Red Cross says ‘state-sponsored’ hackers exploited unpatched vulnerability

The recent cyberattack on the International Committee of the Red Cross (ICRC), which compromised the data of more than 515,000 “highly vulnerable” people, was likely the work of state-sponsored hackers.

In an update published on Wednesday, the ICRC confirmed that the initial intrusion dates back to November 9, 2021, two months before the attack was disclosed on January 18, adding that its analysis shows that the intrusion was a “highly-sophisticated” targeted attack on its systems — and not an attack on third-party contractor systems as the ICRC first said.

The ICRC said it knows the attack was targeted “because the attackers created code designed solely for execution on the concerned ICRC servers.” In other words, the malware was not generic commodity tooling but was built, according to the update, to run on specific servers within the ICRC’s infrastructure.

Hackers gained access to the ICRC’s network by exploiting a known but unpatched critical-rated vulnerability in a single sign-on tool developed by Zoho, which makes web-based office services; the ICRC has identified the product as ManageEngine ADSelfService Plus and the flaw as CVE-2021-40539, an authentication bypass that leads to remote code execution. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory on the vulnerability in September 2021, and it carries a CVSS severity score of 9.8 out of 10. That timeline matters: a fix and a public warning had both been available for roughly two months before the November 9 intrusion.

By exploiting this flaw, the unnamed state-sponsored hackers placed web shells on the server and then carried out post-exploitation activities, like compromising administrator credentials, moving laterally through the network, and exfiltrating registry hives and Active Directory domain files (the usual raw material for extracting password hashes offline), according to the ICRC.

“Once inside our network, the hackers were able to deploy offensive security tools which allowed them to disguise themselves as legitimate users or administrators. This in turn allowed them to access the data, despite this data being encrypted,” the ICRC said. Encryption at rest is no obstacle to an attacker who holds the credentials of an account that is entitled to decrypt the data. The Red Cross added that it has no conclusive evidence that the data stolen in the attack has been published or is being traded, nor was a ransom demand made, but said it’s contacting those whose sensitive information may have been accessed.

The ICRC says its anti-malware tools on the targeted servers were active at the time of the attack and blocked some of the malicious files used by the attackers, but that most of the files deployed were “specifically crafted to bypass” its anti-malware protections.
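Because the files themselves were built to evade anti-malware, the activity the ICRC describes (a web shell planted through the exploited web application, that application then running commands, and credential stores being copied off the host) is more reliably caught in behavioural telemetry than by file signatures. The following Python sketch is an added example, not code from the article, the ICRC or CISA: it runs three such checks over constructed process-creation and file-write events. It assumes the Zoho product is ManageEngine ADSelfService Plus installed at its default Windows path, and the log line format and every sample event are made up for the example.

```python
"""Toy behavioural hunt for the post-exploitation pattern described above:
web shell dropped into the web app tree, web app process spawning a shell,
credential stores (registry hives, AD database) copied for offline use.
Paths, log format and events are assumptions, not real ICRC telemetry."""
import re
from dataclasses import dataclass

# Assumed default install root of ADSelfService Plus on Windows; the app's own
# Java process runs from under this directory.
ADSSP_ROOT = r"c:\manageengine\adselfservice plus"
WEBAPP_DIR = ADSSP_ROOT + r"\webapps"
SHELL_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "whoami.exe", "net.exe"}

# Command lines that copy credential stores: registry hives (SAM/SECURITY/
# SYSTEM) and the AD database via ntdsutil IFM or a volume shadow copy.
CRED_DUMP_PATTERNS = [
    re.compile(r"reg(?:\.exe)?\s+save\s+hklm\\(sam|security|system)", re.I),
    re.compile(r"ntdsutil.*\bifm\b", re.I),
    re.compile(r"vssadmin.*create\s+shadow", re.I),
    re.compile(r"ntds\.dit", re.I),
]

@dataclass
class Event:
    kind: str    # "process" or "file"
    parent: str  # parent image (process events), "" for file events
    image: str   # created process image, or the process doing the write
    detail: str  # command line, or the path written

def parse(line):
    """Parse one constructed 'kind|parent|image|detail' telemetry line."""
    kind, parent, image, detail = line.split("|", 3)
    return Event(kind, parent.lower(), image.lower(), detail)

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1]

def classify(ev):
    """Return the list of finding names for one event (empty if benign)."""
    findings = []
    if ev.kind == "process":
        # 1. The web app's Java process has no business spawning a shell:
        #    this is what a web shell executing operator commands looks like.
        if ev.parent.startswith(ADSSP_ROOT) and basename(ev.image) in SHELL_CHILDREN:
            findings.append("webshell-exec")
        # 2. Credential-store dumping, whoever the parent is.
        if any(p.search(ev.detail) for p in CRED_DUMP_PATTERNS):
            findings.append("cred-dump")
    elif ev.kind == "file":
        # 3. A new JSP written into the served web app tree is a web shell
        #    being planted, regardless of what the file's bytes look like.
        path = ev.detail.lower()
        if path.startswith(WEBAPP_DIR) and path.endswith((".jsp", ".jspx")):
            findings.append("webshell-drop")
    return findings

def hunt(lines):
    """Run every check over all lines; return {finding: [matching details]}."""
    hits = {}
    for line in lines:
        ev = parse(line)
        for name in classify(ev):
            hits.setdefault(name, []).append(ev.detail)
    return hits

# Constructed sample telemetry for the example (not real logs).
SAMPLE = [
    r"file||C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe|C:\ManageEngine\ADSelfService Plus\webapps\adssp\html\shell.jsp",
    r"process|C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"process|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg save hklm\sam C:\Windows\Temp\sam.hiv",
    r"process|C:\Windows\System32\cmd.exe|C:\Windows\System32\reg.exe|reg save hklm\system C:\Windows\Temp\sys.hiv",
    r'process|C:\Windows\System32\cmd.exe|C:\Windows\System32\ntdsutil.exe|ntdsutil "ac i ntds" "ifm" "create full C:\Windows\Temp\ifm" q q',
    # Benign noise: the app writing its own log; an admin running a harmless reg query.
    r"file||C:\ManageEngine\ADSelfService Plus\jre\bin\java.exe|C:\ManageEngine\ADSelfService Plus\logs\serverOut.txt",
    r"process|C:\Windows\explorer.exe|C:\Windows\System32\reg.exe|reg query hkcu\software\microsoft",
]

if __name__ == "__main__":
    for finding, details in hunt(SAMPLE).items():
        print(f"{finding}: {len(details)} event(s)")
        for d in details:
            print("   ", d)
```

The first check is the one worth keeping even if the others are noisy: a web application's worker process spawning cmd.exe or powershell.exe is rare in normal operation and is independent of whatever the attacker did to make the dropped files look benign to anti-malware.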

The offensive security tools involved, the ICRC notes, are typically used by advanced persistent threat (APT) groups, meaning state-backed attackers, but the Red Cross said it has not yet formally attributed the attack to any particular organization. A Palo Alto Networks report from November 2021 linked exploitation of the same vulnerability to a Chinese state-sponsored group known as APT27, though shared exploits and tooling are weak grounds for attribution on their own.

As a result of the cyberattack, the Red Cross said it’s had to resort to using spreadsheets to carry out its vital work, which includes reuniting family members separated by conflict or disaster.

“It is our hope that this attack on vulnerable people’s data serves as a catalyst for change,” Robert Mardini, the director-general of the ICRC, said in a statement. “We will now strengthen our engagement with states and non-state actors to explicitly demand that the protection of the Red Cross and Red Crescent Movement’s humanitarian mission extends to our data assets and infrastructure.

“We believe it is critical to have a firm consensus — in words and actions — that humanitarian data must never be attacked.”