A cyberattack affecting the International Committee of the Red Cross was so sophisticated it fits the profile of a state or “state-like” hacker, according to the organization’s head of data protection, Massimo Marelli.
The hack, which occurred last year on Nov. 9 and was discovered on Jan. 18, deliberately targeted ICRC servers that held information on more than 500,000 people using family reunification services, according to the organization.
The identity of the hackers is unknown, according to Marelli, who said that numerous questions remain over the cyberattack — described as one of the largest ever on a humanitarian organization — including its motive and what happened to the data accessed.
Speaking to Devex, Marelli said he was “told from the people who are doing the forensics analysis that it was a highly sophisticated and targeted operation.”
Asked if that meant it was conducted by a state, Marelli replied: “It’s sufficiently sophisticated that it’s compatible with that or state-like. … It was a highly sophisticated and targeted operation.”
The nature of the hack meant that it “could amount to something that is against the letter and spirit of international humanitarian law,” said Marelli, adding that the Central Tracing Agency it targeted is protected under the Geneva Conventions. “It has to be clear to everybody that what has happened is not acceptable,” he added.
But ICRC is fearful of getting “dragged into … a political exercise,” said Marelli, warning against drawing conclusions from the investigation’s findings so far. “So many things ... are unanswered,” he said, noting that “the risk is really to speculate and go to easy conclusions.”
The attack was not on ICRC, Marelli added, but on the “really vulnerable people” whose data was held. The organization’s concern is to “make sure that no harm is being done with the data” and “that whoever has access to the information has a clear understanding of what that information is,” he said.
In the U.S., senior government officials have publicly condemned the hack.
“The information it [ICRC] acquires and uses is critical to fulfilling its functions to provide medical services and humanitarian protection and assistance — functions that all states have pledged to support in instruments such as the Geneva Conventions,” read a statement by Ned Price, a spokesperson for the State Department.
“Targeting the Red Cross and Red Crescent Movement’s sensitive and confidential data is a dangerous development,” Price added. “It has real consequences: this cyber incident has harmed the global humanitarian network’s ability to locate missing people and reconnect families. This is why it is so vital that humanitarian data be respected and only used for intended purposes.”
“Those responsible should be held accountable,” Price tweeted this week. Retweeting him, U.S. Agency for International Development chief Samantha Power called for “accountability for the perpetrators.”
The digital forensics investigation into the hack is incomplete. Marelli stressed that the perpetrators had not been identified and that doing so would be “very, very difficult.” But he also suggested that ICRC would not make the identity of the hackers public.
“It’s an area that is very sensitive, in the sense that we wouldn't want the findings to be exploited for political reasons,” Marelli said, calling attribution “not necessarily conducive to our capacity to operate in a neutral, impartial, and independent manner.”
The hack’s exposure of personal data and the accompanying compromise of trust have potentially undermined the “capacity of impartial humanitarian organizations to operate,” according to Marelli.
“Something like what has happened can severely harm the trust relationship that a humanitarian organization needs with stakeholders, like parties to [a] conflict, who are present in that conflict area, and affected communities. Basically, it erodes the capacity for a humanitarian organization to operate in the first place,” he said.
The hack has led to renewed questions over whether humanitarian organizations should be collecting certain kinds of personal data, often about people who are at risk of persecution or otherwise vulnerable.
Marelli noted that data security has its limits. “There’s only so much you can put into security at some point. The only thing that can prevent [a humanitarian data breach] is a common acceptance that this is just not to be done. It needs to be clear there’s no ‘gray zone’ in this area,” he said, meaning that there should be a clear, black-and-white difference between what’s right and wrong.
“ICRC have among the strongest data protection policies and practices in the whole sector. If this can happen to them, it can definitely happen to other agencies — and it might well have happened, but we don’t know about it,” said Zara Rahman, the acting executive director at The Engine Room — a group working to support the use of data in civil society — in a video released by The New Humanitarian.
But ICRC’s response to the hack has also been praised by digital experts, including Rahman. This is because it was swiftly disclosed and because the organization has devoted significant resources to informing the people whose data was compromised.
ICRC authored a handbook on data protection that Marelli said the organization has been following — even visiting some remote places to alert people of the leak so they can take security precautions, if necessary.
Update Feb. 7, 2022: This article has been updated to clarify Marelli’s comments on the “gray zone.”