    The Aviation Advocacy Blog

    A cornucopia of news, opinion, views, facts and quirky bits that need to be talked about. Join our community and join in the conversation on all matters aviation. The blog includes our weekly round-up of the bits of European aviation you may otherwise have missed – That Was The Week That Was

ICAO’s Cybersecurity Cover-up

Back in June, we wrote about the cyber-attack on ICAO’s internal network by Emissary Panda, a Chinese government-connected hacking collective. We also addressed the hack’s subsequent breaches and ICAO’s embarrassing cover-up attempt. CBC (Canadian Broadcasting Corporation) uncovered the scandal and, on July 25th, released new information directly from the whistleblower, Vincent Smith, ICAO’s director of the bureau of administration and services, who has publicly come forward.

Smith had originally filed an internal complaint in late 2016, immediately following the attack. The complaint was directed at the IT team, who had reported to their supervisor, James Wan, who then reassured Secretary General Liu that “the entire cyber-security incident was a minor one….” Smith stated that the IT crew “acted with intent to disguise the source, nature and impact of a breach of the ICAO network.” Yet none of the IT crew has been investigated; all four still hold their posts, along with Wan. Since then, Smith has also accused Liu of acting in direct contravention of the UN Internal Oversight Services, which requested an investigation into the IT crew members.

Aside from the Secretary General, Smith also targeted Olumuyiwa Benard Aliu, ICAO’s council president. Here is where the call for a cover-up makes more sense. Back in 2010, Aliu was the Nigerian representative on the council. His son, Maxim Aliu, was an ICAO IT officer, and while he was on a trip to Beijing in 2010, Emissary Panda infected Maxim’s laptop. Maxim had domain admin status up until January 2015. ICAO’s chief INFOSEC officer, Si Nguyen Vo, pointed out that between the 2010 breach and the 2016 attack, ICAO suffered a number of substantial breaches, beyond the one initially reported by CBC, including one involving mutual funds.

Additionally, the hackers gained access to “the personnel records of past and current employees, the medical records of those who had used ICAO’s health clinic, financial transaction records, and the personal information of anyone who had visited the ICAO building or registered on an ICAO website.” A member of ICAO’s Nordic Delegation had received a suspicious e-mail, and someone had sent e-mails from her breached account, posing as her. James Wan directed her to delete the e-mail and didn’t conduct any follow-up investigation. Perhaps most notably, “within 30 minutes of the hack on ICAO, at least one of the UN agency’s 192 member states, Turkey, had been compromised.” Here, Emissary Panda also established a watering-hole hack on Turkey’s treasury board website.

ICAO’s internal and external handling of the December 2016 hack has been a fiasco, and has marred the image and credibility of the agency, which claims to provide “support of a safe, efficient, secure, economically sustainable and environmentally responsible civil aviation sector.”

Students of history will know that it is not the crime, it is the cover-up, that eventually gets you.
