UNDP confirms ransomware attack

Personal data of past and current personnel and procurement information were compromised.

The United Nations Development Programme (UNDP) confirmed that it had fallen victim to a ransomware attack targeting the UNDP’s IT infrastructure in Copenhagen.

According to the agency, a locally hosted server was breached, resulting in data theft. The compromised information included personally identifiable details of current and former personnel, as well as procurement data concerning certain suppliers and contractors.

UNDP has taken steps to notify affected individuals and entities with current contact information, promising ongoing updates as more information surfaces. Notably, there is no evidence yet of the stolen data being misused.

Regarding the ransom demand, UNDP clarified that they refuse to negotiate with threat actors and have no intention of paying any ransom.

This incident follows a claim made two weeks earlier by the 8Base ransomware group, which asserted responsibility for the attack on UNDP and threatened to expose undisclosed data from the organization’s systems. Data purportedly taken in the attack was subsequently disclosed on 3 April.

The organization first became aware of the threat when notified on 27 March about data theft involving human resources and procurement information. UNDP emphasised that investigations are ongoing.

The attack on UNDP aligns with a broader trend of international humanitarian organizations facing cyber threats, including state-sponsored hacking and ransomware assaults. Previously, groups such as the International Committee of the Red Cross and Amnesty International have been targeted by state-affiliated entities allegedly connected to China.

While the 8Base ransomware group is relatively new, experts speculate that it comprises skilled hackers. Despite a VMware report in 2023 suggesting links to other ransomware operations, some experts argue that these connections might be a result of 8Base replicating ransom notes and website designs from other groups.