
Cyber Incident Victim: United Nations Development Programme

Date:

Oct 2019

Location:

United States of America

Summary

A phishing campaign targeted officials from humanitarian organizations, including the United Nations Development Programme, aiming to compromise Okta and Microsoft credentials for potential follow-on attacks or intelligence gathering. Discovered by cybersecurity researchers, the operation used mobile-friendly phishing sites that logged passwords in real time, even before the form was submitted, which increased the rate of credential capture. The infrastructure remained active for an extended period, with some sites' SSL certificates expiring undetected, and the phishing links were never added to major safe-browsing databases, so users saw no browser warnings. Attribution remains unclear (possible nation-state actors seeking surveillance capabilities, or financially motivated groups), but the campaign used tactics uncommon in typical credential-harvesting operations, underscoring the persistent threats faced by non-governmental entities.

CIA Posture: Available to members
Motives: 2 motives
Tactics, Techniques & Procedures: 2 techniques
Threat Actors: 0 actors
Type: Available to members
Location: Available to members

Description

In October 2019, cybersecurity firm Lookout identified an active phishing campaign targeting officials from the United Nations Development Programme (UNDP), UNICEF, and the Red Cross. The campaign, which began operating phishing sites as early as March 2019, remained undetected for months, with infrastructure still active at the time of discovery. Attackers created fraudulent login pages designed to harvest Okta and Microsoft credentials, enabling unauthorized access to organizational accounts. The phishing sites were not listed in Google's Safe Browsing database, so visitors received no standard browser warnings. Some sites operated long enough for their SSL certificates to expire, indicating prolonged activity without any security intervention. Lookout researchers confirmed that the servers hosting these pages remained operational through October 2019. The specific actor behind the campaign remained unidentified, with possibilities ranging from nation-state groups to cybercriminal organizations.


The phishing operation employed techniques uncommon in typical credential-harvesting schemes. Attackers built mobile-optimized pages that rendered properly on smartphones and tablets, so victims could be lured from mobile devices as well as desktops. A distinctive feature was JavaScript code that captured keystrokes in real time, so credentials were stolen even when users abandoned a login attempt without submitting the form. This increased the likelihood of successful credential compromise compared to conventional phishing pages, which only harvest submitted data. While the primary motive centered on stealing authentication credentials for potential follow-on attacks or intelligence gathering, human rights advocates noted that such organizations are targeted both by espionage-focused actors seeking operational intelligence and by financially motivated groups attempting payment-diversion scams. Lookout documented technical indicators of compromise in its public report but did not disclose the containment measures taken by the affected organizations or any subsequent incident response activities.

Sources
1 source (available to members)