Even the United Nations has been the victim of a hacker attack, likely supported by some enemy state, last summer. The organization did not reveal the details and severity of the attack until Associaded Press and The New Humanitarian managed to get hold of internal documentation detailing the situation.
The fact dates back to last July, when a group of hackers was able to take advantage of a flaw in Microsoft SharePoint to convey an unknown type of malware that subsequently allowed to gain access to various UN server systems – Associated Press speaks of "dozens" – located in the offices of Geneva and Vienna, as well as in the headquarters of the High Commissioner for Human Rightsthe. The three offices employ around 4000 staff members overall.
"The attack resulted in the compromise of key infrastructure elements. Given that it may not be possible to determine the exact nature and purpose of the incident, the United Nations has decided not to publicly disclose the violation," said a spokesman for the UN to The New Humanitarian.
Associated Press then reports the opinion of Jake Williams, a hacker formerly in the pay of the US government, who supports that the intrusion has the traits of an espionage action. Hackers would have tried to cover the tracks by deleting the logs that would document their access to the UN servers. "It is as if someone walking on the sand was sweeping the footprints with a broom," an anonymous UN official told AP. "There is not even a trace of the cleaning operations".
Hackers allegedly downloaded around 400GB of data. The servers they hacked contained sensitive employee data, although it was not possible to clearly determine what the hackers were able to download. Among other things, the United Nations is not yet aware of the extent of the damage. Some time after the attack, the UN communicated to employees of change their password, without however sharing the details on the situation.
According to The New Humanitarian, the only UN diplomatic position on the matter that is not obliged to reveal violations like other government agencies in the United States or the European Union: a policy that is clearly in contradiction with recognized cybersecurity best practices.
