In the wake of a highly visible hack of its network infrastructure, a spokeswoman for the United Nations Development Programme (UNDP) says that hackers from the group TeamP0ison compromised an unpatched server and that e-mail addresses and account passwords exposed in the attack were outdated.
Staff at UNDP located the source of the attack: a server that dated to 2007 and took it off line, according to Sausan Ghosheh, a UNDP spokeswoman. The announcement came one day after members of the underground hacking group TeamP0ison posted hundreds of e-mail addresses and passwords online that they claimed to have taken from a UNDP server. Ghosheh said the passwords were no longer valid.
TeamP0ison has been linked to past attacks on governments in the U.S. and India. The information, comprising a list of e-mail addresses and passwords was posted to the online file sharing site Pastebin.com on MOnday, along with a message castigating the UN as a “Senate for Global Corruption,” a “fraud” and a “beast that must be stopped.”
Many of the pilfered addresses and passwords were for accounts belonging to the United Nations Development Programme (UNDP),the UN’s primary agency for promoting economic development around the world. However, e-mail addresses and passwords for users representing a wide range of other governments were also caught up in TeamP0ison’s haul, including those for government employees working in an assortment of agencies of the British, Venezuelan, Spanish, Finnish, Israeli and Dutch governments.
The UN has come under scrutiny before for allowing gaping holes in its cyber defenses. In one instance, a SQL injection vulnerability that was used to deface a UN Web site was left unpatched for three years after the attack took place.
