Arkansas Democrat-Gazette

Hackers breached U.N. networks

’19 attack targeted servers for 3 offices, document shows


GENEVA — Sophisticated hackers infiltrated U.N. networks in Geneva and Vienna last year in an apparent espionage operation that top officials at the world body kept largely quiet. The hackers’ identities and the extent of the data they obtained are not known.

An internal, confidential document from the United Nations, leaked to The New Humanitarian news agency and seen by The Associated Press, says dozens of servers were compromised, including at the U.N. human-rights office, which collects sensitive data and has often been a lightning rod for criticism from autocratic governments for exposing rights abuses.

Knowledge of the breach was closely held, a strategy that information security experts consider misguided because it only multiplies the risks of further data hemorrhaging.

“Staff at large, including me, were not informed,” said Geneva-based Ian Richards, president of the Staff Council at the U.N. “All we received was an email [on Sept. 26] informing us about infrastructure maintenance work.” The council advocates for the welfare of employees of the world body.

Asked about the intrusion, one U.N. official told the AP that it appeared “sophisticated” and that the extent of the damage was unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke only on condition of anonymity to speak freely about the episode, said systems have since been reinforced.

Given the high skill level of the operation, it is possible a state-backed actor was behind it, the official said. “It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” the official added. “There’s not even a trace of a cleanup.”

The leaked Sept. 20 report says logs that would have betrayed the hackers’ activities inside the U.N. networks — what was accessed and what may have been siphoned out — were “cleared.” It also shows that among the accounts known to have been accessed were those of domain administrators — who by default have master access to all user accounts in their purview.

But Jake Williams, CEO of the cybersecurity firm Rendition Infosec and a former U.S. government hacker, said the fact that the hackers cleared the network logs indicates they were not top-flight. The most skilled hackers — including U.S., Russian and Chinese agents — can cover their tracks by editing those logs instead of clearing them.

“The intrusion definitely looks like espionage,” said Williams, noting that the Active Directory components — where all users’ permissions are managed — from three different domains were compromised: those of U.N. offices in Geneva and Vienna and of the Office of the High Commissioner for Human Rights.

“This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report. “The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them.”

Any number of intelligence agencies from around the world are likely interested in infiltrating the U.N., Williams said.

The hack was not severe at the U.N. human-rights office, said its spokesman, Rupert Colville.

“We face daily attempts to get into our computer systems,” Colville said. “This time, they managed, but it did not get very far. Nothing confidential was compromised.”

U.N. spokesman Stephane Dujarric said the attack “resulted in a compromise of core infrastructure components” and was “determined to be serious.” The earliest detected activity related to the intrusion occurred in July, though the attack was actually detected in August, he said in response to emailed questions.

He said the world body does not have enough information to determine the perpetrators but added that “the methods and tools used in the attack indicate a high level of resource, capability and determination.”

“The damage related to this specific attack has been contained, and additional mitigation measures implemented,” Dujarric wrote. “Nevertheless the threat of future attacks continues, and the United Nations Secretariat detects and responds to multiple attacks of various level of sophistication on a daily basis.”

The internal document from the U.N. Office of Information and Communications Technology said 42 servers were “compromised” and another 25 were deemed “suspicious,” nearly all at the Geneva and Vienna offices. Three of the “compromised” servers belonged to the human-rights agency, which is across the city from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.
