BianLian Threat Group Breaches Renowned NGO, Steals Vast Amounts of Data

By ISBuzz Team, Writer, Information Security Buzz | Sep 15, 2023 08:26 am PST

In a recent cyber-attack, a prominent threat group identified as BianLian has reportedly compromised one of the most significant NGOs on the globe, making off with an alarming 7TB of data. This data encompasses a range of sensitive information, including financial records, medical details, HR files, and personal email communications.

While the BianLian group did not openly identify the NGO in their claims, the descriptions provided align closely with the profile of Save the Children International. With a prominent presence in 116 countries, a staff of approximately 25,000, and annual revenue of $2.8 billion, Save the Children International has been a beacon of hope, claiming to have aided over a billion children since its inception in 1919.

The breach first came to light through threat researcher Brett Callow and the malware source code archive VX-Underground. The latter sharply criticized the malicious actions of BianLian, suggesting the group “needs to be punched in the face.” This sentiment is strongly shared by many who are aware of the incident.

In the world of cybercrime, while there have been occasional instances of criminal outfits expressing remorse—like the LockBit group apologizing for their assault on a Toronto-based children’s hospital—the overwhelming majority of these threat actors are devoid of morals. Their primary objective is financial gain, even if it comes at the cost of harming innocent victims.

Understanding BianLian

The name “Bian lian” traces its roots to the Chinese ‘face-changing’ tradition of Sichuan opera. Mirroring this concept, the BianLian threat group has undergone multiple transformations since it first emerged: beginning as an Android banking trojan in 2019, the group transitioned to ransomware operations in 2022 and has more recently shifted to data-theft extortion.

Despite its Chinese moniker, there is no conclusive evidence suggesting that BianLian operates out of China. Some speculations by VX-Underground hint at a Russian connection, but these remain unverified. As it stands, the group’s origin remains a mystery.

Save the Children International Responds

In the aftermath of the attack, Save the Children International has released a statement, confirming the breach while emphasizing the lack of operational disruptions. The organization stated, “Save the Children International recently experienced an IT incident involving unauthorized access to part of our network. We are diligently working with external experts to ascertain the extent of the impact and ensure the security and integrity of our IT systems. While we recognize that such incidents are a grim reality for many organizations, it is deeply disheartening to see an NGO dedicated to helping the vulnerable being targeted. Our investigation is in progress, and we are committed to resolving this matter. We express our gratitude to our staff and supporters for their continued trust and patience.”

As the world watches, it remains to be seen what repercussions this breach will have on the global stage and what measures will be taken to prevent future incidents of this magnitude.

Expert Comments

Dan Bridges, Technical Director, International
September 15, 2023 4:53 pm

“Cybersecurity is increasingly complex, in part, due to the interconnected way in which business now operates. This latest attack on Save the Children illustrates that no organisation is immune to the efforts of cyber-criminal gangs. The complex, interconnected IT systems that form the backbone of all organisations today mean it can be more difficult to isolate an issue, which can lead to widespread impact. Even well-resourced enterprises deal with disparate tools, siloed teams and data, and delayed response. Cybersecurity must become more collaborative to get ahead of threats that interrupt business continuity.”

Chris Campell, Solutions Engineer
September 15, 2023 4:43 pm

“Unfortunately, time and time again we see NGOs, hospitals and critical infrastructure being targeted by cybercriminals, with 30% of all UK charities suffering an attack in 2022 alone. Not only do they tend not to have the security budgets that big tech organisations have, but they are also more likely to rely on staff using Bring-Your-Own-Device (BYOD) equipment, which is less likely to be secure. Additionally, the attacks provide a lot of much-desired publicity for these criminals. After all, cybercriminals love to show off, with many driven by fame as well as financial incentives.”

“While NGOs, like Save The Children, might not have the depth and strength of the cybersecurity posture of a large enterprise, they can always rely on the goodwill of ethical hackers to help them close any security weaknesses. Having a clear route or vulnerability disclosure policy to enable any member of the public to report a vulnerability will enable the ethical hacking community to effectively support security efforts. Unlike these cybercriminals, ethical hackers are driven to do good in the world, and already actively support charitable causes with things like HackerOne’s #hackforgood initiative that allows them to donate a portion of their bounties to charity. By taking an outsider’s mindset when it comes to security, hackers help organisations see where they could be vulnerable to an outside attack, and will report those vulnerabilities even when bounties aren’t offered, as shown by the 45,000+ vulnerabilities reported to the DoD’s VDP program, which doesn’t offer financial rewards.”
