The e-mail addresses and account passwords for more than one thousand United Nations staff and other users of a UN development Web site were leaked online by the hacking group TeamP0ison, which has been linked to past attacks on governments in the U.S. and India.
The information, comprising was posted to the online file sharing site Pastebin.com on Monday, along with a message castigating the UN as a “Senate for Global Corruption,” a “fraud” and a “beast that must be stopped.”
Many of the pilfered addresses and passwords are for accounts belonging to the United Nations Development Programme (UNDP), the UN’s primary agency for promoting economic development around the world. However, e-mail addresses and passwords for users representing a wide range of other governments were also caught up in TeamP0ison’s haul, including those for government employees working in an assortment of agencies of the British, Venezuelan, Spanish, Finnish, Israeli and Dutch governments. Those addresses and passwords could open those agencies to follow-on hacks.
The exact motive for the attack is unclear, as are the methods used to obtain the e-mail addresses and passwords. A spokeswoman for UNDP was not able to immediately comment on the leak. However, a Twitter account associated with TeamP0ison was used to claim responsibility for the attack, and a YouTube video was posted linking the compromise to the group.
The UN has come under scrutiny before for allowing gaping holes in its cyber defenses. In one instance, a SQL injection vulnerability that was used to deface a UN Web site was left unpatched for three years after the attack took place.
Not much is known about TeamP0ison, though the group appears to be led by a hacker known as “TriCk,” to be based in the UK and to have allegiances with other Pakistani and Muslim-affiliated hacking groups. TeamP0ison claimed credit for past attacks on Indian government Web sites and for the leak of confidential contact information from the UK Ministry of Defense and Australian government agencies.