Published Date: 2021-09-09
Postmortem Analysis | |
---|---|
Timeline | 1. The software failure incident at the United Nations happened in April 2021 as reported in [Article 118495], [Article 118875], and [Article 118825]. |
System | 1. United Nations' internal system - Umoja project management software [Article 118495, Article 118875, Article 118825] |
Responsible Organization | 1. The software failure incident at the United Nations was caused by unidentified hackers who breached the computer systems and gained access to the organization's project management software Umoja [118495, 118875, 118825]. |
Impacted Organization | 1. United Nations [118495, 118875, 118825] |
Software Causes | 1. The software cause of the failure incident was hackers infiltrating the United Nations' computer networks and accessing data through the organization's project management software Umoja [118495, 118875, 118825]. 2. The hackers gained entry by purchasing employee login credentials from the dark web, allowing them to access the UN's network and remain active for an extended period [118495, 118875, 118825]. 3. The software vulnerability was exacerbated by the lack of two-factor authentication on the account used by the hackers to breach the UN's network [118875]. |
Non-software Causes | 1. The failure incident at the United Nations was caused by hackers infiltrating the computer networks and accessing data through an employee's stolen login credentials sold on the dark web [118495, 118875, 118825]. 2. The breach was facilitated by the lack of two-factor authentication on the account used by the hackers to access the UN's network [118875]. |
Impacts | 1. The hackers were able to gather data from the United Nations' internal system, including valuable insight into government and humanitarian work across the globe [118495, 118875]. 2. The breach exposed vulnerabilities in the UN's infrastructure, highlighting the threats posed by cyberattacks and the need for improved cybersecurity measures [118875, 118825]. 3. The incident raised concerns about potential extortion or data theft by intruders who gained access to the UN's project management software [118825]. 4. The breach led to the compromise of a large number of UN employee accounts, potentially allowing remote access to their systems for monitoring or data collection [118875]. 5. The UN had to respond to further attacks that were detected and linked to the initial breach, indicating ongoing cybersecurity challenges faced by the organization [118875]. |
Preventions | 1. Implementing two-factor authentication for login credentials could have prevented the software failure incident at the United Nations [Article 118875]. 2. Enhancing cybersecurity measures and monitoring for unauthorized access to sensitive systems could have helped prevent the breach [Article 118495]. 3. Regularly updating and patching software vulnerabilities to prevent exploitation by hackers [Article 118825]. |
Fixes | 1. Implementing two-factor authentication for all user accounts accessing the software system [Article 118875]. 2. Enhancing cybersecurity measures and monitoring to detect and respond to breaches promptly [Article 118495, Article 118875, Article 118825]. 3. Conducting regular security audits and assessments to identify vulnerabilities and address them proactively [Article 118495, Article 118875, Article 118825]. 4. Increasing awareness and training for employees on cybersecurity best practices to prevent social engineering attacks like phishing [Article 118495, Article 118875]. 5. Collaborating with cybersecurity firms and experts to stay informed about potential threats and breaches in real-time [Article 118495, Article 118875, Article 118825]. |
References | 1. Cybersecurity firm Resecurity [Article 118495, Article 118875] 2. Bloomberg News [Article 118495, Article 118875] 3. UN spokesperson Stéphane Dujarric [Article 118875] 4. California-based cybersecurity firm Resecurity [Article 118825] 5. Alex Holden, founder of Hold Security [Article 118825] |
Category | Option | Rationale |
---|---|---|
Recurring | one_organization, multiple_organization | (a) The software failure incident has happened again at one_organization: The United Nations experienced a software failure incident related to hackers breaching their computer networks and accessing data through their project management software Umoja. This incident is not the first time the UN has been targeted by cyberattacks. In 2019, dozens of UN servers were breached by unknown actors, including some at the UN human rights office [118495]. Additionally, in January 2020, unidentified hackers targeted UN offices in Geneva and Vienna with a cyberattack [118825]. (b) The software failure incident has happened again at multiple_organization: The incident involving hackers selling access to login credentials for software used by the UN is not isolated. Cybercriminal forums have been selling access to various organizations' systems, including the UN, for financial gain. The UN credentials were being sold in combination with dozens of usernames and passwords to various organizations for just $1,000 [118495]. This trend of cybercriminals targeting organizations for stolen data and access is not unique to the UN. For example, in 2018, Dutch and British law enforcement stopped Russian hackers from gaining access to the Organization for the Prohibition of Chemical Weapons, which frequently cooperates with the United Nations [118495]. |
Phase (Design/Operation) | design, operation | (a) The software failure incident related to the design phase can be seen in the articles where hackers infiltrated the United Nations' computer networks by accessing data through the organization's project management software Umoja. The hackers gained entry by purchasing employee login credentials from the dark web, indicating a failure in the design of the system's security measures [118495, 118875, 118825]. (b) The software failure incident related to the operation phase can be observed in the articles where the UN confirmed that unknown attackers breached parts of its infrastructure in April 2021. This breach occurred due to the operation or misuse of the system, as hackers were able to dive deeper into the UN's network and remain active until early August, indicating operational vulnerabilities [118875, 118825]. |
Boundary (Internal/External) | within_system, outside_system | (a) within_system: The software failure incident at the United Nations was primarily due to contributing factors that originated from within the system. The hackers infiltrated the UN's computer networks by targeting the organization's proprietary project management software, Umoja, and gaining entry using purchased employee login credentials from the dark web [118495, 118875]. The attackers were able to access data within the UN's infrastructure and compromise a large number of employee accounts, indicating that the breach originated from within the system itself. (b) outside_system: The software failure incident at the United Nations also had contributing factors that originated from outside the system. The hackers who breached the UN's computer networks purchased employee login credentials from the dark web, indicating an external source of the breach [118495, 118875]. Additionally, cybersecurity experts warned that cybercriminal forums were selling access to login credentials for software used by the UN, highlighting external threats to the organization's systems [118825]. |
Nature (Human/Non-human) | non-human_actions, human_actions | (a) The software failure incident occurring due to non-human actions: - The software failure incident at the United Nations was primarily due to hackers infiltrating the computer networks and accessing data through the organization's project management software Umoja [118495, 118875, 118825]. - Hackers gained access to the UN system and remained active in the network for an extended period, potentially obtaining valuable information without direct human involvement in causing the failure [118495, 118875, 118825]. (b) The software failure incident occurring due to human actions: - The failure was also attributed to human actions, specifically the purchase of employee login credentials from the dark web, which allowed hackers to gain entry into the UN's network [118495, 118875, 118825]. - The lack of two-factor authentication on the account used by hackers to breach the UN's network was highlighted as a basic security practice that was not implemented, contributing to the incident [118875]. |
Dimension (Hardware/Software) | software | (a) The articles do not provide information about the software failure incident occurring due to hardware-related factors. (b) The software failure incident reported in the articles was due to contributing factors that originate in software. The incident involved hackers infiltrating the computer networks of the United Nations by accessing data through the organization's project management software Umoja [118495, 118875, 118825]. The hackers gained entry by purchasing employee log-in credentials from the dark web, allowing them to access and navigate the U.N.'s network. This breach highlighted vulnerabilities in the software system used by the U.N., leading to concerns about cyberespionage and the need for improved cybersecurity measures. |
Objective (Malicious/Non-malicious) | malicious | (a) The software failure incident related to the United Nations' internal system being breached by hackers was malicious in nature. The hackers infiltrated the system with the intent to gather data and compromise a large number of UN employee accounts for intelligence gathering purposes [118495, 118875, 118825]. (b) The software failure incident was not non-malicious: the breach was not caused by unintentional factors or system errors, but rather by deliberate actions of hackers who purchased employee login credentials from the dark web to gain unauthorized access to the UN's project management software [118495, 118875, 118825]. |
Intent (Poor/Accidental Decisions) | poor_decisions | (a) The intent of the software failure incident: - The software failure incident involving the United Nations' internal system being hacked was primarily due to poor decisions, specifically the lack of two-factor authentication for the login credentials used to access the organization's project management software Umoja. This lack of basic security practice allowed hackers to gain unauthorized access to the system [Article 118875]. - Hackers were able to breach the United Nations' infrastructure by purchasing employee login credentials from the dark web, indicating a poor decision in terms of credential management and security practices [Article 118495]. - The hackers' intent was to compromise a large number of UN employee accounts to access their systems and collect specific data, highlighting the poor decision of not having robust security measures in place to prevent such intrusions [Article 118875]. |
Capability (Incompetence/Accidental) | development_incompetence | (a) The software failure incident occurring due to development incompetence: - The software failure incident at the United Nations was attributed to hackers infiltrating the computer networks by purchasing employee login credentials from the dark web, indicating a failure due to lack of professional competence in maintaining secure access controls [118495, 118875]. - The account that hackers used to break into the U.N.'s network did not have two-factor authentication activated, which is considered a basic security practice, highlighting a lack of professional competence in implementing necessary security measures [118875]. (b) The software failure incident occurring accidentally: - There is no specific mention in the articles about the software failure incident at the United Nations being accidental. The incident was primarily attributed to hackers gaining unauthorized access through purchased login credentials and exploiting vulnerabilities in the system [118495, 118875]. |
Duration | temporary | (a) The software failure incident in the United Nations' internal system due to hackers gathering data through the Umoja project management software was temporary. The hackers gained access in April and were still active in the network until early August [118495, 118875, 118825]. The breach was detected, and corrective actions were being implemented to mitigate the impact of the breach [118495, 118875]. The UN confirmed that further attacks linked to the earlier breach were detected and being responded to [118875]. The account used by hackers did not have two-factor authentication activated, indicating a lack of basic security practice [118875]. (b) The software failure incident in the United Nations' internal system was not permanent as the breach was detected, and corrective actions were being implemented to mitigate the impact of the breach [118495, 118875]. Further attacks linked to the earlier breach were also detected and being responded to [118875]. |
Behaviour | crash, omission, timing, value, other | (a) crash: - The software failure incident related to the United Nations' internal system being hacked can be considered a crash as the system lost its state and was not performing its intended functions due to unauthorized access by hackers [118495, 118875, 118825]. (b) omission: - The software failure incident can also be categorized as an omission as the system omitted to perform its intended functions by allowing hackers to gain unauthorized access and extract data from the system [118495, 118875, 118825]. (c) timing: - The timing of the software failure incident can be seen in the fact that the hackers remained active in the UN network for an extended period, from April to early August, indicating that the system failed in terms of timing by allowing unauthorized access for an extended duration [118495, 118875, 118825]. (d) value: - The software failure incident can be related to a failure in terms of value as the hackers were able to extract valuable information from the UN's project management software, compromising sensitive data and potentially impacting the organization's operations and security [118495, 118875, 118825]. (e) byzantine: - The software failure incident does not exhibit characteristics of a byzantine failure as there is no mention of inconsistent responses or interactions within the system in the articles. (f) other: - The software failure incident can also be described as a security breach or a cyberattack, where the system failed to protect itself from unauthorized access and data extraction by malicious actors [118495, 118875, 118825]. |
Layer | Option | Rationale |
---|---|---|
Perception | None | None |
Communication | None | None |
Application | None | None |
Category | Option | Rationale |
---|---|---|
Consequence | property, theoretical_consequence | (d) property: People's material goods, money, or data was impacted due to the software failure. The software failure incident involving hackers gaining access to the United Nations' internal system through the Umoja project management software resulted in the theft of valuable data. The hackers were able to gather data from the UN system, including sensitive information, by exploiting the compromised credentials sold on the dark web [118495, 118875, 118825]. This breach led to the unauthorized access and potential theft of data, impacting the security and confidentiality of the organization's information. |
Domain | information, government | (a) The failed system was related to the industry of information, specifically in supporting the United Nations' internal operations and project management. The hackers targeted the UN's project management software Umoja, which provided valuable insight into government and humanitarian work across the globe [Article 118495, Article 118875, Article 118825]. (l) The failed system was also related to the government industry as the United Nations, an international governmental organization, was the target of the cyberattack. The UN's infrastructure was breached, and the hackers gained access to sensitive data within the organization [Article 118495, Article 118875, Article 118825]. |
Article ID: 118495
Article ID: 118875
Article ID: 118825