Sophisticated hackers infiltrated U.N. offices in Geneva and Vienna last year in an apparent espionage operation, and their identity and the extent of the data they obtained are not clear.
An internal confidential document from the United Nations, leaked to The New Humanitarian and seen by the Associated Press, says dozens of servers were compromised including at the U.N. human rights office, which collects sensitive data and has often been a lightning rod of criticism from autocratic governments for exposing rights abuses.
Asked about the report, one U.N. official told the AP that the hack appeared “sophisticated” and that the extent of the damage remained unclear, especially in terms of personal, secret or compromising information that may have been stolen. The official, who spoke on condition of anonymity in order to discuss the episode freely, said systems have since been reinforced.
The skill level was so high it was possible a state-backed actor might have been behind it, the official said.
“It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” the official said. “There’s not even a trace of a clean-up.”
There were conflicting accounts, however, about the severity of the incursion.
“We were hacked,” said U.N. human rights office spokesman Rupert Colville. “We face daily attempts to get into our computer systems. This time, they managed, but it did not get very far. Nothing confidential was compromised.”
Colville’s statement appeared to contradict the leaked September report, however. It says logs that would have betrayed the hackers’ activities inside the U.N. networks — what was accessed and what may have been siphoned out — were “cleared.” It also shows that among accounts known to have been accessed were those of domain administrators, who by default have full control over every user account and computer in the domain they administer.
Jake Williams, CEO of the cybersecurity firm Rendition Infosec and a former U.S. government hacker, said the fact that the hackers cleared the network logs indicates they were not top-flight. The most skilled hackers — including U.S., Russian and Chinese agents — can cover their tracks by editing those logs instead of wiping them clean.
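Wholesale log clearing of the kind the report describes is itself a loud signal on Windows, because the operating system records the clearing as an event of its own and names the account that did it. The following script is an added illustration, not code from the U.N. report or from any party quoted in this article: it scans a constructed export of Windows event records (the host names, account names, timestamps and pipe-separated line format are all made up for the example) and flags two indicators of a cleared log: the explicit “log cleared” events, and EventRecordID sequences that run backwards, which is what a fresh log looks like after a clear even if the clearing event itself was filtered out. The records that predate the clear can only be seen here because the example assumes they had already been forwarded to a central collector; on the wiped host they would be gone.

```python
"""Flag Windows event-log clearing in exported event records.

Added example with constructed data; nothing here comes from the U.N. report.
Windows writes event 1102 in the Security channel when the Security log is
cleared and event 104 in the System channel (provider Microsoft-Windows-Eventlog)
when another log is cleared. Both carry the account that performed the clear.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Hypothetical domain-administrator accounts for this example (not from the report).
PRIVILEGED = {"CORP\\da-backup", "CORP\\da-svc"}


@dataclass(frozen=True)
class Event:
    host: str
    channel: str
    event_id: int
    record_id: int      # EventRecordID: increases within a channel until the log is cleared
    time: datetime
    account: str


def parse_line(line: str) -> Event:
    """Parse one line of the constructed export: host|channel|eventid|recordid|time|account."""
    host, channel, eid, rid, ts, account = line.split("|")
    return Event(host, channel, int(eid), int(rid), datetime.fromisoformat(ts), account)


# Constructed sample export as it might sit on a log collector. Only GVA-DC1 is wiped:
# its Security log is cleared (1102, record IDs restart at 1) and another of its logs
# is cleared a moment later (104 in System). The other hosts are normal background.
SAMPLE_LINES = [
    "GVA-DC1|Security|4624|88101|2019-07-14T02:11:05|CORP\\da-backup",
    "GVA-DC1|Security|4672|88102|2019-07-14T02:11:05|CORP\\da-backup",
    "GVA-DC1|Security|1102|1|2019-07-14T02:40:51|CORP\\da-backup",
    "GVA-DC1|Security|4624|2|2019-07-14T02:41:10|CORP\\da-backup",
    "GVA-DC1|System|104|5150|2019-07-14T02:40:53|CORP\\da-backup",
    "VIE-FS2|Security|4624|20377|2019-07-14T03:02:44|CORP\\jsmith",
    "VIE-FS2|Security|4634|20378|2019-07-14T03:30:01|CORP\\jsmith",
    "GVA-WEB1|Security|4624|7001|2019-07-14T01:00:00|CORP\\da-svc",
]


def find_log_clears(events):
    """Return (host, channel, account, privileged?) for every explicit log-clear event."""
    return [
        (e.host, e.channel, e.account, e.account in PRIVILEGED)
        for e in events
        if (e.channel, e.event_id) in LOG_CLEARED
    ]


def find_record_resets(events):
    """Per host and channel, report a record ID that goes backwards in time order.

    A log that is cleared restarts numbering at 1, so a drop in EventRecordID
    between consecutive records marks a clear even when the 1102/104 event
    itself never reached the collector. Returns (host, channel, last_time_before,
    first_time_after) for each reset found.
    """
    streams = defaultdict(list)
    for e in events:
        streams[(e.host, e.channel)].append(e)
    resets = []
    for (host, channel), evs in streams.items():
        evs.sort(key=lambda e: e.time)          # stable sort keeps export order on ties
        for prev, cur in zip(evs, evs[1:]):
            if cur.record_id < prev.record_id:
                resets.append((host, channel, prev.time, cur.time))
    return resets


def report(lines):
    """Parse an export and return both indicators keyed by name."""
    events = [parse_line(line) for line in lines]
    return {"clears": find_log_clears(events), "resets": find_record_resets(events)}


if __name__ == "__main__":
    for name, findings in report(SAMPLE_LINES).items():
        print(name)
        for f in findings:
            print("   ", f)
```

On the constructed data the script reports two explicit clears on GVA-DC1, both performed by a privileged account, and one record-ID reset in that host’s Security channel bracketing the clear. The reset check is the one worth keeping: attackers who know about 1102 may drop that single event from forwarding, but they cannot make a freshly cleared log continue the old numbering.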
“The intrusion definitely looks like espionage,” said Williams, noting that the Active Directory components, where user accounts and their permissions are managed, of three different domains were compromised: those of the United Nations offices in Geneva and Vienna and of the Office of the High Commissioner for Human Rights.
“This, coupled with the relatively small number of infected machines, is highly suggestive of espionage,” he said after viewing the report. “The attackers have a goal in mind and are deploying malware to machines that they believe serve some purpose for them.”
Any number of intelligence agencies from around the globe are likely interested in infiltrating the U.N., said Williams.
U.N. spokesman Stephane Dujarric said the attack “resulted in a compromise of core infrastructure components” and was “determined to be serious.” The earliest detected activity related to the intrusion occurred in July and it was detected in August, he said in response to emailed questions.
The internal document from the U.N. Office of Information and Technology said 42 servers were “compromised” and another 25 were deemed “suspicious” at the sprawling Geneva and Vienna offices. Three of the “compromised” servers belonged to the human rights agency, which is located across town from the main U.N. office in Geneva, and two were used by the U.N. Economic Commission for Europe.
The report says a flaw in Microsoft’s SharePoint software was exploited by the hackers to infiltrate the networks, but that the type of malware used was not known, nor had technicians identified the command-and-control servers on the internet used to exfiltrate information.
The report mentions a range of IP addresses in Romania that may have been used to stage the infiltration, and Williams said one has some neighbors with a history of hosting malware.
Technicians at the United Nations office in Geneva, the world body’s European hub, on at least two occasions worked through weekends in recent months to isolate the local U.N. data center from the Internet, reset passwords and ensure the systems were clean. Twenty machines had to be rebuilt, the report says.
The hack comes amid rising concerns about computer or mobile phone vulnerabilities, both for large organizations like governments and the U.N. as well as for individuals and businesses.