
    Nation state or state-sponsored group behind ICRC cyber-attack?

    A month has passed since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked.

    The International Committee of the Red Cross today shared an open letter penned by its director general, Robert Mardini. The ICRC boss said that the organisation has been working to understand how this attack happened, its ramifications, how the organisation can improve its security systems, and how to communicate the facts to the people whom ICRC assists.

    Nearly a month since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked, ICRC has shared some details on what happened and how hackers got access to confidential data, particularly concerning its ‘Restoring Family Links’ programme.

    According to the ICRC, the hackers made use of considerable resources to access its systems and used tactics that most detection tools would not have picked up.

    ICRC says that the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not publicly available and are therefore out of reach of other actors. An advanced persistent threat group is typically a nation state or state-sponsored group that gains unauthorised access to a computer network and remains undetected for an extended period. In recent times, the term has also come to cover non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

    Hackers deployed offensive security tools

    The ICRC says that the attackers used sophisticated obfuscation techniques to hide and protect their malicious programs – techniques that require a high level of skills only available to a limited number of actors.

    “We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” a statement released by the humanitarian group says.

    Although the installed anti-malware tools were active and did detect and block some of the files used by the attackers, most of the malicious files deployed were specifically crafted to bypass those anti-malware solutions. The intrusion was detected only when ICRC installed advanced endpoint detection and response agents as part of a planned enhancement programme.

    An anomaly was detected in the system within 70 days of the breach occurring, leading experts to initiate a deep dive. On 18 January, ICRC’s technical team determined that servers had been compromised. “Our analysis shows that the breach occurred on 9 November 2021.”

    The hackers were able to enter the network and access its systems by exploiting an unpatched critical vulnerability that allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

    “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators,” says ICRC in its statement, adding, “This in turn allowed them to access the data, despite this data being encrypted.”
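The post-exploitation chain the ICRC describes (web shell placement, export of registry hives, copying of Active Directory files) leaves footprints in process-creation and file-creation telemetry, which is exactly what the endpoint detection and response agents mentioned above collect. The following added example, which is not ICRC's code and is not based on any artefact from this incident, runs three simple detection rules over a handful of constructed log lines in a hypothetical "timestamp|host|user|process|command_line|target_path" format (in practice these fields would come from Sysmon or Windows Security event 4688 records). It generalises slightly beyond the article by flagging the SECURITY hive and ntds.dit references as well as SAM/SYSTEM.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample telemetry (not real ICRC data) in a hypothetical
# six-field, pipe-separated layout. The last line is benign and must not fire.
SAMPLE_LOGS = [
    "2021-11-09T02:14:05|web01|NT AUTHORITY\\SYSTEM|w3wp.exe|w3wp.exe -ap DefaultAppPool|C:\\inetpub\\wwwroot\\aspnet_client\\cmd.aspx",
    "2021-11-09T02:15:41|web01|NT AUTHORITY\\SYSTEM|cmd.exe|cmd.exe /c reg save HKLM\\SAM C:\\Windows\\Temp\\sam.hiv|",
    "2021-11-09T02:15:43|web01|NT AUTHORITY\\SYSTEM|cmd.exe|cmd.exe /c reg save HKLM\\SYSTEM C:\\Windows\\Temp\\sys.hiv|",
    "2021-11-10T23:02:11|dc01|CORP\\svc_backup|ntdsutil.exe|ntdsutil.exe \"ac i ntds\" \"ifm\" \"create full C:\\Temp\\ifm\" q q|",
    "2021-11-11T08:00:00|web01|CORP\\jdoe|notepad.exe|notepad.exe C:\\Users\\jdoe\\notes.txt|",
]

# Hypothetical field layout of the constructed lines above.
FIELDS = ("timestamp", "host", "user", "process", "command_line", "target_path")

# Rule 1: the IIS worker process creating a server-side script under the web root
# is the classic sign of a web shell being dropped through a web-facing flaw.
WEB_ROOT_SCRIPT = re.compile(r"\\inetpub\\wwwroot\\.*\.(aspx|ashx|asmx|asp|php)$", re.IGNORECASE)
# Rule 2: exporting the SAM/SYSTEM/SECURITY hives is how local credential material
# is taken offline for cracking or reuse.
HIVE_EXPORT = re.compile(
    r"\breg(?:\.exe)?\s+save\s+(?:HKLM|HKEY_LOCAL_MACHINE)\\(SAM|SYSTEM|SECURITY)\b", re.IGNORECASE)
# Rule 3: ntdsutil "install from media" or any direct reference to ntds.dit on a
# domain controller indicates the Active Directory database is being copied.
NTDS_DUMP = re.compile(r"ntdsutil(?:\.exe)?.*\bifm\b|ntds\.dit", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    rule: str
    timestamp: str
    host: str
    user: str
    detail: str


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one pipe-separated record into a field dict; None if malformed."""
    parts = line.rstrip("\n").split("|")
    if len(parts) != len(FIELDS):
        return None
    return dict(zip(FIELDS, parts))


def evaluate(event: Dict[str, str]) -> Optional[Finding]:
    """Apply the three rules to a single parsed event; return the first match."""
    proc = event["process"].lower()
    cmd = event["command_line"]
    path = event["target_path"]
    base = (event["timestamp"], event["host"], event["user"])
    if proc == "w3wp.exe" and WEB_ROOT_SCRIPT.search(path):
        return Finding("web_shell_drop", *base, f"IIS worker wrote script file {path}")
    m = HIVE_EXPORT.search(cmd)
    if m:
        return Finding("hive_export", *base, f"exported HKLM\\{m.group(1).upper()} hive")
    if NTDS_DUMP.search(cmd):
        return Finding("ntds_dump", *base, f"Active Directory database copy attempt: {cmd}")
    return None


def detect(lines: List[str]) -> List[Finding]:
    """Run the rules over raw log lines, skipping anything that does not parse."""
    findings = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        finding = evaluate(event)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOGS):
        print(f"[{f.rule}] {f.timestamp} {f.host} {f.user}: {f.detail}")
```

Each rule on its own would produce some noise in a large estate (administrators do run ntdsutil for legitimate backups), which is why the findings carry host and user: correlating a hive export on a web server with a later AD copy on a domain controller, as in the constructed sample, is what turns individual alerts into the kind of anomaly that prompted the ICRC's deep dive.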

    Willing to communicate

    Elaborating on what went wrong with its defences, the ICRC statement says, “Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cybersecurity, but unfortunately, we did not apply this patch in time before the attack took place.”

    Candidly, ICRC says that it cannot ascertain who was behind the attack or why it was carried out, that it has not had any contact with the hackers, and that no ransom demand has been made.

    “In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” it says, reiterating its call to the hackers not to share, sell, leak or otherwise use this data.

    ICRC says that it presumes the data sets were copied and exported, knowing that the hackers were inside the systems and therefore had the capacity to copy and export them. But the organisation is certain, at the moment, that none of the data was deleted.

    ICRC says that it does not have any conclusive evidence of the data being made available to others, including on the dark web.
