. Over the last decade, hackers have begun using sophisticated techniques to gain access and remain undetected for months. Commonly known Advanced Persistent Threats or APTs, attackers using this form of attack lay dormant for long periods and do reconnaissance to find open ports and firewall gaps that allow them to access critical servers, databases, and applications.
According to the Ponemon Institute’s 2019 Cost of a Data Breach Study, the average time to detect a data breach is 206 days. It is evident that the current state of security, which is largely reactive, has to change if organizations and businesses are serious about defending their data, applications, and intellectual property.
When hackers are proactively finding new ways to exploit vulnerabilities, it makes sense for security to also take a proactive stance. Here’s what you can make your security proactive:
Reduce the Attack Surface
Hackers use land and expand strategy, and all that is needed for them to get inside the perimeter is one click on a malicious link. It’s virtually impossible to keep all attacks at bay. There will be some that get through. The best strategy is to ensure that the attack surface is minimal, which can be achieved using micro-segmentation to separate environments and isolate critical servers and applications. With an increasing number of applications moving to the cloud, choose a solution that can protect both data center and cloud workloads.
Protect your Endpoints
Antivirus and anti-malware software used in most systems rely on a directory of signatures that is updated over regular intervals. It can only protect against the known and is completely vulnerable to zero-day threats or unknown malware strains. Adopt proactive endpoint protection solutions that allow process-level control and lockdown endpoints and servers. Also, make sure your endpoint security is capable of protecting unpatched and unsupported legacy systems.
Conduct Cyber Hygiene Education
Human error is the only security vulnerability which probably has no permanent fix. However, regularly communicating with employees on cyber hygiene practices can significantly reduce social engineering and phishing attacks. Employees need to be educated on how to identify suspicious emails with malicious links and attachments. Over time, this leads to a more cyber-aware work culture within your company making it tougher for attackers to get into the network.
The consequences of the attack on the UN have yet to fully unfold, but the breach does serve as a valuable learning opportunity and a strong case to adopt a proactive security approach across all network layers.