A suspected Chinese-based threat actor was in the IT system of Amnesty International Canada for 17 months before being detected, according to the head of the non-profit group.
The Canadian branch of the human rights organization said in a news release Monday that the breach of security controls was detected in October. To its knowledge, this was the first breach of security controls the division has suffered.
But in an interview with IT World Canada, secretary general Ketty Nivyabandi said the intrusion started in July 2021.
It’s “difficult to tell” how the attacker got past the agency’s defences, she said. “We’re not about to determine for a fact what the point of entry was.” But a forensic investigation by Secureworks has determined that a threat group sponsored or tasked by the Chinese state was likely behind the attack.
One of the pieces of evidence, Nivyabandi said, was searches done by the attacker on the agency’s IT systems for information on China and Hong Kong. Another was the attacker’s tools and techniques.
Arguably, had it not been for chance, the attacker might still be sitting undetected in the agency’s systems. “We updated our systems over the summer,” she said, “and we were able to detect some suspicious activity in October. Rather than continuing with the advice we were getting locally, we engaged an international team of cyber experts” from Secureworks for deeper analysis and remediation.
Secureworks has determined the root cause, but Nivyabandi wouldn’t divulge details of its report.
The agency’s IT systems were taken offline, carefully inspected and brought back. While the organization is back working, some systems are still unavailable. “We are still very much in recovery mode,” she said. The organization said in the news release it has taken “swift and robust action to strengthen its digital security and restore systems back online securely.”
Nivyabandi emphasized that no donor or membership data was exfiltrated. That information was held on a separate system. However, what, if any, other data was copied during those 17 months the attacker had access isn’t clear. “I don’t know what they have,” she said. “What we’re able to see is that there are systems you have to put in order to exfiltrate data, and we can tell these were not used.”
Mike McLellan, director of intelligence for the research group at Secureworks, wouldn’t go into detail about the company’s findings. Asked what Amnesty Canada could have done to prevent the breach of security controls, he said the suspected attacker is an advanced persistent threat group, so it will “try and try and try again” to beat defences.
“China has a long-standing approach of using its cyber capabilities to gather intelligence, intellectual property and conduct surveillance of individuals of interest. They have a particular interest in ethnic groups deemed to be hostile to the state. Because of that, NGOs like Amnesty and other inter-governmental agencies have been a long-standing target of Chinese cyber espionage. Based on some of the tools we saw, based on the nature of Amnesty as an organization, based on the nature of the state, we believe it was targeted … We [therefore] assessed that a group sponsored by or tasked by the Chinese state was likely responsible for the breach.”
It is possible the Canadian branch was targeted as a way to get information on Amnesty International itself, he said. While there is currently tension between Canada and China, McLellan doubts that’s behind this attack.
Amnesty International Canada is the Canadian branch of the recognized independent human rights advocate. It doesn’t accept any government funding for its research and campaigning work.
Nivyabandi said the branch tries to ensure that international rights Canada recognizes are upheld here, including Indigenous and refugee rights. It also works with activist groups here with international goals on human rights, including people from Hong Kong and China.
“Because we work on human rights globally, we are constantly issuing reports on human rights violations across the world, so we are a little bit the enemy of every state and leader who violates human rights, and constantly aware that we can be the target of just about anyone,” she said. Still, the compromise was a surprise.
Her agency is publicizing the attack now and explaining how it responded because other victimized organizations might just “reboot their systems and carry on without really knowing the root cause.”
Non-governmental organizations (NGOs) like Amnesty International have long been targets of governments unhappy with their work. State-backed hackers directly or indirectly break into the servers or smartphones of NGO workers looking for intelligence.
NGOs, many of which are small and have limited funding, can be vulnerable. In January, after a service provider to the International Red Cross was hacked, Stéphane Duguin, CEO of the CyberPeace Institute, wrote a statement which in part said his agency’s research has shown that only one in 10 NGOs trains its staff regularly on cybersecurity, only one in four monitors its networks and only one in five has a cybersecurity plan.
In 2017, University of Toronto’s Citizen Lab, along with partners R3D, SocialTic and Article19, released a series of eight reports on the widespread use of the Pegasus smartphone spyware against many sectors of Mexican civil society, including investigative journalists and lawyers for cartel victims’ families, anti-corruption groups, prominent lawmakers, international investigators examining enforced disappearances, and even the spouse of a journalist killed in a cartel slaying.
Secureworks has some experience in looking at attacks on NGOs. In 2019 it published a report on a cyberespionage group it dubbed Bronze President, which it believes is likely a China-based threat actor targeting NGOs, as well as political and law enforcement organizations in countries in South and East Asia.
NGOs and similar organizations should pay attention to the Amnesty Canada attack, McLellan added, and think about the security of their own IT networks and data.
Asked if NGOs devote enough resources to cybersecurity, McLellan noted as a group they have resource and financial constraints. “It’s about making the best you can with the investments you’ve got.”