More

    Nation state or state-sponsored group behind ICRC cyber-attack?

    Civil societyNation state or state-sponsored group behind ICRC cyber-attack?
    - Advertisment -

    Nation state or state-sponsored group behind ICRC cyber-attack?

    A month has passed since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked.

    The International Committee of the Red Cross today shared an open letter penned by its director general, Robert Mardini. The ICRC boss said that the organisation has been working to understand how this attack happened, its ramifications, how the organisation can improve its security systems, and how to communicate the facts to the people whom ICRC assists.

    Nearly a month since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked, ICRC has shared some details on what happened and how hackers got access to confidential data, particularly concerning its ‘Restoring Family Links’ programme.

    According to the ICRC, the hackers made use of considerable resources to access its systems and used tactics that most detection tools would not have picked up.

    - Advertisement -

    Related: Sophisticated cyber-attack targets Red Cross data on 500,000 people

    ICRC says that the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors. An advanced persistent threat group is typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

    Hackers deployed offensive security tools

    The ICRC says that the attackers used sophisticated obfuscation techniques to hide and protect their malicious programs – techniques that require a high level of skills only available to a limited number of actors.

    “We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” a statement released by the humanitarian group says.

    Though installed anti-malware tools were active and did detect and block some of the files used by the attackers, yet most of the malicious files deployed were specifically crafted to bypass the anti-malware solutions. The intrusion was detected only when ICRC installed advanced endpoint detection and response agents as part of a planned enhancement programme.

    An anomaly was detected in the system within 70 days of the breach occurring, leading experts to initiate a deep dive. On 18 January, ICRC’s technical team determined that servers had been compromised. “Our analysis shows that the breach occurred on 9 November 2021.”

    Related: ICRC still clueless on data breach 

    The hackers were able to enter the network and access its systems by exploiting an unpatched critical vulnerability that allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

    “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators,” says ICRC in its statement, adding, “This in turn allowed them to access the data, despite this data being encrypted.”

    Willing to communicate

    Elaborating on What went wrong with its defences, the ICRC statement says, “Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cybersecurity, but unfortunately, we did not apply this patch in time before the attack took place.”

    Candidly, ICRC says that it cannot ascertain who was behind the attack or why it was carried out and that it has not had any contact with the hackers and neither has any ransom ask been made.

    “In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” it says, reiterating its call to the hackers not to share, sell, leak or otherwise use this data.

    ICRC says that it presumes that data sets copied and exported, knowing that the hackers were inside the systems and therefore had the capacity to copy and export it. But the organisation is certain at the moment that none of the data was deleted.

    ICRC says that it does not have any conclusive evidence of the data being made available to others, including on the dark web.

    - Advertisement -

    LEAVE A REPLY

    Please enter your comment!
    Please enter your name here

    Latest news

    Government Marks 100 Days of Progress in Agriculture and Farmers’ Welfare

    Starting in October, the government will introduce the modern kisan chaupal – lab to land program, which will facilitate...

    Migration Patterns in Udaipur’s Adivasi Communities: A Complex Tale of Struggle, Mobility, and Identity

    Young men from these communities, burdened by poor educational outcomes and limited job prospects, view migration as a means...

    Ozone Layer on Track for Recovery, Says WMO

    According to the WMO, the ozone layer could recover to pre-1980 levels by around 2066 over the Antarctic if...

    Cabinet Approves Continuation of Schemes of Pradhan Mantri Annadata Aay SanraksHan Abhiyan

    The extension of implementation of market intervention scheme with changes will provide remunerative prices to farmers growing perishable horticulture...
    - Advertisement -

    Pradhan Mantri Janjatiya Unnat Gram Abhiyan to Empower India’s Tribal Communities

    PMJUGA focuses on providing tribal families with access to pucca housing, ensuring they have safe and secure living conditions....

    Myanmar: Over 5,000 Killed Since Military Coup, Says UN Report

    Animals such as snakes or insects or other wild animals have been introduced in order to provoke fear and...

    Must read

    Government Marks 100 Days of Progress in Agriculture and Farmers’ Welfare

    Starting in October, the government will introduce the modern...

    Migration Patterns in Udaipur’s Adivasi Communities: A Complex Tale of Struggle, Mobility, and Identity

    Young men from these communities, burdened by poor educational...
    - Advertisement -

    More from the sectionRELATED
    Recommended to you