It hasn’t been revealed who was behind the attack nor to whom a ransom (if any) was paid. Some security researchers believe the WastedLocker ransomware (said to be the cause of the outage) is linked to a Russia-based group of cybercriminals known as Evil Corp. The US Treasury sanctioned that organization last year, accusing it of being responsible for developing and distributing another form of malware called Dridex. The sanction “generally prohibited” US persons from “engaging in transactions” with specific companies and people linked to Evil Corp.

Arete Incident Response, which helps companies secure their networks and resolve attacks, recently suggested that WastedLocker was not conclusively the work of Evil Corp. It published a study on that topic the day after Garmin said it was attacked. Arete told Sky News it “follows all recommended and required screenings to ensure compliance with US trade sanctions laws.”

Sometime this past July, a group of hackers took advantage of a flaw in Microsoft’s SharePoint software and an unknown type of malware to gain access to dozens of servers at the UN’s Geneva and Vienna offices, as well as the Office of the United Nations High Commissioner for Human Rights (OHCHR). The three offices employ approximately 4,000 staff between them.

“The attack resulted in a compromise of core infrastructure components,” a spokesperson for the UN told The New Humanitarian. “As the exact nature and scope of the incident could not be determined, [the UN] decided not to publicly disclose the breach.”

After reading over the report, Jake Williams, a former hacker for the US government, told the Associated Press, “the intrusion definitely looks like espionage.” The hackers reportedly attempted to cover their tracks by deleting the logs that would have documented their entry into the UN’s servers. “It’s as if someone were walking in the sand, and swept up their tracks with a broom afterward,” an anonymous UN official told the publication. “There’s not even a trace of a clean-up.”

The hackers reportedly downloaded approximately 400GB of data. The servers they breached contained sensitive employee information, but it’s not clear exactly what they were able to download. The UN doesn’t know the full extent of all the damage yet. Sometime after the attack happened, it told employees to change their passwords but didn’t share full details on the situation.

This isn’t the first time the UN has failed to disclose a cyberattack. In 2016, Emissary Panda, a group with ties to the Chinese government, accessed servers from the International Civil Aviation Organization. The UN only shared information about the breach after the Canadian Broadcasting Corporation reported on it. According to The New Humanitarian, the UN’s unique diplomatic status means it doesn’t have to disclose data breaches like other government agencies in the US and EU, something that puts it at odds against cybersecurity best practices.

News of the attack also comes at a time when state-sponsored cyberattacks have seemingly become more brazen. Last week, The Guardian reported that the phone of Amazon CEO Jeff Bezos was hacked by a WhatsApp account associated with Saudi crown prince Mohammed bin Salman. A day after the report came out, the UN called for an investigation into the hacking.