Cyber Incident Victim: United Nations Children's Fund
Date: Mar 2019
Location: United States of America
Summary
A phishing campaign targeted officials from UNICEF, the UN, and the Red Cross, aiming to compromise Okta and Microsoft credentials for follow-on attacks or intelligence gathering. The operation used mobile-friendly phishing sites that logged passwords in real time as they were typed, so credentials were captured even when users abandoned the login before submitting, and the sites evaded detection by Google Safe Browsing for extended periods. Security researchers found evidence of prolonged site activity, including SSL certificates that had expired while the sites remained online, but could not attribute the campaign definitively; they suspected either nation-state actors seeking intelligence on investigations or members, or financially motivated groups attempting payment hijacking. The infrastructure remained active at the time of discovery.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In March 2019, a phishing campaign targeting officials from UNICEF, the United Nations, and the Red Cross began, with infrastructure remaining active through at least October 2019. Cybersecurity firm Lookout discovered the operation and noted that phishing sites created during this period were still operational months later; some of their SSL certificates had expired, indicating the sites had stayed online undetected for a long time. The attackers used phishing pages optimized for mobile devices that logged credentials in real time as users typed them, a technique that captures credentials even if the victim abandons the login attempt before submission. None of the identified phishing domains were flagged in Google's Safe Browsing database during Lookout's investigation, leaving most users unprotected against the malicious links. The campaign specifically sought Okta and Microsoft account credentials, which could enable unauthorized access to organizational systems for follow-on attacks or intelligence collection.

Lookout's analysis produced no definitive attribution; potential actors ranged from nation-state groups to financially motivated cybercriminals. A human rights advocate corroborated that such organizations are targeted both by espionage-focused actors seeking operational intelligence on investigations or whistleblowers and by business email compromise (BEC) groups pursuing financial theft. The phishing infrastructure's longevity, remaining online for months without detection, highlighted gaps in threat visibility: the security tools in place failed to identify or block the malicious pages. While Lookout documented technical indicators such as real-time password logging and mobile-optimized page designs, the available reporting disclosed no containment actions or victim responses. The incident underscored persistent threats against humanitarian entities, with compromised credentials posing risks of data exfiltration, financial fraud, or secondary intrusions.
