Stolen Credentials Led to Data Theft at United Nations

Threat actors used stolen credentials to log into the organization’s proprietary project management software, Umoja, in April, then moved into the wider network and stole information that can be used in further attacks.

A threat actor used stolen credentials from a United Nations employee to breach parts of the UN’s network in April and steal critical data, a spokesman for the intergovernmental organization has confirmed.

The data lifted from the network can be used to target agencies within the UN, which already has experienced and responded to “further attacks” linked to the breach, Stéphane Dujarric, spokesman for the UN Secretary-General, told Bloomberg, which broke the news in a report published Thursday.

“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” Dujarric said, according to the report. “The United Nations is frequently targeted by cyberattacks, including sustained campaigns.”


The UN has been hit before. In January 2020, the operators behind the notorious Emotet malware took aim at the organization with a concerted phishing campaign intended to steal credentials and deliver the TrickBot trojan. A separate breach disclosed that same month was traced to an unpatched Microsoft SharePoint flaw that let attackers make off with roughly 400 GB of sensitive data.

Lack of 2FA Allowed Breach

The stolen credentials at the center of the latest attack belonged to an account on the UN’s proprietary project management software, called Umoja, according to the report.

The user of the account apparently had not enabled two-factor authentication (2FA), so a valid username and password were all the attackers needed to log into the software and move deeper into the network from there, security firm Resecurity told the UN, according to the report. Resecurity discovered the attack earlier this year.

Indeed, the attack highlights why relying on a username/password combination alone to guard entry into a system on an organization’s larger network is so dangerous, particularly for an organization whose sensitive business should demand stringent security, one security expert said.

“This is a very good example of why passwords as a credential are bad,” Baber Amin, COO of security firm Veridium, said in an email to Threatpost.

While it’s not clear if attackers obtained UN-specific credentials or if the user was re-using credentials from another account, eliminating the use of passwords from as many systems as possible could be one way to solve the problem, he said.

“If that is not possible, multi-factor authentication should be implemented for all access,” Amin said. “MFA has become easy to implement over the last few years, and it should be the default.”

Months of Lateral Movement

Attackers were active on the UN network for at least four months, with the original network access occurring on April 5 and intruder activity still detected as of Aug. 7, researchers said.

This lateral movement also could have been limited by the basic practice of least privilege: establishing a hierarchy of privilege within applications on the network and giving users access only to the assets they need to do their job and nothing further, Veridium’s Amin asserted. A compromised account that can reach only its own application offers an attacker far less room to roam.

“This means that each person has the minimal level of trust granted for the task at hand,” he said.

Upon discovery of the breach, Resecurity informed the UN and worked with the organization’s security team to investigate. However, Dujarric said that UN officials already knew of the attack when the security firm got in touch with them, according to the report.

While UN officials told Resecurity that hackers had only performed reconnaissance on the network in the form of taking screenshots, the security firm provided proof to the organization that data also had been stolen. The UN halted communications with Resecurity after that, according to the report.
