Bianlian hits Save the Children, steals 7TB of data

Proving, again, that there are no good guys in cybercrime

Bianlian hits Save the Children, steals 7TB of data

A threat group has broken into one of the world's largest NGOs and stolen up to 7TB of data, including financial, health, and medical info.

The BianLian threat group claims to have compromised "the world's leading nonprofit organisation, stealing data including HR, financial, personal, medical and email correspondence.

Although the group doesn't name the NGO, it does say the victim employs around 25,000 staff, operates in 116 countries and has $2.8 billion in revenue.

Based on that description, the victim appears to be Save the Children International, which says on its website, "With 25,000 dedicated staff across 116 countries, we respond to major emergencies, deliver innovative development programmes, and ensure children's voices are heard through our campaigning to build a better future for and with children."

Save the Children claims to have helped over a billion children since its founding in 1919.

The news was first highlighted by threat researcher Bret Callow and malware source code repository VX-Underground. The latter group opined that BianLian "needs to be punched in the face."

https://twitter.com/vxunderground/status/1701309441272926369?ref\\_src=twsrc%5Etfw

We're inclined to agree.

While there have been cases of criminal gangs displaying some morals, like LockBit apologising for attacking a Toronto children's hospital this year, they are rare. Threat actors are, on the whole, not out to right wrongs: they are criminals looking to make a quick buck, and don't care who they hurt to do so.

Changing faces

Bian lian is the Chinese practice of 'face-changing', associated with the Sichuan opera. BianLian, the threat group, follows a similar pattern, first appearing as an Android banking trojan in 2019 and shifting its focus to ransomware in 2022.

The group continues to change its attack patterns to evade detection and countermeasures. Earlier this year it shifted from ransomware to full-on extortion tactics.

Despite the Chinese name, there is no indication that BianLian is based in China. VX-Underground links the group with Russia, but that is unconfirmed. The group, officially, remains stateless.

Save the Children hasn't confirmed how BianLian broke in, but has issued a statement confirming it had suffered an attack:

"Save the Children International recently experienced an IT incident involving unauthorised access to part of our network. There has been no operational disruption and the organisation continues to function as normal to build a better future for children across the world.

"We are working hard with external specialists to understand what happened and what data was impacted so we can take all the appropriate next steps. This process is complex and takes time, but remains our absolute priority. Our systems are also secured, and we are confident in the ongoing integrity of our IT infrastructure.

"These types of incidents are a reality that all organisations face, but it is disappointing that Save the Children, whose core purpose is to help those most in need, is also subject to such unwarranted activity. Our investigation is ongoing, and we will continue to work with the relevant authorities. We will get to the bottom of this, and we thank all our staff and supporters for their patience and understanding in the meantime."