United Nations’ HQ in New York HACKED after criminals bought stolen password off the dark web


Hackers have been gathering data from the United Nations’ internal system since April, using an employee’s stolen login credentials that have been sold on the dark web for as little as $1,000.

The combination of username and password was sold by multiple Russian-speaking cybercriminals as late as July, but the identity of the hackers and their explicit purpose is still unknown.

The credentials offer access to the organization’s project management software Umoja. The entry point provides valuable insight into government and humanitarian work across the globe.

The UN, which is in constant contact with high-powered nations and companies, has been targeted by state-directed hackers before, but everyday cybercriminals are now going after large companies and organizations with the goal of selling access to highly coveted information.

Hackers gathered data from the United Nations through the organization’s project management software Umoja. Above, UN headquarters in New York City

A login was offered for as little as $1,000 by multiple Russian-speaking cybercriminals on the dark web, according to one cybersecurity expert. The purpose of the hack is unknown

A login was offered for as little as $1,000 by multiple Russian-speaking cybercriminals on the dark web, according to one cybersecurity expert. The purpose of the hack is unknown

Hackers gained access to the UN system on April 5 and were still active in the network a month ago, according to Bloomberg. 

‘Organizations like the UN are a high-value target for cyber espionage activity,’ said Gene Yoo, the CEO of Resecurity, a cybersecurity firm that says it discovered the breach.

‘The actor conducted the intrusion with the goal of compromising large numbers of users within the UN network for further long-term intelligence gathering.’ 

Yoo told DailyMail.com that his firm alerted the UN about a breach in July after ‘monitoring’ the Dark Web.

The UN responded that the hackers had only taken screenshots, but when the firm alerted them to stolen data, the organization stopped talking to them, Resecurity says.

On Thursday, a UN spokesman said the organization was  aware of the hack before Resecurity told them about it. He also said the UN has detected even more breaches.

‘This attack had been detected before we were notified by the company cited in the Bloomberg article, and corrective actions to mitigate the impact of the breach had already been planned and were being implemented,’ UN spokesman Farhan Haq wrote in an email shared with DailyMail.com.

‘At that time, we thanked the company for sharing information related to the incident and confirmed the breach to them.

‘The United Nations is frequently targeted by cyberattacks, including sustained campaigns. We can also confirm that further attacks have been detected and are being responded to, that are linked to the earlier breach.’

In 2018, Dutch and British law enforcement stopped Russian hackers from gaining access to the Organization for the Prohibition of Chemical Weapons, which frequently cooperates with the United Nations.

The organization was investigating the March 2018 poisoning of Sergei and Yulia Skripal, a Russian double-agent for British intelligence and his daughter, who was in England at the time. The attack left them both critically ill.

Colonial Pipeline paid more than $4 million in ransom to a hacker group that stopped their services in May until they got paid. More than half of the ransom was eventually recovered

Colonial Pipeline paid more than $4 million in ransom to a hacker group that stopped their services in May until they got paid. More than half of the ransom was eventually recovered

Close to 50 million former, prospective and current T-Mobile customers had their IDs and social security numbers exposed in a huge breach revealed in August

Close to 50 million former, prospective and current T-Mobile customers had their IDs and social security numbers exposed in a huge breach revealed in August

In April, four Russians were caught with spying equipment at a hotel next to the OPCW, according to Reuters.

In October, the US Department of Justice indicted seven Russian intelligence (GRU) officers, four of whom allegedly took part in the planned hack. In 2020, the DOJ charged six hackers from the GRU for that and other breaches, including an attempt to disrupt the 2017 elections in France. 

In 2019, dozens of UN servers were breached by unknown actors, including some at the UN human rights office, which collects sensitive data and has often been a lightning rod of criticism from autocratic governments for exposing rights abuses, according to the Associated Press.

‘Traditionally, organizations like the United Nations have been targeted by nation state actors, but as cybercriminals are finding ways to more effectively monetize stolen data and as access to these organizations is more frequently available for sale by initial access brokers, we expect to see them increasingly targeted and infiltrated by cybercriminals,’ Allan Liska, a senior threat analyst at Recorded Future, told Bloomberg about the latest breach. 

The UN credentials were being sold in combination with dozens of usernames and passwords to various organizations for just $1,000, said Mark Arena, chief executive officer of security-intelligence firm Intel 471, in an interview with Bloomberg.

The credentials were marketed by multiple Russian-speaking cybercriminals, he said.

‘Since the start of 2021 we’ve seen multiple financially motivated cybercriminals selling access to the Umoja system run by the United Nations,’ Arena said. 

‘These actors were selling a broad range of compromised credentials from a multitude of organizations at the same time. In a number of previous occasions, we’ve seen compromised credentials being sold to other cybercriminals, who have undertaken follow up intrusion activity within these organizations.’ 

Cybercriminals have targeted large operations before, sometimes holding their networks hostage for money.

In June, the Justice Department announced it had seized more than half of the $4.4 million ransom payment to DarkSide hackers.

The group interrupted access to Colonial Pipeline’s systems on May 7 until it was paid, triggering fuel shortages and panic buying at the pump.

Last month, T-Mobile announced that close to 50 million current, former and prospective US customers had their names, social security numbers, and IDs stolen by a ‘bad actor’ who snaked into the company’s system and allegedly posted the data for sale on an ‘underground forum.’ 

Motherboard reported that a hacker was selling a subset of the data with 30 million customers’ Social Security numbers and drivers’ licenses for six Bitcoin, or $270,000. 

Read more at DailyMail.co.uk