Question

This is the case study:

Cyber-attack on ICRC

In January 2022, we determined that the personal data of more than 515,000 people worldwide were accessed by hackers. They did so through a cyber-attack on the servers used to store the information that Red Cross and Red Crescent Societies worldwide and our team have collected to help people affected by armed conflict, natural disasters, and migration.

These servers held the personal data that people have provided to us to help them find and reconnect with their families, learn what happened to missing relatives, and ensure dignity for those who have died without their loved ones by their side. We want to stress that not everyone who has engaged with these services and has shared information with us was affected.

What should I do if I think my data might have been accessed in the cyber-attack?

If you haven't heard from us and are concerned, we encourage you to reach out to your local Red Cross office in your country. We know you entrusted us with personal information and details about often traumatic events in your lives. This is not a responsibility we take lightly. We will work hard to maintain your trust to continue serving you.

Are our systems back online?

Yes. The systems are now back online, which is critically important to resume work. They have been relaunched with security enhancements, including a new two-factor authentication process and an advanced threat detection solution. The applications and systems went back online only after successful penetration tests. We continue to monitor our systems closely and make relevant security enhancements.

How are you informing people who were affected?

We have been working with Red Cross and Red Crescent National Societies and our ICRC delegations on the ground to inform individuals and families whose data was breached. This process is complex and ongoing, with each case being managed based on individual risk assessments. Some of this is done through phone calls, hotlines, public announcements, letters and in some cases, it requires teams to travel to remote communities to inform people in person. We are making every effort to contact people who can be difficult to reach, such as migrants. Most of the people we have informed want us to continue to work to find their relatives. We know the emotional toll a missing family member takes on a person. We will continue to do everything we can to help them find the answers they deserve.

What made this attack highly sophisticated and targeted?

The hackers used considerable resources to access our systems and used tactics that most detection tools would not have picked up. The following information demonstrates the sophisticated and targeted nature of the attack:

The attackers used a specific set of advanced hacking tools designed for offensive security. Advanced Persistent Threat groups primarily use these tools, which are not publicly available and therefore out of reach to other actors.

The attackers used sophisticated obfuscation techniques to hide and protect their malicious programs. This requires a high level of skills only available to a limited number of actors.

We determined the attack to be targeted because the attackers created a piece of code designed purely for execution on the targeted ICRC servers. The tools used by the attacker explicitly referred to a unique identifier on the targeted servers (its MAC address).

The anti-malware tools we had installed on the targeted servers were active and did detect and block some of the files used by the attackers. But most of the malicious files deployed were specifically crafted to bypass our anti-malware solutions. It was only when we installed Advanced Endpoint Detection and Response (EDR) agents as part of our planned enhancement program that this intrusion was detected.

When did we find out about this attack?

A specialist cyber security company hired by ICRC to support in protecting our systems detected an anomaly on ICRC servers that contained information relating to the global Red Cross and Red Crescent Movement's Restoring Family Links services. We then did a deep data dive and determined on the 18th of January that hackers had been inside these systems and had access to data.

How long were the hackers inside our systems?

In this case, we detected an anomaly in our system within 70 days of the breach and immediately initiated a deep dive. On that basis, we could determine on the 18th of January that our servers had been compromised. Our analysis shows that the breach occurred on the 9th of November 2021.

A breach this large and complex typically takes time to detect. For example, we understand that the average time to identify a data breach is 212 days.

How did the hackers get into our systems?

The hackers were able to enter our network and access our systems by exploiting an unpatched critical vulnerability in an authentication module (CVE-2021-40539). This vulnerability allows malicious cyber actors to place web shells and conduct post-exploitation activities such as compromising administrator credentials, conducting lateral movement, and exfiltrating registry hives and Active Directory files. Once inside our network, the hackers were able to deploy offensive security tools, which allowed them to disguise themselves as legitimate users or administrators. This allowed them to access the data, despite it being encrypted.

What went wrong with our defenses?

The patching process is an extensive activity for any large enterprise. Annually, we implement tens of thousands of patches across all our systems. The timely application of critical patches is essential to our cybersecurity, but unfortunately, we did not apply this patch in time before the attack.

We have a multi-level cyber defense system at the ICRC that includes endpoint monitoring, scanning software and other tools. In this instance, our analysis after the attack revealed that our vulnerability management processes and tools did not stop this breach. We have made immediate changes in both areas. Furthermore, we are speeding up the activities already planned as part of our latest cyber security enhancement program launched in Feb 2021.

Who do we think is behind this attack?

We cannot ascertain who is behind this attack or why it was carried out, and we will not speculate about this. We have not had any contact with the hackers and no ransom ask has been made. In line with our standing practice to engage with any actor who can facilitate or impede our humanitarian work, we are willing to communicate directly and confidentially with whoever may be responsible for this operation to impress upon them the need to respect our humanitarian action. We also reiterate our call to the hackers not to share, sell, leak, or use this data.

What information was accessed?

The breach included personal data such as names, locations, and contact information of more than 515,000 people from across the world. The people affected include missing people and their families, detainees and others receiving services from the Red Cross and Red Crescent Movement due to armed conflict, natural disasters, or migration. We do not believe it is in the best interest of the people whose data this is to share further details about who they are, where they are or where they came from.

Were data sets copied and exported?

We must presume so. We know that the hackers were inside our systems and therefore had the capacity to copy and export it. To our knowledge, the information has not been published or traded. No data was deleted in the breach. This is important because it has allowed us to relaunch our systems and get back to work reconnecting loved ones.

How confident are we that the hackers are no longer in our systems?

We took the compromised servers offline as soon as we determined they had been hacked. This incident did not affect other servers because we segment our systems and continually monitor the overall environment for any signs of malicious activity with advanced tools.

What other steps are you taking to prevent this from happening again?

The data breach highlights a growing trend in cyber operations targeted at humanitarian organizations. Data breaches risk causing severe consequences for the people those organizations serve and those already among the most vulnerable. The ICRC is now working with its Movement partners to send a call to States and other actors about the need to protect humanitarian organizations online as they do offline.

These are the two questions that I need answered:

1. List four factors that generally motivate attackers. Choose two factors and link them with our case study.

2. Explain four mistakes the ICRC made that enabled the attackers to breach their data.
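The case study names the entry point (CVE-2021-40539, an unpatched authentication module) and says that vulnerability management and the installed anti-malware did not stop the intrusion. The script below is an added example, not part of the student's post and not ICRC code, showing the two checks a defender could have run against exactly that gap. It assumes: that CVE-2021-40539 is the REST API authentication bypass in Zoho ManageEngine ADSelfService Plus, whose vendor fix shipped in build 6114 (so any lower build is treated as unpatched); that exploitation requests reach the protected `/RestAPI/` endpoints through a dot-segment path such as `/./RestAPI/...`, which an authentication filter matching the raw URI lets through while the servlet container normalizes it, as described in public advisories; and that the access-log lines and asset inventory are constructed sample data, not real ICRC logs. The function names (`scan_access_log`, `unpatched_hosts`) are this example's own.

```python
"""Added example: detecting CVE-2021-40539 exploitation attempts in web access
logs and flagging unpatched ADSelfService Plus hosts. Not ICRC code; sample
data below is constructed. Assumptions are marked in comments."""
import posixpath
import re

FIXED_BUILD = 6114  # assumption: first ADSelfService Plus build carrying the fix

# Combined-format access log (Tomcat/Apache style), reduced to the fields used.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def normalized_path(target):
    """Drop the query string and collapse dot-segments the way the servlet
    container does: '/./RestAPI/Connection' -> '/RestAPI/Connection'."""
    path = target.split("?", 1)[0]
    return posixpath.normpath(path)


def is_bypass_attempt(target):
    """True when the request reaches /RestAPI/ only after normalization.
    A legitimate client never emits '/./' or '/../' on the way to the API;
    the raw/normalized mismatch on the protected prefix is the signature
    of the authentication-filter bypass (assumption from public advisories)."""
    raw = target.split("?", 1)[0]
    norm = normalized_path(target)
    return norm.startswith("/RestAPI/") and raw != norm


def scan_access_log(lines):
    """Return one record per request that looks like a bypass attempt.
    Lines that are not access-log records are skipped, not guessed at."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if is_bypass_attempt(m["target"]):
            hits.append({
                "src": m["src"],
                "ts": m["ts"],
                "method": m["method"],
                "path": normalized_path(m["target"]),
                "status": int(m["status"]),
            })
    return hits


def unpatched_hosts(inventory, fixed_build=FIXED_BUILD):
    """inventory maps hostname -> installed build number. Any build below the
    fixed one is exposed; this is the check a vulnerability-management process
    has to run against a critical advisory within days, not months."""
    return sorted(host for host, build in inventory.items() if build < fixed_build)


# Constructed sample data (not real ICRC logs or assets).
SAMPLE_LOG = [
    '203.0.113.7 - - [09/Nov/2021:02:14:03 +0000] "POST /./RestAPI/LogonCustomization HTTP/1.1" 200 512',
    '203.0.113.7 - - [09/Nov/2021:02:14:05 +0000] "POST /./RestAPI/Connection HTTP/1.1" 200 87',
    '198.51.100.4 - - [09/Nov/2021:08:00:10 +0000] "GET /RestAPI/Connection HTTP/1.1" 401 0',
    '198.51.100.9 - - [09/Nov/2021:08:01:22 +0000] "GET /authorization.do HTTP/1.1" 200 3021',
    'garbage line that is not an access log record',
]
SAMPLE_INVENTORY = {"adssp-01": 6102, "adssp-02": 6114, "adssp-lab": 6108}

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f"bypass attempt from {h['src']} at {h['ts']}: "
              f"{h['method']} {h['path']} -> HTTP {h['status']}")
    print("unpatched hosts:", unpatched_hosts(SAMPLE_INVENTORY))
```

The important design point is that the detector compares the raw request path with its normalized form rather than grepping for one literal string, so it also catches `/foo/../RestAPI/...` variants; a successful (HTTP 200) bypass request followed by web-shell activity is what the anti-malware on the servers had no view of, and what an access-log or EDR rule like this would have surfaced long before a 70-day dwell time.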
