The International Civil Aviation Organization (ICAO), the UN body tasked with setting up worldwide standards in aviation, suffered a cybersecurity breach in 2016 that infected several servers and compromised privileged user accounts. The agency's security team went out of its way to cover up and obstruct the ensuing investigation, internal documents obtained by CBC revealed.
The documents show that the agency's network was full of security holes no one had bothered to flag before the attack. Even in the days after the attack was discovered, agency officials kept to their habit of not replying to emails, or replying only after delays of several days, which is unacceptable in an incident response, where speed is of the essence.
It is uncertain who exactly attacked the international agency, but the CBC report says the attacker could have belonged to an espionage group named Emissary Panda, which allegedly has ties to the Chinese government.
Whoever was responsible, for the purposes of cyberespionage "ICAO would be a natural choice" as a target, José Fernandez, a cybersecurity expert and professor at Polytechnique Montréal, told reporters. "They would have been a one-stop shop for hacking everybody else in the aerospace industry."
After the attack was discovered, four members of ICAO's information and communications technology department (ICT), led by James Wan, were dispatched to plug the hole. A UN-affiliated IT agency also got involved in the investigation.
The ICT team reportedly dismissed the UN agency's expertise, handed the UN team old and unusable data, and simply did not bother to reply to emails for days, CBC reports. It was not until the following month that ICAO agreed to fly in a single UN analyst, and even then it took three days of repeated requests before he was given access to the logs.
What the analyst discovered was shocking: what had been treated as a single compromised server had in fact spread to several servers, including ICAO's mail server, which meant that more than 2,000 ICAO users' passwords were compromised. It also meant the attacker could have accessed personnel records of past and current employees, medical records of those who had used ICAO's health clinic, financial transaction records, and the personal information of anyone who had visited the ICAO building or registered on an ICAO website, CBC says.
"He ought to have known that through his actions, he recklessly compromised the security of confidential data," read one of the documents obtained by CBC.
At the same time, UN IT analysts, working independently, decrypted the same file and made an alarming discovery: the superuser account of one of the ICT team members had been tied to the attack. That left two possibilities, neither of them good: either the ICT member was himself part of the attack, or his privileged account had been compromised by the attacker.
It doesn't stop there, though: this very superuser had been tasked with validating the UN team's forensic work. And, as you could have guessed by this point, the team member deemed the UN's malware findings "false positives," in other words he claimed the detections were spurious and that there was no malware on the systems at all. A person whose own account is implicated in an intrusion is the last person who should be signing off on the forensic findings about it.
Based on that assessment, Wan reported to his ICAO superiors that the entire incident was a minor one and that the UN analysts were making too much of it.
By the end of the year, the agency brought in an outside security firm, SecureWorks, to fix what ICT could not. The firm's complaint was blunt: Wan had "engaged in a pattern of obstruction, deception, insubordination and incompetence in his handling of the ongoing cybersecurity response."
SecureWorks determined the agency's security problems dated back at least three years before the hack.
According to the documents obtained by CBC, Wan stayed home on three different occasions during the breach investigation, without giving ICAO information security officers the authority to act. Whenever he was sent emails with urgent requests, he either replied with a delay of three days or never replied at all.
"On Jan. 12, when [Wan] was asked in an email to approve a long-term action plan to improve ICAO cybersecurity that had been developed by the New York IT analysts and SecureWorks, Wan never replied," CBC report reads.
Wan took emergency leave, and the plan was never approved, the report says.
Despite all of this, neither the four ICT members nor Wan himself was fired from ICAO. A confidential source told CBC there "was pressure from higher up the United Nations chain to return them to work, where they are to this day."