'Patient zero' in cyberattack on UN aviation agency was senior official's son, email reveals

A United Nations whistleblower has revealed that forensic investigators looking into the most serious cyberattack in the history of the Montreal-based International Civil Aviation Organization (ICAO) traced the source of the breach to the laptop of the ICAO council president's son.

Almost five months after CBC News reported an attempt by four members of ICAO's information technology team to cover up its mishandling of the cyberattack, Vincent Smith — ICAO's director of the bureau of administration and services — is going public with accusations of misconduct against ICAO Secretary General Fang Liu and the agency's council president, Olumuyiwa Benard Aliu.

Smith has told CBC News he's been warned he's committing career suicide by coming forward, but he sees it as a duty.

"There's smoke here, and nothing is being done," Smith said in an interview. "I care about the organization.

"I have to be true to my conscience."

ICAO is the UN body that sets the standards for civil aviation around the world. As ICAO is a gateway to just about every airline, airport and government agency in aviation, the 2016 attack compromised the agency and its global partners and left the personal data of some 2,000 ICAO users and staff members vulnerable.

• Montreal-based UN aviation agency tried to cover up 2016 cyberattack, documents show

In several reports Smith wrote and addressed to ICAO's 36-member state council and its ethics office in June and July, obtained by CBC through a confidential source, he details the allegations and reveals how and when the cyberspies first infiltrated the ICAO network.

Smith writes that he was told in a Feb. 25 email from ICAO's chief information security officer, Si Nguyen Vo, that the laptop of a former ICAO IT officer, Maxim Aliu, was infected while he was on a trip to the agency's regional office in Beijing in 2010.

'Patient zero'

Maxim Aliu is the son of ICAO's current council president, Olumuyiwa Benard Aliu, who was Nigeria's representative on the council in 2010.

Vo's email, obtained by CBC not from Smith, but through a confidential source, refers to Maxim Aliu as "patient zero." It describes how, through the IT officer's laptop, the cyberespionage group known as Emissary Panda infected the ICAO network.

Emissary Panda is a sophisticated and stealthy group with ties to the Chinese government.

• What is Emissary Panda, and how does it hack its targets?

A UN forensic report found that Maxim Aliu had domain administrator status between April 2012 and January 2015, Smith wrote. Domain administrator and system administrator accounts were all believed to have been compromised in the attack, allowing the hackers access to ICAO emails and passwords.

While trying to create a timeline of the 2016 attack, Vo wrote an email to Smith in which he mentioned "several" other breaches, including at least one that involved mutual funds.

Vo also described his discovery that a security file was somehow erased between November 2018 and January 2019, wiping clean all information on the breaches, including procedures, standards, action plans and the history of the attacks.

In a statement to CBC News, ICAO communications officer William Raillant-Clark denied there was any "patient zero."

He said a report in 2017 from the UN's International Computing Centre "did not ascribe responsibility for the security breach to a specific individual or device."

'Toxic and hostile' workplace

Beyond the Emissary Panda attack and its handling, it is the culture of ICAO that most concerns Smith.

In his reports, Smith describes ICAO under Liu's leadership as "toxic and hostile," characterized by "cronyism" and "favouritism."

It "not only created a culture of impunity and exonerated alleged offenders of wrongdoing without an investigation, it also added to the cult of personality, deference and personal loyalty to the secretary general from those exonerated, including some in my bureau," Smith wrote.

Smith first raised a red flag internally in December 2016, lodging a formal complaint with ICAO alleging that the four IT team members linked to the cyberattack coverup had "acted with intent to disguise the source, nature and impact of a breach of the ICAO network."

He writes that "none of the alleged obstructors during the 2016-2017 cyber-incident have been investigated," yet he is "still their supervisor without any real authority over them."

He accuses Liu of going against a recommendation from the UN Office of Internal Oversight Services to investigate the four IT staff.

Speaking out about the culture made him a target of "harassment, bullying and retaliation" by the very IT team members linked to the coverup and their boss, Smith wrote. He said by failing to investigate the team, the staff, whom Smith supervised, were emboldened to alienate him.

"I was now seen as a disloyal and untrustworthy enemy," Smith wrote. He said the experience has taken a toll on his health. He has been on medical leave since March 26.

More stressful than a war zone?

Smith would not speak to CBC News about the specifics of his reports or about any individuals involved, saying the reports speak for themselves. However, he did have more to say about the culture at ICAO.

Smith has a long history with the United Nations, having worked for more than two decades on several peacekeeping operations in such hot zones as Afghanistan, Somalia, Haiti and Liberia.

None of those stressful situations made him sick like the poisonous culture he experienced at ICAO, he told CBC News.

"In all my previous UN hardship duty stations, I always knew that even at times of great personal danger, that the culture of the UN was to fully support its staff in the ethical implementation of the mandate and for the greater good of those that the UN serves," Smith said in an email.

"Sadly, my experience at ICAO has been very different and falls short of the standards required of a UN agency. It is also very unfortunate that any staff member striving to adhere to the standards required of an international civil servant is first ignored, then resisted and subsequently attacked."

In his written reports, Smith also criticizes ICAO for suppressing information and being oblivious to the potential risks that the hack posed to individual Canadians.

He cites the CBC report on the cyberattack, which revealed that the hackers had access to the personnel records of past and current employees, the medical records of those who had used ICAO's health clinic, financial transaction records, and the personal information of anyone who had visited the ICAO building or registered on an ICAO website.

At the time, ICAO denied that.

The agency's communications chief, Anthony Philbin, issued a statement following CBC's report, reassuring the public that "ICAO maintains no type of financial or other private information which could possibly pose risks to individual Canadians."

However, in his reports, Smith writes that ICAO does, in fact, keep personnel records of individual employees, including social insurance numbers, passport numbers, financial accounts and other data.

'No revelation of any damages or threats': ICAO

Responding to these latest allegations from Smith, Raillant-Clark said there has been "no revelation of any damages or threats incurred by any ICAO personnel due to past cyber vulnerabilities we experienced."

As for how ICAO is dealing with its past vulnerabilities, the association says it made "comprehensive efforts" to upgrade its information security systems and later invited UN and other external experts to assess its progress.

Smith is demanding a full and independent investigation into the conduct of Liu, as well as that of ICAO council president Olumuyiwa Benard Aliu, in connection with the breaches. He has asked that both of those top officials recuse themselves from that investigation.

The council president is in a position of conflict of interest, Smith writes in his report, as it was his son's laptop that was the source of the hack. He said ICAO's employment of father and son also violated the agency's nepotism rules.

In ICAO's statement to CBC News, Raillant-Clark said, "The organization is in receipt of various allegations relating to the 2016 cybersecurity incident and is in the process of examining them. It is therefore, inappropriate to comment on these matters."

Smith has requested protection from retaliation for reporting the alleged misconduct under ICAO's new whistleblower policy, adopted June 20 — five months after CBC News broke the cyberattack story, with the help of confidential sources.

That news report was followed by a public rebuke in May from the U.S. ambassador to ICAO, Thomas Carter, who said some members of the ICAO secretariat "were more interested in finding the leaker than giving the council an accurate portrayal of what actually happened."