The International Committee of the Red Cross (ICRC) said today that the cyberattack on its computers revealed last month was a targeted attack likely orchestrated by a state-sponsored hacker gang. During the hack, the attackers acquired access to the personal information (names, addresses, and contact info) of approximately 515,000 people who are part of the “Restoring Family Links” program, which helps reconnect families separated by war, calamity, or migration.
To infiltrate the Red Cross servers, the threat actors employed tactics and bespoke hacking tools “built for offensive security,” along with obfuscation techniques to elude detection. All of these are commonly associated with advanced persistent threat (APT) groups.
According to the Red Cross, the attackers used “code built only for execution on the targeted ICRC servers.” They used the targeted servers’ MAC addresses, demonstrating the targeted nature of the attack. Moreover, “most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected.”
During the inquiry, the Red Cross revealed that the attackers retained access to its systems for 70 days following the initial breach on November 9, 2021. The attackers exploited a severe unpatched vulnerability (CVE-2021-40539) in Zoho’s ManageEngine ADSelfService Plus enterprise password management product to gain access to the network, allowing them to execute malware remotely without authentication.
The Red Cross did not attribute the attack to a single threat actor, but it did warn the hackers not to share, disclose, or sell the highly sensitive information obtained during the incident. While the perpetrators of the attack have yet to be identified, at least one state-sponsored hacking group is known to have exploited the CVE-2021-40539 vulnerability in attacks.
Last year, the FBI and CISA published a joint advisory (1, 2) warning of APT groups exploiting ManageEngine vulnerabilities to drop web shells on the networks of compromised critical infrastructure organizations.