In early January of this year, the International Committee of the Red Cross (ICRC) revealed that it had been the target of a sophisticated cybersecurity attack. This attack led to a data breach impacting over 515,000 people who had received aid and services from at least 60 different Red Cross and Red Crescent National Societies worldwide. According to a statement from the ICRC on Jan. 19, these are "highly vulnerable people," including those who are missing or in detention and many who were separated from families due to conflict, disasters or migration. While there's no indication that this compromised data has been used or shared publicly, the hackers responsible for the attack still remain unidentified.
Discovering the attack
After a thorough investigation into the causes, extent and impact of this cyberattack, the ICRC published an update on Feb. 16, detailing everything it knows so far. According to the post, the breach was detected by one of the humanitarian organization's contracted specialist cybersecurity companies, which uncovered an anomaly on servers storing data for the Restoring Family Links services. The Red Cross and Red Crescent network run this program with the explicit purpose of reuniting families that have been separated due to war, natural disasters, migration or detention. However, due to the attack, the ICRC was forced to shut down the systems supporting the Restoring Family Links program.
"Every day, the Red Cross Red Crescent Movement helps reunite on average 12 missing people with their families. That's a dozen joyful family reunifications every day. Cyber-attacks like this jeopardize that essential work," said Robert Mardini, the organization's director-general.
After detecting the anomaly, the ICRC immediately conducted a deep data dive and, on Jan. 18, determined that hackers had compromised its servers on Nov. 9, 2021. These cybercriminals had full access to all of the Restoring Family Links data, including personal information such as names, locations and other contact information. For many, the biggest concern now is that those bad actors could potentially use the stolen data to bring further harm to victims.
"Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering," said Mardini, appealing to the hackers, "The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data."
The details of the attack
According to the ICRC's update, the hackers were able to access the organization's systems by exploiting the Zoho bug, an unpatched critical vulnerability in an authentication module. The Zoho bug, or CVE-2021-40539 as it's officially called, enables malicious cybercriminals to place web shells that compromise credentials and dive deeper into the network to exfiltrate sensitive data. When the hackers got inside the ICRC's network, they deployed offensive security tools that disguised themselves and their activity from detection methods.
As of the latest updates, the ICRC has not made contact with the hackers and it remains uncertain who was responsible for the attack. It is also unknown whether the breach stemmed from a small group of individuals, terrorists or nation-state hackers, and the ICRC refuses to speculate. Instead, it offered to speak directly and confidentially with the threat actor(s) to communicate the significance of humanitarian action and reiterate its plea to not use the stolen data.
Aftermath and impacts
While there is little information on what happened to the stolen data, the ICRC presumes that it has already been copied and exported. However, nothing was deleted during the breach, allowing the organization to set up interim systems and continue its important humanitarian work. So far, there is no conclusive evidence that the information has been leaked to the public or traded on the dark web, and the ICRC's cybersecurity team is looking into any reports of such activity.
In conjunction with the Red Cross and Red Crescent National Societies, the ICRC is also sending delegations on the ground to inform victims of the data breach, either in person or through phone calls, public announcements, letters, etc. This is a complicated, time-consuming task that, in some cases, requires traveling to remote communities. The organization is also using workaround solutions to continue reuniting missing persons with their families until it rebuilds the online environment for the Central Tracing Agency.
How to protect your organization's data from security breaches
Whether you work for a humanitarian organization or a for-profit company, cybersecurity is an essential part of any organization. Protecting your sensitive information can be difficult, especially on legacy systems running obsolete or outdated emulation software. That's why Inventu offers a powerful terminal emulation tool that can help boost your organization's cybersecurity and prevent unfortunate data breaches.