United Nations Says Attackers Breached Its Systems

Brokers With Ransomware Ties Advertised Access to UN ERP and Also NATO Systems
The United Nations flag. (Photo: Sanjitbakshi via Flickr/CC)

The United Nations says that its networks were accessed by intruders earlier this year, leading to follow-on intrusions. One cybercrime analyst reports that he'd alerted NATO after seeing access credentials for one of its enterprise resource planning software systems being offered for sale via the cybercrime underground.

"Unknown attackers were able to breach parts of the United Nations infrastructure in April," the U.N. says.

"The United Nations is frequently targeted by cyberattacks, including sustained campaigns," it adds. "We can also confirm that further attacks have been detected and are being responded to that are linked to the earlier breach." The intrusions were first reported Thursday by Bloomberg.

The breach highlights the extent to which many major governments and governmental organizations need to enhance their cybersecurity posture, says Alex Holden, CTO for Hold Security, which is a Wisconsin-based consultancy that analyzes the cybercriminal underground.

"Improvements are needed as Russian cybercriminals are not only attacking the United States or European Union but now they are targeting global government organizations," he says.

Indeed, Holden says that in March, one of the same groups that acquired access credentials to the U.N. also tried to sell credentials for a cybersecurity portal belonging to the North Atlantic Treaty Organization, or NATO.

Access Credentials for Sale

Although the U.N. says the intrusion occurred in April, the initial access appears to date back to at least February, Holden says, based on when a threat actor privately offered for sale access credentials to Umoja, which is the U.N.'s enterprise resource planning software.

Umoja is used for a variety of business processes tied to finance, human resources and administration. Umoja's web page reports that it has some 46,000 users in nearly 450 locations.

After seeing the advertisement for U.N. credentials, Holden says that his firm notified the U.N. in February, via a partner. The sale of the access credentials was a private offer, and at that time there was no advertisement on a dark web forum, where such credentials are often traded and sold, Holden says.

February advertisement for access credentials to the U.N.'s Umoja system (Source: Hold Security)

In April, a different broker offered another set of access credentials for Umoja, Holden says. That broker is known to supply access credentials to the Nefilim ransomware operation. Holden says he suspects that this initial access broker passed the U.N. credentials to Nefilim. Many ransomware operations have close ties with access brokers, to enable them to cost-effectively target a large number of victims in search of higher profits.

The attackers' entry point could have been the U.N.'s Citrix technology, since the U.N. used Citrix as an access layer leading to Umoja. As New Zealand's national computer emergency response team warned last year, Nefilim was targeting organizations that use unpatched or poorly secured Citrix remote access technology (see: Nefilim Ransomware Gang Tied to Citrix Gateway Hacks).

An initial access broker close to the Nefilim ransomware group offered this screenshot as proof it had gained access to Umoja in April. (Source: Hold Security)

Once again, Holden's firm notified the U.N. about the apparent breach and credential theft, via a partner. Holden reports that the access broker was still trying to sell the credentials as late as July.

Bloomberg reports that another cybersecurity consultancy, Los Angeles-based Resecurity, also saw the Umoja credentials for sale and warned the U.N.

The U.N. says that it was already aware of the problems when it was contacted by Resecurity "and corrective actions to mitigate the impact of the breach had already been planned and were being implemented." It says it thanked Resecurity at the time "for sharing information related to the incident and confirmed the breach."

NATO Adopts MFA for ERP System

How two different groups were able to capture login credentials for Umoja isn't clear. But Holden says a likely method would have been phishing attacks, in which users get tricked into revealing their login credentials.

Holden notes that at the time the credentials were stolen, NATO didn't appear to have configured Umoja to use two-step verification. In such a system, a user is required to enter what is usually a six-digit, time-sensitive code, generated via an app or delivered via an SMS message, which helps block the use of stolen credentials.

Since the intrusions, however, the U.N. has moved to a different authentication system for Umoja, switching from United Identity - also known as the Enterprise Identity Management Service - to Microsoft's Azure. In an undated blog post, the U.N. notes that the move to Azure would allow single sign-on to be enabled with Office 365.

"Azure supports multi-factor authentication, which reduces the risk of cybersecurity breaches," according to the blog post.

Prior to the move to Azure SSO, U.N. users with access to Umoja were already using MFA to log into Office 365 so "users who have signed in to Office 365 or Umoja on their browsers will benefit from SSO, eliminating the need to login separately to these solutions," the blog post says.

NATO Also Hit

In March, Holden says the access broker close to Nefilim was also selling access credentials for a computer system affiliated with NATO's Cyber Security Center. Again, he suspects the broker will have passed those credentials to Nefilim.

The Nefilim group offered this screenshot as proof of access to a NATO computer system. (Source: Hold Security)

The credentials were being sold for $300 through private channels, Holden says. The credentials purportedly provided access to NATO's Cyber Security Service Line portal.

ISMG notified NATO's communication department of the situation March 5. The department thanked ISMG and said it would investigate.

About the Author

Jeremy Kirk

Executive Editor, Security and Technology, ISMG

Kirk was executive editor for security and technology for Information Security Media Group. Reporting from Sydney, Australia, he created "The Ransomware Files" podcast, which tells the harrowing stories of IT pros who have fought back against ransomware.
