Save the Children International hit with cyberattack, but says operations weren’t impacted

The global charity organization Save the Children International confirmed that it was recently hit with a cyberattack after a ransomware group claimed to have breached the organization’s systems.

A spokesperson for the charity — which has been providing aid to children in developing countries for more than a century — said the hackers gained unauthorized access to parts of their network but did not say when the attack occurred. The organization has about 1,300 employees across 100 countries, and provided assistance to 118 million children in 116 countries in 2022.

“There has been no operational disruption and the organization continues to function as normal to build a better future for children across the world. We are working hard with external specialists to understand what happened and what data was impacted so we can take all the appropriate next steps,” the spokesperson told Recorded Future News.

“This process is complex and takes time, but remains our absolute priority. Our systems are also secured, and we are confident in the ongoing integrity of our IT infrastructure. These types of incidents are a reality that all organizations face, but it is disappointing that Save the Children, whose core purpose is to help those most in need, is also subject to such unwarranted activity.”

The spokesperson added that the investigation is ongoing and that they are working with law enforcement agencies, pledging that the organization “will get to the bottom of this.”

The attack came to light after the BianLian hacker gang boasted of stealing 6.8 TB of data from the organization, including personal information, financial data, healthcare files and emails.

BianLian has targeted the healthcare, education, insurance and media industries since at least December 2021. Little is known about where the group is based but they made waves in March with an attack on a Spanish amusement park giant.

The gang shifted away from ransomware attacks after cybersecurity firm Avast released a decryptor in January that allowed victims to unlock their data without paying a ransom.

The group, however, was spotlighted by the FBI, Cybersecurity and Infrastructure Security Agency (CISA), and Australian Cyber Security Centre (ACSC) in May after targeting multiple U.S. critical infrastructure sectors since June 2022.

The hackers also targeted critical infrastructure in Australia alongside several other industries, using valid Remote Desktop Protocol (RDP) credentials, open-source tools and more to exfiltrate data and extort money out of victims.

“BianLian group originally employed a double-extortion model in which they encrypted victims’ systems after exfiltrating the data; however, around January 2023, they shifted to primarily exfiltration-based extortion,” the agencies said.

“FBI, CISA, and ACSC encourage critical infrastructure organizations and small- and medium-sized organizations to implement the recommendations in the Mitigations section of this advisory to reduce the likelihood and impact of BianLian and other ransomware incidents.”

Save the Children previously dealt with a breach in July 2020 that was caused by an attack on one of its software vendors, Blackbaud. The hackers stole information on the charity’s supporters, including names, contact data and details about their donations to Save the Children.

Save the Children is just the latest major charity to face cyberattacks in the last year after both Amnesty International and the Red Cross suffered breaches. The Norwegian Refugee Council and The International Centre for Migration Policy Development have also faced attacks.