Red Cross Data Breach Linked to State & State Sponsored Actors  

Recently the International Committee of the Red Cross (ICRC) suffered a cyber-attack in which servers hosting the personal data of more than 515,000 people worldwide were breached. According to the ICRC, the breach compromised sensitive personal information on more than 515,000 people from across the world, including their names, locations and contact information. The breached data concerned missing people and their families, detainees and other people affected by armed conflict, natural disasters or migration.

On Wednesday the ICRC issued an updated release giving further details about the incident. According to the Red Cross, the hack was state sponsored: the attackers used very advanced hacking tools of the kind used only by advanced persistent threat (APT) groups and not generally available to the public. The hackers invested considerable resources in gaining access to the Red Cross systems, and the tactics they used were beyond the capabilities of many detection tools.

On 18 January the Red Cross determined that hackers had been inside the ICRC servers and systems and had access to information relating to the global Red Cross and Red Crescent Movement's Restoring Family Links services. Red Cross analysis indicates that the breach occurred on 9 November 2021. The hackers exploited an unpatched critical vulnerability in an authentication module to enter the network, and once inside they deployed offensive security tools. This allowed them to disguise themselves as legitimate users or administrators and to access the encrypted data.

The advanced hacking tools used in the cyber-attack are the kind used in offensive cyber operations. The attackers used software code specifically designed for execution on the ICRC servers that were being targeted. The techniques they used required a high level of skill and are not available to the public.

The attackers' tactics were designed to defeat and bypass the anti-malware programs used by the Red Cross. The Red Cross detected the intrusion upon installing Endpoint Detection and Response (EDR) agents, an advanced protection program, as part of its security enhancement programme.

The vulnerability is CVE-2021-40539 in Zoho ManageEngine ADSelfService Plus, a password management solution. It has been highlighted by several organisations in the past, e.g. the US Cybersecurity and Infrastructure Security Agency (CISA), the German Federal Office for the Protection of the Constitution (BfV) and Microsoft.

The hacked data could be used by governments and groups to cause harm to people. The ICRC has appealed to the hackers to respect its humanitarian action and not to share, sell, leak or use this data, and it is willing to communicate directly and confidentially with the hackers. No ransom has been demanded by the hackers.

Bureau Galactik Views
