Unknown attacks International Committee of the Red Cross

Incident Date:

September 11, 2021


Overview

Title

Unknown attacks International Committee of the Red Cross

Victim

International Committee of the Red Cross (ICRC)

Attacker

Unknown

Location

Versoix, Switzerland

First Reported

September 11, 2021

Ransomware Attack on the International Committee of the Red Cross

An unknown ransomware gang has attacked the International Committee of the Red Cross (ICRC). The ICRC first disclosed the incident on January 18th, 2022, reporting that the attackers had stolen data from the organization's Restoring Family Links program, which assists people separated from their families by conflict, migration or disaster, searches for missing persons on behalf of their relatives, and helps people in detention.

February Update on the Attack

On February 16th, the ICRC released an update reporting that the attackers had used "considerable resources" to access its systems and steal the sensitive data of more than 515,000 vulnerable people. The group reportedly used offensive-security tooling of the kind typically employed by nation-state-backed advanced persistent threat (APT) groups, together with sophisticated obfuscation techniques.

Investigation Findings

The investigation found that the attack was highly targeted: the attackers used code written specifically to run on the ICRC's servers, and their tools explicitly referenced the unique MAC addresses of the targeted servers. The ICRC's anti-malware tools detected and blocked parts of the attack but missed several malicious files that had been designed to evade them; those files only came to light after the ICRC deployed new endpoint detection and response (EDR) tooling. Tooling built for a single host defeats signature-based detection by construction, since no other victim will ever submit the same sample, which is why behaviour-based EDR found what the anti-malware scanner did not.
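One practical takeaway from the MAC-address detail above is a hunt for tooling bound to a specific host. The script below is an added example for this page, not the ICRC's tooling or the investigators' code: it builds the byte patterns under which a host's MAC address might be embedded in a file (the raw six bytes, and the common text spellings in ASCII and UTF-16LE) and flags files under a directory tree that contain any of them. SAMPLE_MAC, the file names and their contents are constructed for the demonstration.

```python
"""Hunt for files that embed one of this host's own MAC addresses.

Added example for this page; it is not ICRC tooling or the investigators'
code. The ICRC reported that attacker tooling referred explicitly to the
MAC addresses of the targeted servers, and legitimate software seldom
hard-codes the MAC of the machine it runs on, so a file that does is a
cheap hunting lead. Every sample file below is constructed for the demo.
"""
import os
import re
import tempfile
from pathlib import Path

SAMPLE_MAC = "00:11:22:aa:bb:cc"  # constructed value, not a real host's MAC


def normalize_mac(mac: str) -> bytes:
    """Return the six raw bytes of a MAC written in any common text form."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(hexdigits)


def mac_signatures(mac: str) -> dict[str, bytes]:
    """Byte patterns a tailored tool might carry for this MAC: the raw bytes
    and the usual spellings in ASCII and UTF-16LE (Windows binaries often
    store strings as wide characters)."""
    raw = normalize_mac(mac)
    if raw in (b"\x00" * 6, b"\xff" * 6):
        raise ValueError("all-zero or broadcast MAC would match everywhere")
    pairs = [raw[i:i + 1].hex() for i in range(6)]
    texts = {
        "colon": ":".join(pairs),
        "dash": "-".join(pairs),
        "bare": "".join(pairs),
        "cisco": ".".join("".join(pairs[i:i + 2]) for i in (0, 2, 4)),
    }
    sigs = {"raw": raw}
    for name, text in texts.items():
        for case, spelled in (("lower", text), ("upper", text.upper())):
            sigs[f"{name}-{case}-ascii"] = spelled.encode("ascii")
            sigs[f"{name}-{case}-utf16le"] = spelled.encode("utf-16-le")
    return sigs


def scan_tree(root, macs, max_size=64 * 1024 * 1024):
    """Return (path, mac, encoding) for each regular file under root that
    contains one of the MACs in any encoding from mac_signatures()."""
    sigs = [(m, name, sig) for m in macs for name, sig in mac_signatures(m).items()]
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        try:
            if path.stat().st_size > max_size:
                continue  # oversized files: scan separately, not silently
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file; a real hunt would log this
        for mac, name, sig in sigs:
            if sig in data:
                hits.append((str(path), mac, name))
                break  # one match is enough to flag the file
    return hits


def build_sample_tree(root: str) -> None:
    """Constructed files: one benign and three embedding SAMPLE_MAC differently."""
    root = Path(root)
    (root / "sub").mkdir(exist_ok=True)
    (root / "notes.txt").write_bytes(b"quarterly report draft\n")
    dashed_upper = SAMPLE_MAC.upper().replace(":", "-").encode("ascii")
    (root / "tool.cfg").write_bytes(b"target=" + dashed_upper + b"\n")
    (root / "sub" / "agent.bin").write_bytes(
        b"\x7fELF" + os.urandom(32) + normalize_mac(SAMPLE_MAC) + os.urandom(16))
    (root / "sub" / "win.dat").write_bytes(SAMPLE_MAC.encode("utf-16-le"))


def demo() -> list[tuple[str, str]]:
    """Build the sample tree in a temp dir, scan it for SAMPLE_MAC and return
    (file name, matched encoding) pairs sorted by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_tree(tmp, [SAMPLE_MAC])
    return sorted((os.path.basename(p), enc) for p, _mac, enc in hits)


if __name__ == "__main__":
    for name, enc in demo():
        print(f"{name}: embeds the host MAC as {enc}")
```

Run `scan_tree` against suspect directories with the host's real MAC addresses taken from `ip link` or `Get-NetAdapter`. Expect benign hits in places that legitimately record the MAC (DHCP leases, NIC configuration, system logs), so scope the scan to application directories, temp paths and download locations, and treat a hit inside an executable or script as a lead for EDR triage rather than as proof of compromise.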

Access Through Unpatched Vulnerability

The attackers gained access to the ICRC's systems through a critical unpatched vulnerability in an authentication module, tracked as CVE-2021-40539 (an authentication bypass in Zoho ManageEngine ADSelfService Plus that allows remote code execution). "The patching process is an extensive activity for any large enterprise. Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cyber security, but unfortunately, we did not apply this patch in time before the attack took place," said the ICRC.

Recent Ransomware Attacks

The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing near real-time tracking of ransomware attacks, groups and their victims. Given threat actors' lucrative success so far, ransomware has become the most ubiquitous, and the most financially and informationally damaging, cyber threat to businesses and organizations today.

The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.