Cyber Incident Victim: Save the Children International

Date: Sep 2023

Location: United States of America

Summary

Save the Children International experienced a cyberattack by the BianLian ransomware group, which claimed theft of 6.8 terabytes of sensitive data including personal, financial, and healthcare information along with emails. The organization confirmed unauthorized network access but emphasized no operational disruptions occurred, maintaining normal functions while collaborating with external specialists and law enforcement to investigate the breach and assess data impact. BianLian, known for targeting critical infrastructure sectors, shifted from encrypting victim systems to exfiltration-based extortion tactics, leveraging valid Remote Desktop Protocol credentials and open-source tools. This incident follows prior breaches involving the charity’s third-party vendors and aligns with broader cyberattacks against humanitarian organizations globally.

Description

Save the Children International confirmed a cyberattack after the BianLian ransomware group claimed responsibility for breaching its systems. The attackers exfiltrated approximately 6.8 terabytes of data, including personal information, financial records, healthcare files, and emails. A spokesperson stated that unauthorized access occurred in parts of the organization’s network but did not disclose the exact timeline of the incident. The charity, which employs 1,300 staff across 100 countries and assisted 118 million children in 116 nations during 2022, reported no operational disruptions and maintained normal functions throughout the attack. External cybersecurity specialists were engaged to investigate the scope of the breach and identify compromised data, with coordination involving law enforcement agencies. The organization expressed confidence in the integrity of its secured IT infrastructure post-incident but condemned the targeting of a humanitarian entity focused on aiding vulnerable populations.

BianLian, active since at least December 2021, initially employed ransomware encryption paired with data theft but transitioned to pure exfiltration-based extortion following the release of a decryption tool by Avast in January 2023. The group historically exploited valid Remote Desktop Protocol credentials and open-source tools to infiltrate critical infrastructure sectors in the U.S. and Australia, prompting joint advisories from the FBI, CISA, and ACSC in May 2023. This incident marked Save the Children’s second known breach in three years, following a July 2020 attack on its vendor Blackbaud that exposed supporter details like names, contact information, and donation histories. The charity joins other humanitarian organizations recently targeted, including Amnesty International, the Red Cross, the Norwegian Refugee Council, and the International Centre for Migration Policy Development. The investigation remains ongoing, with Save the Children prioritizing understanding the data impact and reinforcing system defenses against future threats.
