SecurityLah - the Asian Cyber Security Show

S2E05. International Committee of the Red Cross (ICRC) hacked

SecurityLah Season 2 Episode 5

Cyber penetration is now fast becoming a common occurrence. But where do we draw the line?

In this episode, we review a recent incident involving the International Committee of the Red Cross, which had informed the world that it has been hacked. Data was stolen, internal networks were compromised.

What's the impact? Who's affected? What's next?

So there was a cyber attack against the Red Cross, which happened I think in January of this year, but there was an update recently on the 16th of February. So what happened was that servers hosting personal data belonging to more than 515 people worldwide were hacked. And what was involved is actually the information of our people, families who have been separated during the war and stuff like that. The Red Cross is a humanitarian organization. So I suppose one of the foremost questions which I have in my mind right now is like, how are the bad guys, why the bad guys did it and how actually do they hope to monetize it?

(upbeat music)

- Ladies and gentlemen, welcome to SecurityLah podcast season two.

(upbeat music)

- So anybody have any thoughts?

- Particularly in this case, what could be the motive? Well, there could be different things, right? So first of all, if it's just PII, then you can sell it in the black market, you can make some money. So that is one way to monetize it. Another thing could be, since there have been certain reports that indicate that this was a highly targeted attack, there would probably be some reason because again, like we said, Red Cross is a humanitarian organization. They deal with a lot of high profile people also, right? So there is a possibility that there might be someone or somebody's information in those records that people might have wanted. So this is just another thing, you're just trying to find information or trying to find people. I can just think of like two possible scenarios where one, you want to monetize information. Another thing is where you would have other benefits or other motives behind it. It may not necessarily be monetizing, it could be a political reason or something of that sort. So there could be other reasons why it was highly targeted. In fact, there were certain reports that say that there were custom scripts or there was actually custom code written to exploit these vulnerabilities. So that means there was a lot of effort put into it, right?

- Yeah.

- So I think it may not have been just to monetize it, it was highly targeted for a reason.

- Okay. So just from the website icrc.org, which is the Red Cross's official website, they describe the information that has been stolen as belonging to highly vulnerable people, including those separated from their families due to conflict, migration and disaster, missing persons and their families and people in detention. And this data comes from across 60 Red Cross and Red Crescent national societies around the world. So monetize, I think your theory that it could be more than just being able to monetize the data is possible. I would love to, you know, to--

- Yeah.

- To find out.

- Yeah, I mean, like you see, right, if people are in crisis, war-torn regions, there is the possibility that high-profile people from these regions would want to move from one border to the other, they would cross states, families would move along with them. What better way to find out who's moving where they are? I think this makes a lot more sense than just monetizing it. Yeah.

- If I can add to what Nigel just said, let me give an example of what's happening right now. So we know Russia and Ukraine is in a tiff right now, and we are seeing that a lot of the soldiers, the Russian soldiers, for example, were unfortunately, you know, in Malay, we call it paksa rela, or forcefully volunteered into the military and required to fight, otherwise they face sanctions and illegal activities against them and all their family members. So as such, some of them may not feel that they want to be part of this conflict, and they say, "Okay, I'm just going to disappear, be one of the refugees that's left Ukraine." Someone must be maintaining this list as to who has been crossing the border, why they're crossing the border, maybe even real name or sometimes aliases. So this data is kept by people who are handling these kinds of persons, refugees or people who are running away from this situation. And sometimes some of them are high value targets. For example, they may carry very sensitive information and they may use these kinds of situations for them to abscond or disappear from whichever place that they are at. So hence the information value becomes very high. So if you're a dictator and you want to catch all those people who betrayed you, it makes more sense for you to actually have access to this kind of data because first thing you know that they have run away, they have had contact with this group, which is the Red Cross, and probably have some additional information about where they are, where they've gone to, when was the last contact. So there may be more telemetry data that we may not be aware of. I mean, the contact information is there, it's just one bit, but probably there's more information involved that we may not be privy to.

- Well, since you put it that way, thank you to your, thanks to your graphic description. It's much clearer now, thank you.

- So from what Doc has clearly described, it seems because the Red Cross is an international organization. So can we say that the motivation is to gain some tactical or even strategic advantage?

- Definitely, because at the end of the day, if you want to see the clustering of people or where they are, and if you know where ICRC is operating, obviously, you know there's a whole load of people there. And if you want to capture people in a war situation and use them as your hostage, what better way than to see where's the movement of refugees and people who are stuck in a war situation. You go through these kinds of networks, people like ICRC, and then you know exactly where they are, because that's why you have such a system. The whole idea is to capture this information so that they could probably coordinate all these activities with the rest of the members, as well as with other organizations. But couldn't there have been a different target other than a humanitarian organization? If we were to look at it from a political or even an economic domain, I just feel that targeting a humanitarian organization seems a little, I don't have the right word, but I would just say at this point of time, it's not right. It doesn't sound right to me.

- I guess it may boil down to what kind of data this humanitarian organization holds about these vulnerable people. What kind of data could they possibly have?

- I'm reminded of a saying, all is fair in love and war. So it really doesn't matter to them. For them, any piece of information is information, because as I said earlier, if you're a dictator and you wanna know who has gone against you, crossed your path, these places or these organizations are the best place to get that information, which is why ICRC described that the compromised data contains information about, quote unquote, highly vulnerable people. So these are the kind of people who may or may not have sensitive information or any other things that they may be carrying, maybe a tiny little key in their chain that activates a nuclear warhead, God knows, I'm theorizing. So please don't take it as gospel, but that can be one of the cases. And again, what we see at the surface is whatever that's reported, there's probably a lot more information that's buried underneath that we are not privy to except for the official.

- Yeah, I do agree with Doc on this. So like you said, there could be a lot more information that we're not privy to. And if you think of another scenario, for instance, you have, like you said, a dictator who crosses borders. And in that case, there is a possibility that this particular person and their family would have their names changed, right? And then they moved to a different country, they get resettled. So in this case, what better way to find them or track them or trace them rather than go through some of these organizations that actually maintain this kind of information.

- So let me give you another example. There have been documented cases of Russian FSB agents poisoning people. So if they were to know where these people are, then this database would be something that's useful. I'm just using Russia as an example because now we are in a war, so it's just a convenient excuse. But let's go into the details of the attack. Is there anything that has been reported?

- Oh, great. I wanted to get into the technicality of the report. So just like any other hacks, the attacker used a vulnerability that is very critical. It's actually CVSS score 9.8 out of 10, which means it gives you almost complete control of the system. And they had a single sign-on tool developed by Zoho. Zoho is an application that gives you similar to something like a Microsoft Office, Office 365 type of environment. So there was an unpatched, it's a known exploit. So it's not zero-day, it's a known exploit. The bug is critically rated and they didn't patch it. So as a result, they got access. But of course, that's just the starting point of the vulnerability. From there onwards, they had web shells. So web shells are essentially shells that give access through a website. So you type in a custom URL, then you get a very simple interface where you can put in commands, you can pull out files, you can upload files. So it gives you the kind of capability for you to have a backdoor into systems. And after that, you can do more things like, for example, if there's an Active Directory service, you can compromise the administrator and all other credentials. You can do lateral movement. So now from that web server that you initially have access to, now you could move to other computers within that network and pull out more information. So that's how the attackers move. Nothing out of the ordinary. It's a typical attack scenario where you started off from getting access into an externally available service, and then you use tools for you to jump inside the network.

- So if it's a typical kind of access mechanism, then how did they succeed in the first place?

- They succeeded because ICRC did not patch their single sign-on tool that was developed by Zoho. So if they had patched that, then the initial access would have been denied. So the rest of the other tools that they used to infiltrate the inside part of the network wouldn't be there because that was the door that they used to get in. So that initial door was not patched. So if they had patched that and hardened it, then chances are very less likely this hack would have happened.

- Have they been able to point to any particular agent?

- ICRC has been quite quiet on this matter. However, a security vendor called Palo Alto Networks reported that most likely, based on an existing attack, the same kind of vulnerability was attributed to a Chinese state sponsored group known as APT27. So they're the only one who's publicly attributing this to APT27, but there seems to be no reference of this particular attacker. ICRC has remained silent about attribution. And I guess it's more of an organizational stance because they are a humanitarian organization. I don't think it is, I can't say proper, I'd say appropriate for them to point fingers at anyone. But then again, there should be some moral grounds about attacking organizations like ICRC, hospitals or humanitarian organizations. That's my personal opinion, but then again, when you're a nation state, I guess, anyone is fair game for you. But here's the thing. It also shows that, we can always say that ICRC got hacked. Yup, okay. But if we analyze further, the very fact that they did not patch their systems should be raising huge alarms. I mean, today, anyone and everyone is a fair target to anyone, including nation states. So for example, you may be running a tiny little kopitiam somewhere in Batang Berjuntai, Selangor. And if you have a POS system and you collect credit card information and all that, or you may even have some IP-based CCTV cameras, any one of this IP connected infrastructure can be used. So for example, the Mirai botnet used CCTV, the processing power in the CCTV, for them to launch a DDoS attack. We've seen a number of POS-based malware that steals credit card information, as well as you have computing power, so it can be a proxy to launch other kinds of attacks. So that's why for me, for such an international organization, there should be some rigor in managing cybersecurity. Well, I think there is a popular phrase that is known to a lot of people in the cybersecurity. And we even talk about that in one of our earlier episodes. It's not a matter of if, but when, when it comes to breaches and hacks like that. So to me personally, I think this is a very pessimistic and demotivating stand on matters. If we were to acknowledge this phrase, then it puts us in a defeatist mentality. It's like saying, you do the bare minimum and then you face it when it comes.

Enjoying the show so far? Subscribe now so that you don't miss out on the latest episode. We are available on Spotify, Apple Podcasts, Google Podcasts, and many other platforms. Visit podcast.securitylah.asia to get the links to subscribe.

I think bare minimum is no longer bare minimum. It seems because we are up against a threat group that has almost unlimited resources and no legal persecution, practically, with all the motivations to try and bring down your infrastructure. That's why I said in a few episodes ago, if you had asked me this question, say in about 10 years ago, I would even classify you to say, if it's casual hackers, you don't have to worry. You have your script kiddies and then you have casual hackers. You have a little bit of organized hacking groups. That's it. Groups like Anonymous have been doing quite an interesting job in the recent Russia-Ukraine conflict. So that probably qualifies for an episode at another time. But there were different categories of attackers, but today, if you look at all the attacks and attributions, it's always the first thing you see in the news is nation state, nation state, nation state. For example, Singapore had the issue with the OCBC phishing. They eventually attributed the attack to an organized crime group that's operating within Singapore. I think, Kat, if you remember, we were talking about-- The society.

- Yeah, so we were talking about how the attacker actually knew a lot of the information and they were using it, local information that they were using against people and getting money out of people. So it's difficult for us to say, but then again, it's not just nation states. I guess everyone has to step up from, step up and step out of the bare minimum and to say we have to start looking at security a lot more seriously, because otherwise then we're gonna go back to the days of abacus and calculators and pen and paper, because I don't think people wanna do that anymore.

- Yeah, you know what, Doc, Nigel, Prof, I'm looking at the article that Doc shared with us, and I see that the consequence of this particular data breach to the International Red Cross is different from the usual, from the business organization. Business organizations, they will have some kind of, I don't know, disaster recovery and steps to mitigate the effect of a data breach. But just reading this article, it's different, because what they're doing is, and they have this important form, right? Like for example, has the data been made available to others, including on the dark web? So they're saying that they have no conclusive evidence that information has been published or traded. And then actually what they're doing right now is they're actually scrambling to reach, yeah, they're making every effort to contact the people who can be difficult to reach, such as migrants, as a result of this data breach. So the consequence of this particular cyber attack is different for this particular humanitarian organization, whereby they're now actually rushing, and with much urgency, it seems, to contact the people who've been impacted by this breach.

- So here's to give you a little bit of context about this data versus, let's say, corporate data. Say if an FSI loses information, they get charged, probably in the court, by a group of customers who's unhappy about it. The regulators may come in and slap a fine on them, and that's it, you know? But these kinds of data can be a life or death situation.

- Yeah.

- So the criticality is, if you ask me, way high up there, as compared to probably someone losing their credit card information.

- Yes, urgency level max.

- Exactly, because if you lose credit card information, fine, fraud happens every day. The banks would have the information for them to detect a fraudulent transaction, probably disable your card. I remember having an experience where I didn't know my card was cloned. The bank just contacted me and said, "Sir, your card has been cloned. We are sending you a new one." There are systems in place that are going to help you from a commercial point of view, and I would, I and everyone else, should rightfully expect that they do what they need to do. But in a humanitarian organization, there's no cyber insurance. Cyber insurance is not gonna cover humanitarian organizations because humanitarian organizations will operate in an area where cyber war will happen. And mind you, when it comes to cyber war, all clauses become null and void. All insurance clauses become null and void. So you can't use that. There's no reprieve to it. Hence, to be honest, sadly, they're on their own. And when they lose something, they lose something, which is why it is critical that these kinds of organizations spend some time to ensure that there's proper cyber security rigor in place because they're dealing with extremely sensitive data. And this kind of data is a matter of life and death for not just one or two, maybe for a lot of people.

- Yeah. So they recognize that there are people who are at risk and they are the top priority right now. So they're doing things like trying to get in contact with them via phone calls, hotlines, public announcements, letters, and in some cases, even traveling to remote communities to inform the people in person. So that's how urgent the, yeah. It's like urgency level is maximum, as I've never seen anything like this before. So, but it is, as you pointed out, Doc.

- Yeah, because--

- Lives are at risk.

- I am thinking there's gonna be trouble for them to actually find these people because number one, if they're in a conflict area, sometimes they may not even have mobile. For example, in the Russian Ukrainian invasion, the Russians actually destroyed mobile cell towers, which means effectively no comms. So I don't think letters are gonna reach them. They're not in their house anymore. So, I mean--

- Smoke signal, smoke signal.

- As funny as it sounds, I'm sorry, but that's the reality of the situation. It's gonna be difficult because these people may be moving from one place to another to avoid detection. And they may not even be using conventional communication methods to avoid being detected. So in these kinds of scenarios, it's gonna be interesting to see how they mitigate the risk. I think it's gonna be really difficult for them to mitigate this risk, but I'll be interested to see what they do and how they solve this problem.

- Yeah, what do we know about the hackers who have allegedly stolen the data? You mentioned, somebody mentioned Chinese state actors, right?

- Based on a report by the Record Media, which was an extension of Recorded Future, they quote that the German government mentioned that a Chinese cyber espionage group known as APT27 has been attacking them repeatedly. And they've used vulnerabilities in software such as Microsoft Exchange and Zoho ManageEngine ADSelfService Plus. So these are two softwares that are primarily located outside of the DMZ or the demilitarized zone, which is usually accessible via public internet. And in fact, the Zoho vulnerability that was exploited in ICRC is the same vulnerability that was used to breach the Port of Houston Authority, I believe it was last year, according to CISA. So that was just the telltale signs of APT27. We won't go into much more details because there's a lot of APT groups out there, but we will continue tracking these groups. And if they seem to be doing a lot more work, then we'll probably cover them in one of the episodes, because to really understand an APT group, we really have to dig deep into their TTPs, tools, techniques, and procedures, understand the psychology and the mindset of how these groups operate, why they choose certain types of vulnerabilities, and who are the people that they attack. And we know that one of their victims now is Port of Houston and ICRC. And we also see from the German government that some of the German organizations have also been attacked in a similar manner. So it's something that's developing that we will keep in touch with, and we will also monitor to see if this is something that we want to cover at a later stage.

- I just thought of something. This humanitarian organization, the attack is obviously very different from just any other, as what Kat has shared with us. So in this context, how does international humanitarian law factor in? I think cyber warfare techniques are subject to these humanitarian laws. Would anyone be able to share anything on this?

- If you look at article five of NATO, I think there's some description about what's deemed as an act of war in cyber. So, I mean, let's not even go cyber. Let's just go on a normal war, right? So there are some things that have been defined to say that you do not do these things. So for example, you do not destroy a medical facility. You do not target civilians, because a war is a conflict between two nations and the conflict should be limited to those who bear arms. So soldiers, soldiers against soldiers. Civilians should not be part of it. So these are the ones that, if you ask me, are an indicator of whether they've crossed the line or they're still operating within that threshold that they've been allowed to. So in this case, if you ask me, targeting ICRC is definitely something that's crossed the line. But the question is, although it's been attributed to a Chinese state actor, then is this an act of war? Because right now we know actively at the present moment, it's between Russia and Ukraine. Cyber attacks happen every day. In fact, if we just zoom in on the Russia-Ukraine situation, the cyber aspect of the war started much, much, much earlier. For example, the Sanver malware that took down the utilities, that happened around what, 2017, 2018, if I'm not mistaken. So it's been some time ago and this has been going on. So the problem is to define what is a cyber war? Do we say cyber war happens in parallel to physical or kinetic war, then it's considered cyber war? Or do we say that if a nation state attacker attacks any infrastructure, be it critical or non-critical, in any country, it is considered an act of war? It's still very much a gray area because for example, I think in one of the episodes I gave this example where someone puts a bomb, for example, Russia sends a bomb to Ukraine, that's an act of war, very clear. Russia sends a buffer overflow attack to a server in Ukraine. Is it cyber war? I have no idea. Probably we should spend one episode debating about the definition of cyber war and cyber warfare. So for example, if I carry a laptop with Kali Linux, having all the tools to penetrate the system, am I carrying a nuclear warhead? And does that subject me to being in prison? Although I'm a security researcher.

- I just think there are still many, many questions that we can look into. There are many angles when it comes to this one. And only because of the fact that this is a humanitarian organization. And a lot of those times, I think, do they even have the financial means to invest in the necessary infrastructures and trainings and so forth? And to what extent can the government protect them in the event of a breach and stuff like that? I guess that's where these kinds of organizations have to leverage on each other. You may have other institutions that are better equipped from the point of cybersecurity. And they should establish some sort of collaboration or cooperation for them to work together, help each other. As I said, whether you're a $2 mom and pop shop, or you're the Red Cross, you are a fair target. It's unfortunate, but that's what the situation is right now. And if you have such infrastructure, then it is upon you to ensure that these infrastructures stay secure.

- I fully agree with you. I think deterrence and mitigation controls can only go so far. At the end of the day, it's really up to the organization for them to weigh the costs and benefits and see what they can do to protect and safeguard the systems and the information that they are dealing with.

- Yeah, definitely.

- There are many aspects to this particular data breach that, yeah, like Prof pointed out, many questions, many aspects, because this is, I mean, how often do we come across news that a humanitarian organization has been compromised? So we just happened to come across this this year. So I'm interested to see how things develop.

- Thanks for joining us this week on SecurityLah. Make sure to visit our website at securitylah.asia, where you can subscribe to the show in iTunes, Spotify, or via RSS, so you'll never miss a show.

(gentle music)

(upbeat music)