UN Leak Says Hack Could Have Been Avoided Easily But No One Accountable Under Guterres

By Matthew Russell Lee, Exclusive, Patreon

UN GATE, Feb 6 – Amid the flurry of interest in the UN covering up having been hacked, Inner City Press nine days ago noted that the UN has in the past not waited to cover up a hack but instead straight up gave information about activists to China - and at least one of the activists was killed.

Then the retaliation began, against the whistleblower and against Inner City Press which reported on it. Now on February 6, Inner City Press exclusively reported this leak about the hack, that the UN internally says could easily have been prevented. So who will be held accountable? It should be the king of impunity, Antonio Guterres.

Here is today's UN leak to Inner City Press, more forthcoming:

"From: Thomas Braun braunt [at] un [dot] org
Sent: Wednesday, February 5, 2020 10:34:19 PM
Subject: Reported cybersecurity incident [to all ICT Managers, Information Security Focal Points and BRMs/TSAs]

Dear colleagues,

I assume that you are all aware of last week’s press reports about a cybersecurity incident affecting UNOV, UNOG and OHCHR. The response to the incident was managed by the affected offices, with UNOG / RTC-Europe taking a coordination role, but I want to provide a very brief summary and share some key lessons.

The incident began with the compromise of a server in UNODC that was missing a critical security update. From there the attackers gained access to, and compromised further servers and infrastructure components of the network in both UNOV/UNODC and UNOG. The compromise was detected several weeks later at OHCHR. Containment, and other incident response measures were initiated immediately after the incident was detected.

As soon as it became apparent that accounts from the UNOV were implicated, OICT was informed as well, and we provided support with the forensic analysis and detailed instructions for the required recovery steps. While the exact extent of the damage is unknown, with respect to UNOG and UNOV the incident was determined serious, and the recovery required the rebuilding of core infrastructure components and resetting of passwords.

As publicly reported, the initially compromised server was a SharePoint on-premises server. However, the reason it was compromised was a procedural failure to install a critical security update; there is no inherent security weakness or issue specific to that technology.

With respect to key lessons, the incident highlights the importance of compliance with established information security and ICT operational policies:

1. The initial compromise could have been easily prevented if the relevant security update had been applied. Microsoft publishes security updates on the second Tuesday of every month and the OICT Cybersecurity Service releases advisories for these and other security updates. These advisories are distributed by email, and are also published in the CyberSec Advisory channel in Teams. The Teams channel is accessible to all users in the UN Secretariat, please let me know if you want to be added to the email group.

2. The initial compromise could have been contained, if it had been detected and responded to in a more timely manner. An intrusion detection system has been deployed in some locations, and it is essential that all alerts are followed up on as soon as they are received. In addition, logs of critical systems should be reviewed to detect anomalous or suspicious activity. Once an incident has been detected or reported the OICT Cybersecurity Service can provide assistance and instructions to ensure a timely containment and mitigation of underlying risks.

3. The spread of the intrusion both within and between locations could have been mitigated if adequate network segmentation had been implemented. The need to segment the historically “flat” network architecture had been included in the ten-point action plan (2013), and the lack of network segmentation is a common root cause in the large scale incidents that affected the Secretariat in recent years.

Unfortunately, attacks like the one that led to this incident are very common, and we will continue to see such breaches unless we significantly improve compliance in these areas. I hope this incident serves as a wake-up call.

Best,
Thomas P. Braun
Chief, Cybersecurity Section
Office of Information and Communications Technology
United Nations
UNHQ FF-0776 Phone: +1.917 367 2671 | Mobile: +1.917 324 1047"

In 2018, just before being ousted from the UN by Guterres and UN Lt Ronald E. Dobbins, Stephane Dujarric and now Melissa Fleming, Inner City Press published this, and later in 2019 from the UN Gate, this and this.

The quoted David Kaye - after wanly raising to the UN questions about its ouster of Inner City Press, what follow up did he do?

The explanation of all of this shameful lassitude is that those few who want to cover and enter the UN will do anything for access, and when they see that a vindictive access controller like Antonio Guterres will not change position, they just let the issues go.

Profiles in Cowardice, and the continuing decline of the UN. We'll have more on this.

Copyright 2006-2020 Inner City Press, Inc. To request reprint or other permission, e-contact Editorial [at] innercitypress.com for