Nation-state actor suspected behind the Red Cross attack
Advanced hacking tools and sophisticated obfuscation techniques point to an unnamed nation-state behind a cyberattack against the International Committee of the Red Cross (ICRC).
In late January, malicious hackers compromised ICRC servers hosting personal data belonging to more than 515,000 people from all over the globe.
The ICRC issued a status update saying it believes the attack was highly sophisticated and likely carried out by an advanced persistent threat (APT) group, typically a nation-state actor.
According to the statement, the attackers used a specific set of advanced hacking tools designed for offensive security.
“These tools are primarily used by advanced persistent threat groups, are not available publicly and therefore out of reach to other actors,” the ICRC claims.
The attackers also used sophisticated obfuscation techniques to hide and protect their malicious programs, a skillset that only a limited number of threat actors have.
“We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers,” reads the update.
The attackers have written the malware specifically to bypass protection tools ICRC uses to guard its servers.
Threat actors accessed Red Cross servers by exploiting a critical vulnerability (CVE-2021-40539) in an authentication module.
The flaw exists in Zoho ManageEngine ADSelfService Plus, a web-based, end-user password reset management program, and can lead to remote code execution (RCE) attacks.
“This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files,” the ICRC claims.
ICRC’s director-general Robert Mardini claims that threat actors carried out a criminal act to breach sensitive humanitarian data.
“We know that the attack was targeted because the attackers created code designed solely for execution on the concerned ICRC servers, a technique we believe was designed to shield the hackers’ activities from detection and subsequent forensic investigations,” Mardini wrote in an open letter.
The ICRC could not identify the culprits behind the attack or the attackers’ motivation. Attackers did not try to establish contact with the organization or demand a ransom payment.
“We also reiterate our call to the hackers not to share, sell, leak, or otherwise use this data,” reads the statement.