Hackers have been inside the United Nations network for months. According to a report from Bloomberg, stolen credentials of a UN employee were sold on the Dark Web for as little as $1,000. The report claims that Russian-speaking cybercriminals sold access to the UN systems for months—from April through August of 2021.
Wearing a Bullseye
Much of the threat landscape is indiscriminate. Attackers often use automated scanners to find vulnerable systems and spray-and-pray techniques to launch attacks. Some attacks are targeted, though, and some targets are more valuable than others. From a geopolitical standpoint, the United Nations is a high-profile target with one of the biggest breach bullseyes on its back of any organization in the world.
What I am somewhat surprised by in this latest breach is that it took place when the attackers used stolen credentials lifted from a Dark Web site. Credentials get compromised or stolen all the time. That’s why it’s a good idea to require users to change passwords regularly and/or implement multi-factor authentication so a stolen password alone won’t allow unauthorized access. It’s also a good idea for organizations to keep an eye on the Dark Web and monitor for any activity related to their networks or users.
The bottom line is that a stolen password should not enable attackers to gain access for months—especially not just a username and password alone. The UN is no different from any other public or private defender: it must improve training, preparation and awareness, and the ability to detect malicious activity much earlier, to reduce risk. Companies need to build stronger resilience to malicious activity, ensure that the blast radius of payloads is minimized, and generally use peace time to foster anti-fragility. It’s about how we adapt and improve every day.
Compromise vs. Breach
Overall, there's no shame in being attacked, and disclosing it properly is laudable. There's a world of difference between an infrastructure compromise, where a nation state, rogue group or hacktivist is able to infiltrate a network, and an information or material breach that causes damage.
For a target like the UN, there is more value in persistence than in damage. Nation-state backed organizations often work diligently to obscure their activity and maintain persistence within a targeted organization’s network. They spend much more time hiding their presence than stealing data, because specific information on any member country of the United Nations can fetch a pretty penny on the Dark Web—like the username and password used in this instance.
The scope and impact of cyber threats continue to grow. Attackers work around the clock to identify weaknesses to exploit and to develop creative new tactics, techniques, and procedures, so organizations and cybersecurity professionals need to be at least as diligent in improving defenses.
Effective cybersecurity starts with the basics—following established security best practices and implementing policies around identity and access management to prevent an attack like this—or at least minimize its impact. Beyond that, organizations need to have tools in place that provide an operation-centric point of view—an ability to see the whole attack from end-to-end, along with the context necessary to take action and stop it in its tracks before damage is done.
About the Author
Sam Curry is CSO at Cybereason and is a Visiting Fellow at the National Security Institute. Previously, Sam was CTO and CISO for Arbor Networks (NetScout) and was CSO and SVP R&D at MicroStrategy, in addition to holding senior security roles at McAfee and CA. He spent 7 years at RSA, the Security Division of EMC, as Chief Technologist and SVP of Product. Sam also has over 20 patents in security from his time as a security architect, has been a leader in two successful startups, and is a board member of the Cybersecurity Coalition, of SSH Communications and of Sequitur Labs.