
Cyber Incident Victim: United Nations

Date: Mar 2020

Location: North Korea

Summary

A North Korean hacking group known as Kimsuky conducted persistent spear-phishing campaigns targeting officials affiliated with the United Nations, particularly members of its Security Council and the Office of the High Commissioner for Human Rights. The attackers impersonated UN security alerts and media interview requests via email and WhatsApp to deceive victims into divulging credentials or installing malware, aiming to gather intelligence on deliberations about North Korean sanctions. The operations demonstrated long-term focus on individuals with access to sensitive information, reflecting strategic objectives tied to monitoring diplomatic activities. Security analysts observed continuous targeting tactics, including the use of fraudulent domains mimicking internal UN systems to sustain espionage efforts.

Description

In March and April 2020, a North Korean state-sponsored hacking group known as Kimsuky conducted a series of cyberattacks targeting United Nations officials, particularly members of the UN Security Council and their staff. The campaign involved spear-phishing emails designed to mimic legitimate UN security alerts and requests for interviews from journalists. These messages contained malicious links directing recipients to phishing pages that harvested credentials or delivered malware payloads when opened. At least 28 UN officials were targeted during this period, including 11 individuals representing six countries on the Security Council. The attacks were first detected after an unnamed UN member state alerted the organization to suspicious activity. Subsequent analysis confirmed the involvement of Kimsuky, a group known for conducting cyber espionage operations aligned with North Korean strategic interests. Some attacks extended beyond email to include WhatsApp messages, broadening the threat surface. The campaign specifically sought access to Gmail accounts used by officials, potentially compromising sensitive communications and institutional data.

The attacks formed part of a sustained espionage effort to monitor UN decision-making processes regarding North Korean affairs, particularly discussions about potential sanctions. According to a UN Security Council report published following the incidents, Kimsuky demonstrated persistent targeting patterns, pursuing certain individuals throughout their government careers based on their access to valuable intelligence. Security analysts observed continued operations against UN entities for at least six months after the initial March-April campaign, with particular focus on the Office of the High Commissioner for Human Rights (OHCHR). Attackers registered fraudulent domains mimicking OHCHR intranet portals to deceive targets. The group pursued dual objectives in many operations: stealing credentials through phishing pages and deploying malware to maintain persistent access to compromised systems. While the UN did not publicly disclose specific containment measures, the incidents prompted enhanced scrutiny of digital communications within affected departments. The compromise of official accounts created risks of unauthorized access to diplomatic correspondence and internal policy deliberations related to North Korean sanctions enforcement.
