More

    Nation state or state-sponsored group behind ICRC cyber-attack?

    Civil societyNation state or state-sponsored group behind ICRC cyber-attack?
    - Advertisment -

    Nation state or state-sponsored group behind ICRC cyber-attack?

    A month has passed since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked.

    The International Committee of the Red Cross today shared an open letter penned by its director general, Robert Mardini. The ICRC boss said that the organisation has been working to understand how this attack happened, its ramifications, how the organisation can improve its security systems, and how to communicate the facts to the people whom ICRC assists.

    Nearly a month since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked, ICRC has shared some details on what happened and how hackers got access to confidential data, particularly concerning its ‘Restoring Family Links’ programme.

    According to the ICRC, the hackers made use of considerable resources to access its systems and used tactics that most detection tools would not have picked up.

    - Advertisement -

    Related: Sophisticated cyber-attack targets Red Cross data on 500,000 people

    ICRC says that the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors. An advanced persistent threat group is typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

    Hackers deployed offensive security tools

    The ICRC says that the attackers used sophisticated obfuscation techniques to hide and protect their malicious programs – techniques that require a high level of skills only available to a limited number of actors.

    “We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” a statement released by the humanitarian group says.

    Though installed anti-malware tools were active and did detect and block some of the files used by the attackers, yet most of the malicious files deployed were specifically crafted to bypass the anti-malware solutions. The intrusion was detected only when ICRC installed advanced endpoint detection and response agents as part of a planned enhancement programme.

    An anomaly was detected in the system within 70 days of the breach occurring, leading experts to initiate a deep dive. On 18 January, ICRC’s technical team determined that servers had been compromised. “Our analysis shows that the breach occurred on 9 November 2021.”

    Related: ICRC still clueless on data breach 

    The hackers were able to enter the network and access its systems by exploiting an unpatched critical vulnerability that allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

    “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators,” says ICRC in its statement, adding, “This in turn allowed them to access the data, despite this data being encrypted.”

    Willing to communicate

    Elaborating on What went wrong with its defences, the ICRC statement says, “Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cybersecurity, but unfortunately, we did not apply this patch in time before the attack took place.”

    Candidly, ICRC says that it cannot ascertain who was behind the attack or why it was carried out and that it has not had any contact with the hackers and neither has any ransom ask been made.

    “In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” it says, reiterating its call to the hackers not to share, sell, leak or otherwise use this data.

    ICRC says that it presumes that data sets copied and exported, knowing that the hackers were inside the systems and therefore had the capacity to copy and export it. But the organisation is certain at the moment that none of the data was deleted.

    ICRC says that it does not have any conclusive evidence of the data being made available to others, including on the dark web.

    - Advertisement -

    LEAVE A REPLY

    Please enter your comment!
    Please enter your name here

    Latest news

    NDDB to Execute Upgradation of Biocontainment Facility

    NDDB has executed projects of several bio-containment labs and associated infrastructure in livestock health sector across the country in...

    UN’s Development Goals: Rich Nations Lead While World’s Poor Lag Far Behind

    According to the ninth edition of the Sustainable Development Report released by the UN Sustainable Development Solutions Network, none...

    UNICEF-Backed Report Says Pollution Killed 1.69 Lakh Children in India in 2021

    The State of Global Air report published in partnership with the UN Children’s Fund (UNICEF) warns on Wednesday that...

    A New Way to Spot Life-threatening Infections in Cancer Patients

    Leuko, founded by a research team at MIT, is giving doctors a noninvasive way to monitor cancer patients’ health...
    - Advertisement -

    Water Shortages Feared as Hindu Kush Himalaya Sees Second-Lowest Snow Persistence on Record

    In the Ganges River Basin, there has been significant fluctuations in the past twenty-two years. Prior to 2024, the...

    PM Releases Seventeenth PM-KISAN Instalment of Rs. 20,000 Crores

    The prime minister lauded the use of technology in taking the benefits to the deserved beneficiaries and also credited...

    Must read

    NDDB to Execute Upgradation of Biocontainment Facility

    NDDB has executed projects of several bio-containment labs and...

    UN’s Development Goals: Rich Nations Lead While World’s Poor Lag Far Behind

    According to the ninth edition of the Sustainable Development...
    - Advertisement -

    More from the sectionRELATED
    Recommended to you