Poster of Amnesty international showing security breach by Chinese hackers for espionage

Chinese Hackers Believed To Be Behind Security Breach at Amnesty International

Canada’s branch of Amnesty International is reporting that an early October security breach of the organization’s IT infrastructure has been traced back to state-sponsored Chinese hackers after an investigation by a third party forensics firm.

The organization was hacked on October 5 and engaged cybersecurity firm Secureworks to audit and do forensics work after the fact, with the ultimate conclusion being that state-sponsored Chinese hackers penetrated the system for espionage purposes.

Amnesty International security breach looks to be espionage attempt, donor information not taken

Though the Chinese hackers appeared to be combing for information useful for espionage purposes, Amnesty International Canada says that donor and member information was not compromised in the security breach. The organization had internal components offline for three weeks while the incident was investigated, however, which it says had a substantial negative impact on its fundraising and regular operations.

While the specific security breach incident that raised alarms took place in early October, the forensic report turned up evidence that the Chinese hackers had been targeting the organization since July 2021. Secureworks says that the tools and tactics the group used during this time, the information it targeted once inside the system and the fact that there was no interest in monetizing the breach all points to one of China’s state-sponsored advanced persistent threat groups.

Secureworks did not name a specific APT group as a suspect; China has about a dozen that are known to security researchers and that focus on different projects and regions of the world. The “Cicada” group is the one that has shown the most interest in NGOs throughout the world, and reporting in early 2022 indicated the Chinese hackers were on a broad espionage campaign targeting known vulnerabilities in Microsoft Exchange Servers. This group has been active since at least 2009. Another group called RedAlpha has been acting against NGOs since 2019 using phishing emails and has previously targeted Amnesty International, though it usually has a regional focus on Taiwan.

Though Amnesty International is not naming a specific APT group, it is reporting publicly on the issue to offer a general warning to other human rights organizations. The organization’s Security Lab branch recently issued a joint report with Human Rights Watch outlining a campaign by Iran’s state-backed hackers to target similar organizations in the Middle East.

Unclear what information Chinese hackers sought in Amnesty breach

While it is impossible to attribute motive given the very limited information that is available, Amnesty International has had previous and recent run-ins with the CCP that might prompt the attention of Chinese hackers. In 2020 the organization published a report on the sale of commercial spyware to the Chinese government by European vendors, and has criticized the CCP for its use of biometric technology to track and spy on ethnic minorities in the country. However, none of that clarifies why the Canadian branch specifically was attacked; it may have just been a case of scanning for known vulnerabilities and finding an opening for a security breach there.

In general, NGOs are becoming an increasingly popular target for all sorts of cyber intruders. At least one study found that over half reported being targeted by a cyber attack in 2021. A substantial portion of these attacks are ransomware, indicating that it isn’t just nation-state APT groups that are bent on intelligence gathering. One reason is a simple lack of resources, with few NGOs having a robust fully staffed IT team dedicated to thwarting security breaches. Similar to hospitals, NGOs are generally not swimming in cash with which to pay off attackers but are nevertheless popular targets due to a perception that they cannot afford to be offline for long and that they will have relatively weak cyber defenses.

The state-backed Chinese hackers are also somewhat unique in that at least one of the teams is known to hack for profit in addition to its espionage missions, something that state actors (with the exception of North Korea) tend to avoid. That group was recently tied to about $20 million in theft from United States Covid relief fund programs. The fact that donation information and member accounts were not targeted in the Amnesty Canada security breach would seem to rule out that group’s involvement, however, unless it was under strict orders to only gather specific targeted intelligence.

Andrew Hollister, CSO of LogRhythm and VP of LogRhythm Labs, notes that the effort in attack on NGOs often matches the perceived level of cyber defense; that is to say, even advanced state-backed hacking teams use relatively low-tech and simple methods to get in the door when they see a potential opening: “Microsoft’s 2022 Digital Defense Report indicated that NGOs are among the second most targeted sector by nation-state actors. It’s a sad truth that is common with healthcare and other sectors. NGOs will have to consider diverting resources from their frontline mission to defend against cyber threats in order to continue with their mission. Interestingly, Microsoft’s report indicated that many state actors rely on relatively low-tech means, which suggests that their attacks may be mitigated by good cyber hygiene. Every organization should focus on doing the basics well, such as regular patching, backups and implementing two-factor authentication. They should also seek to gain overall visibility across their entire environment in terms of both assets and activity. All these elements will contribute to mitigating the risk from these actors.”