United Nations agency investigates ransomware attack, data theft

​The United Nations Development Programme (UNDP) is investigating a cyberattack after threat actors breached its IT systems to steal human resources data.

UNDP, the UN's global development network, works in over 170 countries and territories and relies on donations from UN member states and private sector/multilateral organizations to help eradicate poverty and fight inequality and exclusion.

In a statement published Tuesday, the organization revealed that the attackers hacked into local IT infrastructure in UN City, Copenhagen, in late March.

"On March 27, UNDP received a threat intelligence notification that a data-extortion actor had stolen data which included certain human resources and procurement information," the UN agency disclosed.

"Actions were immediately taken to identify a potential source and contain the affected server as well as to determine the specifics of the exposed data and who was impacted."

UNDP is now investigating the nature and scope of the incident and assessing the attack's impact on individuals whose information was stolen.

It also alerted and is now working with those affected by the breach so they can protect their personal information from misuse.

Claimed by 8Base

While the UN agency has yet to link the attack to a specific threat group, the 8Base ransomware gang added a new UNDP entry to its dark web data leak website on March 27.

The attackers say that the documents their operators managed to exfiltrate during the breach contain large amounts of sensitive information.

UNDP entry on 8Base's leak site (BleepingComputer)

​The files they temporarily leaked via a now-expired link allegedly include "a huge amount of confidential information," personal data, accounting data, certificates, employment contracts, confidentiality agreements, invoices, receipts, and more.

8Base emerged in March 2022, and their activity spiked in June 2023 after they started attacking companies across a broader range of industry verticals and switching to double extortion.

The gang launched its data leak site in May 2023, with the extortion group claiming to be "honest and simple" pen testers targeting "companies that have neglected the privacy and importance of the data of their employees and customers."

So far, this ransomware group has listed over 350 victims on its site, announcing up to six victims at once on some days. 8Base uses a customized version of Phobos ransomware, a malware that first surfaced in 2019 and shares many code similarities with Dharma ransomware.

The United Nations Environmental Programme (UNEP) also disclosed a data breach in January 2021 after over 100,000 employee records containing personally identifiable information (PII) were exposed online.

UN networks in Geneva and Vienna were also breached in July 2019 via a Sharepoint vulnerability, exposing staff records, health insurance, and commercial contract data in what a UN official described as a "major meltdown."