Cyber Incident Victim: United Nations
Date: Jul 2019
Location: Switzerland
Summary
A major cyber attack targeted the United Nations' European IT infrastructure, exploiting CVE-2019-0604, a vulnerability previously used against Middle Eastern governments and US municipalities. The breach, among the largest in the organization's history, compromised internal networks in Geneva and prompted alerts to technical teams. The UN chose not to publicly disclose the incident, a decision criticized by data protection advocates for potentially endangering staff, partner organizations, and vulnerable individuals. The attack highlighted systemic security weaknesses while raising concerns about transparency and risk management practices following such intrusions.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
The United Nations experienced a significant cyber intrusion in mid-2019, with initial detection occurring around July 15 when anomalous activity was observed in its Geneva office networks. IT officials confirmed attackers had exploited CVE-2019-0604, a SharePoint vulnerability previously leveraged against Middle Eastern governments and US municipalities. The breach compromised core infrastructure components including the UN's Active Directory server, which manages user credentials and access permissions across the organization. Attackers maintained persistent access for months, exfiltrating sensitive data from at least 42 servers according to internal assessments. This incident represented one of the most extensive known breaches in UN history, though the full scope of compromised data wasn't publicly disclosed.

The UN's Office of Information and Communications Technology issued an internal alert on August 30, 2019, directing technical teams to address the compromise. Response measures included isolating affected systems, resetting administrative credentials, and applying security patches. The organization chose not to publicly acknowledge the breach despite its scale, a decision criticized by data protection advocates who argued this lack of transparency prevented partner organizations and affected individuals from taking protective actions. The prolonged attacker presence raised concerns about potential exposure of humanitarian data and staff information. No attribution or motive was formally identified in available reports, though the exploited vulnerability's history suggested possible state-sponsored involvement.
