INTELBRIEF
March 3, 2022
IntelBrief: Cyber Attack on ICRC Jeopardizes Vast Personal Data
Bottom Line Up Front
- The elevated disinformation and cyber threats tied to the Russian invasion of Ukraine emphasize the significant risks across a range of sectors, including to the humanitarian sector and those it serves.
- On January 18, the International Committee of the Red Cross (ICRC) reported a large-scale breach of their servers, involving the personal data of over 515,000 people.
- The compromised Restoring Family Links services data included personal information such as names, locations, and contact information for missing people and their families, detainees, and others.
- The scale, complexity, and targeted nature of the breach indicate a sophisticated attacker, potentially a state or state-sponsored group.
The elevated disinformation and cyber threats tied to the Russian invasion of Ukraine emphasize the significant risks across a range of sectors, including to the humanitarian sector and those it serves. One significant recent case of a cyber attack on the humanitarian sector took place on January 18, when the International Committee of the Red Cross (ICRC) reported a large-scale breach of its servers, involving the personal data of over 515,000 people. By exploiting an unpatched critical vulnerability, hackers gained access to the encrypted data of the global Red Cross and Red Crescent Movement's Restoring Family Links services across at least 60 affiliates globally. ICRC’s analysis concluded that the breach occurred on November 9, 2021, allowing the hackers covert access for an extended period before detection in January, at which time the compromised servers were taken offline. This breach poses grave risks—both immediately to the individuals whose information was compromised, and with long-term implications for data security in the humanitarian sector.
Given that the Restoring Family Links services involve reuniting families and locating missing persons, the compromised data included personal information such as names, locations, and contact information for missing people and their families, detainees, and others. Thus far, there is no indication of the data being published or traded online, including on the dark web; nonetheless, this remains a dangerous possibility, and it could already have taken place undetected. The ICRC reports that thus far it has not been contacted by the hackers. The unpatched critical vulnerability that was exploited had been flagged as a risk to myriad institutions by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in an alert in September. ICRC has taken a proactive approach to accountability for the incident, reaching out to those on the ground whose personal information may have been compromised via phone calls, field visits, and more.
The scale, complexity, and targeted nature of the breach indicate a sophisticated attacker. ICRC has specified the “use of considerable resources to access [ICRC] systems and… tactics that most detection tools would not have picked up.” The hackers used offensive security tools typically employed by advanced persistent threat (APT) groups, which ICRC defined as “a stealthy threat actor, typically a nation state or state-sponsored group.” Furthermore, code was written specifically to target ICRC servers, confirming that the attack was focused on extracting this confidential information. Given the specific nature of the data breached, the possibility of the attack being perpetrated by a state actor poses severe danger, as such location or contact information could be used to target individuals who may fear persecution by governments or non-state actors for their political beliefs or identity. Beyond immediate implications, ICRC’s head of data protection, Massimo Marelli, shared his concern for the impact of the breach on trust with people in need and stakeholders critical to the delivery of aid, noting that “it erodes the capacity for a humanitarian organization to operate in the first place.”
This breach—one of the largest ever against a humanitarian organization—is foreboding for the aid sector, especially given the heightened disinformation and cyber threat environment tied to the Russia-Ukraine conflict. Two other high-profile cyber attacks in 2021, against the United Nations and the U.S. Agency for International Development (USAID), similarly demonstrated the level of cyber threat facing such organizations, even those with large-scale infrastructure and resources. Zara Rahman, acting executive director at The Engine Room, noted the broader implications, given ICRC’s relatively strong cyber security practices compared to the rest of the sector: “If this can happen to [ICRC], it can definitely happen to other agencies—and it might well have happened, but we don’t know about it.” Such personal beneficiary data could be hacked by an array of actors—criminals, terrorists, or authoritarian regimes—to target and harm individuals for objectives ranging from financial to political. Particularly as the aid sector also expands its innovative, or sometimes donor-driven, use of technology to include the collection of biometric data and applications of artificial intelligence (AI), these concerns will only grow. Such considerations also call into question how humanitarian actors employ principles of data minimization to counter such risks and, complementarily, principles for responsible data collection. The persistent risks that cyber threats pose to the humanitarian sector—and, more importantly, to those it serves, already persevering through vulnerable circumstances—require more significant attention and partnership to ensure effective data security practices and corresponding financial support.