The Washington PostDemocracy Dies in Darkness

Hackers breached U.N. computer networks earlier this year

The intruders apparently accessed data that could be used to target some of its agencies

Hackers targeted the United Nations’ proprietary project management software and probably gained entry by purchasing employee log-in credentials from the dark Web, according to Bloomberg News. (Mike Segar/Reuters)

Hackers infiltrated the computer networks of the United Nations earlier this year, accessing data that could be used to target some of its agencies.

“We can confirm that unknown attackers were able to breach parts of the United Nations infrastructure in April of 2021,” U.N. spokesman Stéphane Dujarric said in a statement Thursday.

The announcement followed a report from Bloomberg News detailing how intruders may have obtained as much as four months’ worth of data.

Hackers targeted the U.N.’s proprietary project management software, called Umoja, and probably gained entry by purchasing employee log-in credentials from the dark Web, according to the report. Once inside, hackers were able to dive deeper into the U.N.’s network and remained active until early August, based on the findings of the cybersecurity firm Resecurity, which flagged the breach to the U.N.

International organizations like the U.N. pose high-value targets for cyberespionage and draw the interest of many foreign state actors, said Gene Yoo, chief executive of Resecurity. “The main goal of the threat actor was to perform network intrusion,” he said, and to compromise a large number of U.N. employee accounts, which later could be used to remotely access their systems and monitor or collect specific data.

“This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented,” Dujarric said.

“The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.”

The U.N. announcement follows a wave of cyberattacks that highlight vulnerabilities across the digital landscape, which have led to broader efforts to crack down on cybercrime.

This spring, a ransomware attack on Colonial Pipeline disrupted the U.S. East Coast’s fuel network, setting off panic buying and temporary gasoline shortages across several states. Weeks later, a cyberattack on the world’s largest meat supplier, JBS, threatened to knock out significant pieces of its global supply network, sparking concern over potential shortages and higher meat prices.

The breaches refocused attention on the threats posed by an increasingly digitized society, and underscored how much of the nation’s infrastructure remains exposed to cyberattacks.

Last month, President Biden called on the leaders of prominent businesses including Apple, Google and JPMorgan Chase, to do more to guard against cybersecurity threats.

“The reality is most of our critical infrastructure is owned and operated by the private sector, and the federal government can’t meet this challenge alone,” he said during the White House meeting. “You have the power, capacity and responsibility, I believe, to raise the bar on cybersecurity. Ultimately we’ve got a lot of work to do.”

The administration has pressed companies in critical sectors to step up efforts to prevent another massive disruption. Part of that effort includes encouraging tech providers to build software and devices with default security protections.

The account that hackers used to break into the U.N.’s network did not have two-factor authentication activated, according to Yoo, which is considered a basic security practice.

This year, Biden signed an executive order designed to boost the federal government’s digital defenses, directing the Commerce Department to craft cybersecurity standards for companies that sell software services to the federal government. Officials say such standards could ripple across the private sector and improve cybersecurity for critical systems.