
BianLian group targets Save the Children; steals sensitive data


Cybercrime group BianLian has claimed responsibility for a major breach of a prominent nonprofit organisation, Save the Children, allegedly stealing a substantial volume of sensitive data, including financial, health, and medical information.

Reports of the breach surfaced following posts from VX-Underground and insights provided by Emsisoft threat analyst Brett Callow, as first reported by The Register.

BianLian announced the breach on its website, describing the victim in terms that match ‘Save The Children International’. This well-known non-governmental organisation dates back to 1919 and employs over 25,000 individuals.

BianLian describes its victim as “the world’s leading nonprofit”, operating in 116 countries with $2.8 billion in annual revenue. The cybercriminals assert they have pilfered 6.8 terabytes of data, including international HR records, personal data, over 800 gigabytes of financial records, email correspondence, and medical and health-related information.

The motive behind this breach appears to be extortion, with BianLian likely intending to demand a ransom for the return or non-disclosure of the stolen data.

“Save the Children International recently experienced an IT incident involving unauthorised access to part of our network. There has been no operational disruption, and the organisation continues to function as normal to build a better future for children worldwide,” the organisation said in a statement.

BianLian is a relatively new threat actor that emerged in June 2022. Although new, the group has gained notoriety for targeting healthcare and critical infrastructure sectors. Originally known for double-extortion ransomware attacks, they later transitioned to pure extortion tactics, discarding encryption but maintaining the threat of data exposure unless a ransom is paid.

To evade detection, the group has leveraged the Go programming language and demonstrated a proclivity for infiltrating systems through remote desktop services.

In response to this threat, U.S. and Australian law enforcement and cybersecurity agencies jointly advised organisations to “strictly limit the use of RDP and other remote desktop services” to reduce vulnerability to BianLian’s tactics.


Kumar Hemant


Deputy Editor at Candid.Technology. Hemant writes at the intersection of tech and culture and has a keen interest in science, social issues and international relations.