Unknown attacks International Committee of the Red Cross
Incident Date:
September 11, 2021
Overview
Title
Unknown attacks International Committee of the Red Cross
Victim
International Committee of the Red Cross (ICRC)
Attacker
Unknown
Location
First Reported
September 11, 2021
Ransomware Attack on the International Committee of the Red Cross
An unknown ransomware gang has attacked the International Committee of the Red Cross (ICRC). The ICRC first disclosed the incident on January 18th, 2022, reporting that the attackers had stolen data relating to the organization’s Restoring Family Links program, which assists people separated from their families due to conflict, migration, or disaster, reunites missing persons with their families, and helps people in detention.
February Update on the Attack
On February 16th, the ICRC released an update, reporting that the attackers made use of “considerable resources” to access its systems and steal the sensitive data of more than 515,000 vulnerable people. The group reportedly used advanced hacking tools designed for offensive security that are typically employed by nation-state-backed advanced persistent threat (APT) groups, as well as sophisticated obfuscation techniques.
Investigation Findings
An investigation into the incident has revealed that the attack was highly targeted, leveraging code that had been purpose-written for execution on ICRC’s servers and using tools that explicitly referred to the unique MAC addresses of targeted servers. While the ICRC’s anti-malware tools did detect and block parts of the attack, they missed several malicious files that were specifically designed to bypass its defenses. ICRC only discovered these malicious files after installing new endpoint detection and response (EDR) tools.
Access Through Unpatched Vulnerability
The attackers accessed ICRC’s systems through a critical unpatched vulnerability tracked as CVE-2021-40539. “The patching process is an extensive activity for any large enterprise. Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cyber security, but unfortunately, we did not apply this patch in time before the attack took place,” said the ICRC.
Recent Ransomware Attacks
The Recent Ransomware Attacks (RRA) site acts as a watchtower, providing you with near real-time ransomware tracking of attacks, groups and their victims. Given threat actors’ overarching, lucrative success so far, ransomware attacks have become the most ubiquitous, and financially and informationally impactful cyber threat to businesses and organizations today.
The site’s data is generated based on hosting choices of real-world threat actors, and a handful of other trackers. While sanitization efforts have been taken, we cannot guarantee 100% accuracy of the data. Attack updates will be made as source data is reported by reputable sources. By viewing, accessing, or using RRA you acknowledge you are doing so at your own risk.