More

    Nation state or state-sponsored group behind ICRC cyber-attack?

    Civil societyNation state or state-sponsored group behind ICRC cyber-attack?
    - Advertisment -

    Nation state or state-sponsored group behind ICRC cyber-attack?

    A month has passed since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked.

    The International Committee of the Red Cross today shared an open letter penned by its director general, Robert Mardini. The ICRC boss said that the organisation has been working to understand how this attack happened, its ramifications, how the organisation can improve its security systems, and how to communicate the facts to the people whom ICRC assists.

    Nearly a month since the International Committee of the Red Cross (ICRC) determined that servers hosting personal data belonging to more than 515,000 people worldwide had been hacked, ICRC has shared some details on what happened and how hackers got access to confidential data, particularly concerning its ‘Restoring Family Links’ programme.

    According to the ICRC, the hackers made use of considerable resources to access its systems and used tactics that most detection tools would not have picked up.

    - Advertisement -

    Related: Sophisticated cyber-attack targets Red Cross data on 500,000 people

    ICRC says that the attackers used a very specific set of advanced hacking tools designed for offensive security. These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors. An advanced persistent threat group is typically a nation state or state-sponsored group, which gains unauthorized access to a computer network and remains undetected for an extended period. In recent times, the term may also refer to non-state-sponsored groups conducting large-scale targeted intrusions for specific goals.

    Hackers deployed offensive security tools

    The ICRC says that the attackers used sophisticated obfuscation techniques to hide and protect their malicious programs – techniques that require a high level of skills only available to a limited number of actors.

    “We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address),” a statement released by the humanitarian group says.

    Though installed anti-malware tools were active and did detect and block some of the files used by the attackers, yet most of the malicious files deployed were specifically crafted to bypass the anti-malware solutions. The intrusion was detected only when ICRC installed advanced endpoint detection and response agents as part of a planned enhancement programme.

    An anomaly was detected in the system within 70 days of the breach occurring, leading experts to initiate a deep dive. On 18 January, ICRC’s technical team determined that servers had been compromised. “Our analysis shows that the breach occurred on 9 November 2021.”

    Related: ICRC still clueless on data breach 

    The hackers were able to enter the network and access its systems by exploiting an unpatched critical vulnerability that allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files.

    “Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators,” says ICRC in its statement, adding, “This in turn allowed them to access the data, despite this data being encrypted.”

    Willing to communicate

    Elaborating on What went wrong with its defences, the ICRC statement says, “Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cybersecurity, but unfortunately, we did not apply this patch in time before the attack took place.”

    Candidly, ICRC says that it cannot ascertain who was behind the attack or why it was carried out and that it has not had any contact with the hackers and neither has any ransom ask been made.

    “In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action,” it says, reiterating its call to the hackers not to share, sell, leak or otherwise use this data.

    ICRC says that it presumes that data sets copied and exported, knowing that the hackers were inside the systems and therefore had the capacity to copy and export it. But the organisation is certain at the moment that none of the data was deleted.

    ICRC says that it does not have any conclusive evidence of the data being made available to others, including on the dark web.

    - Advertisement -

    LEAVE A REPLY

    Please enter your comment!
    Please enter your name here

    Latest news

    Citizens Urge NHRC to Declare Extreme Heat a Human Rights Emergency in Delhi

    The submission, coordinated under Greenpeace India’s Delhi Rising campaign, calls on the Commission to formally recognise extreme heat as a human rights issue and push for adequate state funding of heat action plans.

    Thali Costs Climb in June on Vegetable and Fuel Price Surge, says CRISIL

    June 2026’s thali cost increases highlight the interplay of domestic weather, global supply issues, and structural factors in India’s food inflation.

    Unpaid Burden: Sri Lanka’s Women Work 8.5 Months a Year for Free

    Experts advocate treating care as essential social infrastructure. Expanding services, redistributing unpaid work through policy, and challenging norms that sideline educated women could unlock significant gains.

    Deadly Monsoon Fury: Bangladesh Battles Widespread Flooding Crisis

    This 2026 event arrives after earlier haor region floods earlier in the year, underscoring recurring pressures. Migration to urban centres and climate adaptation efforts remain critical long-term challenges.
    - Advertisement -

    Sri Lanka Targets Poverty Eradication: Aswesuma Programme Set for Phase-Out by 2030

    Launched in 2023 amid the aftermath of Sri Lanka’s unprecedented economic turmoil, Aswesuma represented a targeted overhaul of the country’s social protection system.

    Civil Society Rallies Behind Bengaluru Street Vendors: “Don’t Sacrifice Livelihoods for Footpaths”

    Street vendors embody the resilience of India’s informal economy. Their struggle highlights the need for policies that listen to the voices of the working poor rather than displacing them in the name of progress.

    Must read

    Citizens Urge NHRC to Declare Extreme Heat a Human Rights Emergency in Delhi

    The submission, coordinated under Greenpeace India’s Delhi Rising campaign, calls on the Commission to formally recognise extreme heat as a human rights issue and push for adequate state funding of heat action plans.

    Thali Costs Climb in June on Vegetable and Fuel Price Surge, says CRISIL

    June 2026’s thali cost increases highlight the interplay of domestic weather, global supply issues, and structural factors in India’s food inflation.
    - Advertisement -

    More from the sectionRELATED
    Recommended to you