In a recent cyber-attack, a prominent threat group identified as BianLian has reportedly compromised one of the most significant NGOs on the globe, making off with an alarming 7TB of data. This data encompasses a range of sensitive information, including financial records, medical details, HR files, and personal email communications.
While the BianLian group did not openly identify the NGO in their claims, the descriptions provided align closely with the profile of Save the Children International. With a prominent presence in 116 countries, a staff of approximately 25,000, and annual revenue of $2.8 billion, Save the Children International has been a beacon of hope, claiming to have aided over a billion children since its inception in 1919.
The breach first came to light through threat researcher Brett Callow and the malware source code archive VX-Underground. The latter group sharply criticized the malicious actions of BianLian, suggesting the group “needs to be punched in the face.” This sentiment is strongly shared by many who are aware of the incident.
In the world of cybercrime, while there have been occasional instances of criminal outfits expressing remorse—like the LockBit group apologizing for their assault on a Toronto-based children’s hospital—the overwhelming majority of these threat actors are devoid of morals. Their primary objective is financial gain, even if it comes at the cost of harming innocent victims.
Understanding BianLian
The name “Bian lian” traces its roots to a Chinese ‘face-changing’ tradition linked to the Sichuan opera. Mirroring this concept, the BianLian threat group has undergone multiple transformations since its first emergence. Beginning as an Android banking trojan in 2019, the group transitioned to ransomware activities in 2022 and has recently adopted extortion techniques.
Despite its Chinese moniker, there is no conclusive evidence suggesting that BianLian operates out of China. Some speculations by VX-Underground hint at a Russian connection, but these remain unverified. As it stands, the group’s origin remains a mystery.
Save the Children International Responds
In the aftermath of the attack, Save the Children International has released a statement, confirming the breach while emphasizing the lack of operational disruptions. The organization stated, “Save the Children International recently experienced an IT incident involving unauthorized access to part of our network. We are diligently working with external experts to ascertain the extent of the impact and ensure the security and integrity of our IT systems. While we recognize that such incidents are a grim reality for many organizations, it is deeply disheartening to see an NGO dedicated to helping the vulnerable being targeted. Our investigation is in progress, and we are committed to resolving this matter. We express our gratitude to our staff and supporters for their continued trust and patience.”
As the world watches, it remains to be seen what repercussions this breach will have on the global stage and what measures will be taken to prevent future incidents of this magnitude.