Report of new hacking attack on UN websites in Asia — another "cyber rattle"

Darren Pauli of Computerworld Australia is reporting that “The United Nations (UN) has been hit by a string of hacking attacks aimed at identity and credit card theft, and building botnet hordes. The attack on the UN Asia Pacific website is believed to originate from the same group responsible for attacks on the US-based Biotechnology Information Organization and the prominent Indian Syndicate Bank. The financially-motivated incursions, launched from the same remote location, infected a server common to all three websites and downloaded a Trojan to visitor computers via drive-by attacks…”

The report continues: “A keylogger and a Trojan were downloaded to visitor computers, flagged by an online scanner as positive to multiple Microsoft vulnerabilities, via hidden Java iFrames which is an old trick to refer visitors to a compromised server. The Trojan maintains a backdoor, allowing attackers to monitor and hijack user machines to steal valuable user data, and turn the computer into a zombie as part of a botnet horde. Websense Australia and New Zealand country manager, Joel Camissar, said such attacks exploit remote servers with weak security and typically target common brand names to maximise exposure.
‘The groups will target ISPs which don’t have sufficient security, common brands of servers, and servers in locations without tight controls or law enforcement,’ Camissar said. ‘Typical scanners [used in attacks] only scan for one vulnerability but this looked for multiple exploits. We informed the authorities whose job it is to pursue them, shut down their servers and bring them to justice’. The attack executed the malicious e.js JavaScript file to create two additional iframes, and did not trigger any Java or antivirus alerts. Websense discovered the attack on The United Nations Aids and HIV Web portal after scanning 600,000 web pages as part of routine malware detection. Camissar said it is unknown if the group is responsible for more attacks.”
The full story can be found here.

Here are comments from a UN spokesperson on reports of an earlier hacking attack in mid-August, from the DPI Noon Briefing On Monday 13 August 2007:

“Question: Could you, and I hope I didn’t miss this, could you tell us what happened with the hacking of the UN website yesterday?

Spokesperson: Yes, well we had two attacks that occurred during the day. In the morning — it started at 9 a.m. in the morning, but we managed to get the services back shortly before 12. A number of sites were attacked — our own, the Secretary-General’s site, statements in particular, were replaced by a statement made by the hackers. It lasted a few minutes, but we managed to get them off, and change that.

We also had to change our archives and to redo, actually rebuild the whole site. However, measures have been taken for this not to occur anymore. We are very concerned that this happened. Quick action, as I said, was used to prevent damage to our own computer system, and the Department of Public Information is working with the Information Technology Services Division to prevent future occurrences.

Question: Any suspicion of an inside job?

Spokesperson: At this time we are still investigating. We don’t know. It was — the message was signed by three hackers. Of course, they were all pseudonyms. We can’t really know their names, but these are real people …

Question: Thank you. Just back to this cyber attack. There’s a certain amount of sort of crowing on various hackers’ sites, that the UN uses pretty antiquated technology and that’s how they’re able to use this fairly simple technique to get it.  And a lot of surprise expressed that such an international organization laid itself so wide open to an obvious attack. Are there any plans to sort of redo the system on which you base your website?

Spokesperson: Yes, definitely. I think one of the dangers is, of course, that, you know, the fact that we could post information so fast and so readily might be hampered by that. But of course there will be some measures taken.

Question: Did you also talk to UNEP (the United Nations Environment Programme)? Because the UNEP site in Paris was attacked as well.

Spokesperson: Yes, they also attacked the ECOSOC site. They also attacked the CyberSchoolBus site, so there were a number of sites attacked at the same time.

Question: And just on slightly similar things, like security, is it true that UNDP has hired cyber security experts to try to track who has been leaking information to journalists.

Spokesperson: That I don’t know. That I don’t know. I can check. Sure. Pardon me?

Question: Follow-up on that? Are any of the internal systems, have they been compromised in any way, you know, the financial systems?

Spokesperson: No, no.

Question: You know that for a fact?

Spokesperson: Yes. We know that for a fact. We know exactly which sites were attacked…

Question: Only the public ones?

Spokesperson: Only the public ones were attacked. Yes.

Question: All of the people were Sudanese? All of them?

Spokesperson: We have no idea what they were. Those are the names — pseudonyms — that were used. We don’t know what they are. Why are you assuming they are Sudanese?

Correspondent: [talkover]

Question: I thought everybody knew these were people representing themselves as Turks. A Turkish website, right?

Spokesperson: No, only one of them claimed to be Turkish. We don’t have yet the information, the results, of… right now, what we are doing is just protecting our sites.

Question: Are you investigating this as UN, or are you hiring in any kind of national cyber security helpers or any private companies, or something like that?

Spokesperson: Well, for the time being it’s being investigated within the house.

Question: And why were you using such an antiquated, leaky system?

Spokesperson: Well, essentially, because the UN, like the building, you know, we are improving slowly, and it takes some time.

Question: [Inaudible]

Spokesperson: Exactly. The start of it.

Question: One other thing on this cyber thing. Are you looking at this more as a nasty prank, or is this a form of cyber terrorism? And as follow-up, what is the UN doing about the issue of cyber terrorism, since one of the things the UN looks into is counter-terrorism efforts? And then I have a couple of UNDP questions.

Spokesperson: Yes, the cyber terrorism is an issue that has been discussed for a while in the house. Is this seen as cyber terrorism? I don’t know. I think it was seen more like a prank. And this was done before to other sites. The UN is not the only site, I mean, the same hackers have gone to other sites in different places. And, in fact, when you go through the names, you see the number of sites that they have invaded in the last few years — few months. It’s not just the UN.

Question: You said the same hackers have gone into other sites. Does that mean you have identified them and know who they are?

Spokesperson: No, they just have their pseudonyms.

Correspondent: The same pseudonyms.

Spokesperson: The same pseudonyms — people using the same pseudonyms. Are they the same people? I don’t know. Yes?

Question: There was a report that what was posted on the Secretary-General’s site was criticism of Mideast policy and the United States. Can you confirm that?

Spokesperson: Yes.

Question: You’re agreeing [inaudible]?

Spokesperson: I’m not saying I’m agreeing, I can simply confirm that was what happened. Yes Jonathan?

Question: The other question?

Correspondent: [talkover] …cyber issues, cyber analogies…

Spokesperson: I think the cyber is probably quite a…

Correspondent: A little cyber rattle. [Laughter]

Spokesperson: Yes, a little cyber rattle.”
This UN Noon Briefing transcript is filed here.

The journalists’ questioning continued the following day, and here is an excerpt from the UNHQ/NY’s daily Noon Briefing on Tuesday 14 August 2007:

“…We were attacked by hackers, so our site on Sunday was disturbed. We replaced the texts that were missing, but yesterday we were asked by the people in charge of our technology department, it was announced that they would shut down the whole process. So we could not post anything yesterday, which was why many of you were not aware, for instance, of the meeting that took place this morning. So there’s nothing we can do about this. We are waiting to find out when this can be totally restored.

Question: And the other piece of that question…?

Spokesperson: But you can, in the meantime, find that information in our Office.

Question: Okay. Good. And then the other piece of the question is, people online who have familiarity with security problems are discussing this situation, and watching and trying to see if there’s a way in the discussion to be helpful. I wondered if you’ve been able to get some help from that kind of discussion. Do you know?

Spokesperson: Yes, I think we are getting all the help we need on that. Thank you very much. Yes?

Question: Do you think that this attack on the UN website is a random one?

Spokesperson: Well, it has occurred before. You know, it’s not a random one, but it happens, and it’s not just the UN. It happens to several companies and several organizations throughout the world. It’s not just us…”

This daily Noon Briefing transcript is filed here.

What happened when the UN website was hacked?

Matthew Lee of Inner City Press reports:

“On the morning of August 12, just after 9 a.m. New York time, the speeches of Ban Ki-moon were replaced by an admonition to “Ysrail” and the United States — ‘dont kill children and other people’. Before the UN caught on to the hack, the news went out worldwide, complete with screenshots and a critique of the UN’s web security …

[O]nline skeptics note that the same hack could be repeated tomorrow, and that the UN is using outdated protocols: ‘you can still check the screenshot. Moreover, the hole seems not to be patched yet, thus the site could be defaced again at will: not the best order for fixing stuff, is it? While most of us may agree with the message, many will object to the spelling, and specifically to the dont used instead of don’t. There’s a technical reason for the missing apostrophe, though, because messing with this very character (‘) is part of the technique apparently used by the attackers. As you can easily verify by opening this URL, the site is vulnerable to an attack called SQL Injection. This is a very well known kind of vulnerability, fairly easy to avoid and very surprising to find in such a high profile web site. If only prepared SQL statements were used properly, this embarrassing incident would have been easily prevented. And yes, prepared statements are available even in the very obsolete ASP “Classic” + ADODB Microsoft setup they’re using’.

This is ironic, given that the UN Communications Group, at its June 21-22 meeting in Madrid, spoke at length about its desire to go high-tech — while also discussing trying to exclude bloggers in the future, click here for that. The solution should not be for the UN to become a fortress, but increase and improve its online presence and expertise, as well as its transparency. We’ll see”.

The full Inner City report is posted here.
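
The point quoted above about the apostrophe and prepared statements, shown as an added example that is not part of the Inner City Press report or the UN's code. It uses Python's built-in sqlite3 in place of the ASP "Classic" + ADODB setup named in the quote; the table, titles and function names are constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory table standing in for a site's statements archive (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE statements (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany(
        "INSERT INTO statements (title) VALUES (?)",
        [("Opening remarks",), ("Don't look away",), ("Press encounter",)],
    )
    return conn

def find_unsafe(conn, title):
    # Vulnerable pattern: the value is pasted into the SQL text, so a quote
    # character in the input ends the string literal and the rest is parsed as SQL.
    sql = "SELECT id, title FROM statements WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()

def find_safe(conn, title):
    # Prepared statement: the SQL text is fixed and the value is bound
    # separately, so it is only ever compared as data.
    return conn.execute(
        "SELECT id, title FROM statements WHERE title = ?", (title,)
    ).fetchall()

def compare(conn, title):
    """Return (unsafe_result, safe_result); a SQL error is reported as a string."""
    try:
        unsafe = find_unsafe(conn, title)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    return unsafe, find_safe(conn, title)

if __name__ == "__main__":
    db = make_db()
    # An ordinary title, a legitimate title containing an apostrophe, and an
    # input whose quote changes the meaning of the concatenated WHERE clause.
    for value in ["Opening remarks", "Don't look away", "x' OR '1'='1"]:
        print(repr(value), "->", compare(db, value))
```

The concatenated query fails outright on a legitimate apostrophe and returns every row for the third input, while the bound-parameter query treats both as plain text.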
