Red Cross attributes server breach to nation-state actor

The breached data hasn't shown up on the dark web, so far.
An aid convoy from the International Committee of the Red Cross arrives in Syria's northern region of Afrin on March 1, 2018 (AHMAD SHAFIE BILAL / AFP via Getty Images)

The International Committee of the Red Cross has concluded that a nation-state hacker was behind a cyberattack on its servers discovered last month.

A forensic analysis of the attack revealed the use of tools designed specifically to go after ICRC servers, the organization said Wednesday.

“This was a sophisticated attack — a criminal act — breaching sensitive humanitarian data,” ICRC Director-General Robert Mardini said. “We know that the attack was targeted because the attackers created code designed solely for execution on the concerned ICRC servers, a technique we believe was designed to shield the hackers’ activities from detection and subsequent forensic investigations.”

Separate from Mardini’s statement, the organization released a summary of the technical findings by an unnamed “specialist cyber security company.” The forensic report does not attribute the attack to any specific advanced persistent threat (APT) group, and ICRC declined to speculate on the culprit.

“[M]ost of the malicious files deployed were specifically crafted to bypass our anti-malware solutions, and it was only when we installed advanced endpoint detection and response (EDR) agents as part of our planned enhancement programme that this intrusion was detected,” the organization said.

The ICRC says the hackers have not made contact.

The attack compromised the personal data of more than half a million individuals helped by ICRC’s program, which reunites families separated by conflict, disaster or migration. Personal data included names, locations, and contact information of individuals served by the group as well as login information for staff and volunteers.

Forensic analysis shows that the breach, which was discovered on Jan. 18, occurred on Nov. 9, 2021.

Hackers were able to get into the system by exploiting an unpatched vulnerability in the password reset management system Zoho ManageEngine ADSelfService Plus, which allowed them to place web shells that provided further access to move within the systems and exfiltrate data, the ICRC said. Microsoft warned in November that China-based hackers were using the vulnerability to target victims in the U.S. defense industrial base, higher education, consulting services and information technology sectors.

The ICRC analysis presumes that hackers were able to copy or export data, but none of that information has shown up on the dark web yet.

“We are confident in our initial analysis that no data was deleted in the breach,” the report notes. “This is important because it is allowing us to set up interim systems to get back to work reconnecting loved ones.”

The attack on the human rights organization drew a rebuke from the U.S. State Department, which called on other nations to condemn attacks on humanitarian data.

Mardini said the organization has continued operations of its location program “albeit at minimal service levels, through low-tech solutions (using simple spreadsheets, for example), while we work toward resuming full service with enhanced security features.”

Written by Tonya Riley