Red Cross cyber attack the work of nation-state actors

A cyber attack on the systems of the International Committee of the Red Cross (ICRC), which resulted in the data of more than 515,000 vulnerable people being compromised, appears to have been the work of an undisclosed nation-state actor, the organisation has revealed.

The attack came to light on 18 January 2022, when the ICRC disclosed that it had been compromised. The compromised data relates to the organisation’s Restoring Family Links programme, which assists people separated from their families due to conflict, migration or disaster, reunites missing persons with their families, and helps people in detention.

In a new update published on 16 February, the ICRC said its attackers made use of “considerable resources” to access its systems using tactics, techniques and procedures that most detection tools could not have picked up. Among them were advanced hacking tools designed for offensive security that are known to be primarily used by advanced persistent threat (APT) groups with nation-state links, as well as sophisticated obfuscation techniques.

Moreover, the investigation has found that the attack was highly targeted, using a piece of code that had been written purely to be executed on the ICRC’s servers, with the tools used explicitly referring to the targeted servers’ unique MAC addresses. The ICRC’s anti-malware tools, which did detect and block parts of the attack, missed a number of malicious files that were specifically crafted to bypass its defences, and it was only after installing new endpoint detection and response (EDR) tools that it spotted them.

Initially, the ICRC had said the attackers accessed its systems through a third-party storage services provider that it contracts with, but it has now found that this was not the case. The attackers in fact accessed its systems through a critical unpatched vulnerability tracked as CVE-2021-40539. This flaw exists in Zoho ManageEngine ADSelfService Plus version 6113 and leaves it vulnerable to a REST application programming interface (API) authentication bypass leading to remote code execution (RCE).

Once inside, they were able to place web shells and conduct various post-exploitation activities, including the compromise of admin accounts, lateral movement and the exfiltration of registry hives and Active Directory files. They also, at this point, deployed offensive security tools that disguised them as legitimate users or admins, which in turn let them get at the encrypted data.

The initial compromise is now thought to have occurred on 9 November 2021, meaning the attackers were inside the ICRC’s systems for around 70 days.

“The patching process is an extensive activity for any large enterprise. Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cyber security, but unfortunately, we did not apply this patch in time before the attack took place,” said the ICRC.

“We have a multi-level cyber defence system at the ICRC that includes endpoint monitoring, scanning software and other tools. In this instance, our analysis after the attack revealed that our vulnerability management processes and tools did not stop this breach. We have made immediate changes in both areas.

“Furthermore, we are speeding up the activities already planned as part of our latest cyber security enhancement programme launched in February 2021 in response to constantly evolving threats.”

The ICRC declined to attribute the attack to any currently known nation-state actor, and said it would not speculate on this point.

“We have not had any contact with the hackers and no ransom ask has been made. In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action. We also reiterate our call to the hackers not to share, sell, leak or otherwise use this data,” the ICRC said.

However, CVE-2021-40539 was heavily exploited by a Chinese APT in the weeks leading up to the attack, as per Palo Alto’s Unit 42.

It does, however, presume that the data sets were copied and exported, although at this point there is no indication it has been published or traded. It is also confident that the attackers are no longer present within its systems.

The ICRC has made available a list of contact details and an FAQ for those who have been affected. “We know you entrusted us with personal information and details about often traumatic events in your lives. This is not a responsibility we take lightly. We want you to know we are doing everything we can to restore the services that we offer across the world. We will work hard to maintain your trust so we can continue to serve you,” it said.

ESET global cyber security advisor Jake Moore commented: “When it comes to cyber attacks, there is simply nowhere for organisations to hide. Criminal hackers may not have a strong moral compass, but they may also not always be aware of their targets until they become victims.

“However, when the target is data of hundreds of thousands of vulnerable people and no ransom demand is made to attempt restoration, it becomes very likely and concerning that it could be nation-state attackers looking to take advantage of weaker systems in order to extract this valuable information.

“Sadly, charities are often very slow to patch their systems and have weaker protection which often makes them easy low-hanging fruit,” he added.

Gurucul founder Saryu Nayyar added: “One can only guess the nefarious purpose for a state-sponsored attack on a charitable organisation and stealing personal data on individuals and families in need. However, it does show that no institution is off limits for malicious threat actors regardless of their ultimate intent.

“While the malware was detected via a recently installed EDR agent, the attackers were able to hide their activity and prolong their presence once inside by posing as legitimate users.

“Organisations must employ more advanced solutions and automated detection capabilities, including those that focus on user behaviours in order to more quickly escalate abnormal behaviours, communications or transactions.

“In this case, unusual activity posing as legitimate users could have been detected sooner thereby preventing as much data theft as was accomplished,” she said.