Update: 'This Was a Targeted Attack,' Says Red CrossOrganization Asks Attackers to Not 'Share, Sell or Leak' Stolen Data
Data on more than 515,000 highly vulnerable people has been compromised as the result of a supply chain cyberattack, the International Committee of the Red Cross has disclosed.
While the ICRC declined to name the partner that was hacked, Crystal Wells, media and editorial manager of the ICRC, tells Information Security Media Group: "The external supplier is hosting our servers. We manage the data and applications on these servers. This was a targeted attack on our servers, which are being hosted by our partner." The ICRC has previously described the partner as an external company in Switzerland.
There is no specific information yet about the attacker or their motivation, but Wells confirms that ransomware was not used in the cyberattack. She described the timeline of the attack, telling ISMG: "After the completion of our initial analysis, we can see that the first breach occurred on the Nov. 9, 2021. We learned of the breach on Jan. 18, and we have had a team of people working around the clock ever since to understand and respond to the attack.
"We have suspended all access to the compromised systems to mitigate the immediate impact of this attack. We are now in the process of identifying short-term solutions to enable Red Cross and Red Crescent teams worldwide to continue providing humanitarian services for the people impacted by this breach."
While Wells did not name who the ICRC is working with, she confirms that the organization has partnered with "highly specialized firms to help us with this" and says the ICRC is "in contact with the competent national authorities."
Wells confirms that the hack compromised personal data - such as names, locations and contact information - of more than 500,000 people. She tells ISMG: "The people affected include missing people and their families, unaccompanied or separated children, detainees and other people receiving services from the Red Cross and Red Crescent Movement. Login information for about 2,000 Red Cross and Red Crescent staff and volunteers who work on these programs and use these systems has also been compromised. No other information at the ICRC was compromised due to the segmentation of the systems."
The compromised data originated from at least 60 Red Cross and Red Crescent National Societies around the world, according to the ICRC.
The ICRC says there is not yet any indication that the compromised information has been leaked or shared publicly, however its humanitarian activities are already being affected. Wells tells ISMG: "Every day, the Red Cross and Red Crescent Movement helps reunite 12 people with their families. Our ability to do that work as a Red Cross and Red Crescent Movement is seriously impacted by this cyberattack. As a result of the breach, we have been forced to take the data-hosting systems in question offline, severely limiting the humanitarian services we can offer to the over half a million people affected."
The organization has appealed to the unidentified attackers to not misuse the data, as it would cause additional stress to vulnerable victims.
As we are working to understand the scope of this cyber-attack, we call on those responsible to walk away.— ICRC (@ICRC) January 19, 2022
Do not cause more harm and suffering to highly vulnerable people by sharing, selling or using their data.
Echoing the sentiment, Robert Mardini, director general of the ICRC, says that he's "appalled and perplexed" that humanitarian information would be targeted and compromised as "this cyberattack puts vulnerable people, those already in need of humanitarian services, at further risk."
We @ICRC are appalled by this grave #humanitariandata breach that puts at risk more than 500,000 already vulnerable people. We call on the perpetrators not to misuse the highly sensitive information now in their hands. https://t.co/8yPdV4kxfc— Robert Mardini (@RMardiniICRC) January 19, 2022
Appealing to the threat actors, Mardini says: "Your actions could potentially cause yet more harm and pain to those who have already endured untold suffering. The real people, the real families behind the information you now have are among the world's least powerful. Please do the right thing. Do not share, sell, leak or otherwise use this data."
Cyberattacks have unfortunately become an occupational hazard for charity and relief organizations, says Brian Higgins, security specialist at cybersecurity company Comparitech.
"The vital nature of the data they possess, along with the extreme vulnerability of the individuals they help, is a highly attractive target for certain groups of cybercriminals," he tells ISMG.
"In the absence of any clear idea of motivation at this stage, the Red Cross is clearly doing everything they reasonably can to respond," he says.
In fact, the organization itself advocates data protection in a handbook last revised in June 2020.
The handbook is a part of the Brussels Privacy Hub and ICRC’s Data Protection in Humanitarian Action project and includes views from data protection authorities from France, Belgium, the Netherlands, Spain and Switzerland.
It aims to help staffers of humanitarian organizations involved in processing personal data, particularly those in charge of advising and applying data protection standards. It also advises on compliance with personal data protection standards, raises awareness, and provides specific guidance on the interpretation of data protection principles in the context of humanitarian action, particularly when new technologies are employed.
The handbook also talks about the data protection - including retention, processing and sharing of data - with respect to third parties.
Terming the news "disastrous, Marietje Schaake, senior advisor at the Eurasia Group and international policy director at Stanford's Cyber Policy Center, says that "the world’s most vulnerable - refugees and people in need - have cynically had their data stolen as the ICRC's systems were attacked. The need for stronger prevention and for accountability is growing with every cyberattack."
At a time when third-party and supply chain organizations are vital elements of doing business, it is nearly impossible to implement consistent security protocols and defenses across an entire enterprise, Comparitech's Higgins says. "Attackers will always find a weak link in the chain and exploit it," he adds.
Industry and businesses can do little about software vulnerabilities, other than apply patches after they have become known, and potentially exploited, and stop data loss or systems being held to ransom, says John Goodacre, director of UKRI’s Digital Security by Design platform.
"This latest cyberattack again amplifies the need that everyone must maintain the best cyber practices and ensure all software is fully patched to reduce the risk that any vulnerability is exposed to exploitation," he tells ISMG.
Industry commentators reacted with despair at the attackers, but not surprise. While most empathized with the difficulties faced in securing nonprofit organizations, it was noted that obfuscating or encrypting data could have minimized its misuse. Sam Curry, chief security officer at Cybereason, tells Information Security Media Group: “The attackers that carried out the cyberattack on the Red Cross either hit them accidentally, which I don’t believe, or they are performing the coldest calculus with lives intentionally. Frankly, knowing that there are low-life cybercriminals behind this, that have likely attacked with a cold calculus, is maddening.
"The nonprofit world may not have margins, but they are accountable to donors and backers for spending as high a percent as possible of their funds on the mission. It’s fair to say though that security at a nonprofit is playing the cyber game on the hardest difficulty level."
Contempt for the attackers was echoed by Trevor Morgan, product manager at Comforte AG, who said: "From time to time, a cyberattack demonstrates the utter lack of compassion that hackers possess. Reports of a sophisticated attack targeting the International Committee of the Red Cross - a global humanitarian organization providing much-needed assistance to the victims of conflict and violence - make a compassionate person recoil at a flagrant instance of kicking people when they’re already down and out. Of course, the third-party business which stores the ICRC’s data bears responsibility for adequately storing and protecting sensitive information, so we can only hope that the personal data of those who are already suffering cannot or will not be leveraged by the guilty threat actors. Data-centric security in the form of strong encryption, tokenization and format-preserving encryption can ensure that even in situations like this one, threat actors can’t profit from the information they steal, even if they are able to get their hands directly on it, by obfuscating the true meaning of sensitive data elements."
As with attacks on health systems, Javvad Malik, lead security awareness advocate at KnowBe4, describes the attack as a reminder that today's cybersecurity discipline is different from what it was 20 years ago. "No longer is it about protecting data but protecting lives. It's quite concerning how sensitive the data is that has been exposed, and one hopes the information doesn't appear on forums or for sale."
Jamie Akhtar, CEO and co-founder of CyberSmart, points out that once again, "We’re discussing an attack that started in the organization’s supply chain. Indirect attacks on large organizations are fast becoming a favored tactic of cybercriminals; it’s often much easier to breach a supplier or subsidiary first. So we urge businesses big and small to start conversations with your supply chain. Share security practices, be transparent and keep lines of communication open. It might just be the difference between successfully avoiding a breach or not."