Cyber Incident Victim: United Nations
Date: Jan 2020
Location: United States of America
Summary
The United Nations was targeted in a phishing campaign where attackers impersonated Norwegian officials to distribute Emotet malware via malicious Microsoft Word attachments. Hundreds of staff members were tricked into enabling macros that downloaded the malware, which subsequently spread spam emails and deployed additional payloads including the TrickBot trojan linked to ransomware threats. The attack compromised login credentials and enabled further malicious activities through downloaded secondary malware.
Description
On January 15, 2020, the United Nations headquarters in New York was targeted by a phishing campaign deploying the Emotet malware. Attackers impersonated representatives from the Permanent Mission of Norway, sending emails to hundreds of UN staff and officials claiming a "problem" existed with an attached signed agreement. The emails directed recipients to review a malicious Microsoft Word document, which displayed a spoofed template with a pop-up warning stating the document was only accessible via desktop or laptop versions of Microsoft Office Word. Users were prompted to click 'Enable editing' or 'Enable Content' to view the document, triggering malicious macros that downloaded and installed Emotet onto their devices. The attack specifically exploited trusted communication channels to bypass security awareness, leveraging the legitimacy of diplomatic correspondence to increase success rates.

Once activated, Emotet operated covertly to harvest login credentials and propagate itself by sending spam emails to additional UN targets from compromised accounts. The malware further downloaded secondary payloads, including the TrickBot trojan, which facilitated lateral movement within the network and data exfiltration. Researchers from cybersecurity firm Cofense identified the campaign, noting its connection to TrickBot’s established links to Ryuk ransomware, though no ransomware deployment was confirmed in this incident. The attack’s primary impact involved unauthorized access to UN systems, potential theft of sensitive credentials, and disruption to operational continuity due to the malware’s persistent background activity. No specific containment measures or remediation actions by the UN were detailed in the available reporting. The incident underscored the persistent threat of socially engineered attacks against high-profile international organizations.
