China-backed hackers take down Amnesty International Canada for three weeks
Cyber security experts linked state-sponsored APTs to the tools and methodology of the attack, which may have been intended as a covert campaign


Amnesty International Canada confirmed that it was the victim of an attack by a Chinese state-backed threat actor in October, which took its systems down for three weeks in an apparent espionage operation.
No evidence has been found to suggest that sensitive information was exfiltrated in the incident, but Chinese state-backed cyber attackers are known for prioritising espionage as a key mission objective.
Once aware of the breach, Amnesty International Canada began an investigation of its network with the assistance of cyber security experts and forensic investigators, who determined that an advanced persistent threat group (APT) was behind the attack. Security firm Secureworks drew a link between the evidence and known methodology of China-backed hackers.
The threat actors were reportedly attempting to monitor the organisation's network without being detected, perhaps with the intention of building a list of contacts and Amnesty International activity, per CBC News.
"The assessment that this breach was likely perpetrated by a Chinese state-sponsored threat group was based on several factors," Mike McLellan, director, counter threat unit at Secureworks told IT Pro.
"Firstly, the tools, techniques and infrastructure we identified are consistent with those we have previously associated to Chinese threat groups.
"Secondly, the nature of Amnesty International Canada as an organisation, and more specifically the information that was targeted, would be of direct interest to the Chinese state. And thirdly, the length of time the threat actors were in the environment, coupled with the absence of any apparent attempt to monetise their access, for example by deploying ransomware, points towards espionage rather than financial gain as the motivation for the attack."
"This assessment is based on the nature of the targeted information as well as the observed tools and behaviours, which are consistent with those associated with Chinese cyber espionage threat groups," read the Secureworks report, via CBC News.
Secureworks keeps a detailed catalogue of threat actor profiles, with information on the states to which each threat group is linked, their known aliases, and the tools characteristic of each group. It has listings for ten such Chinese threat actors, with listed tools including CCleaner and PowerShell Empire.
“As an organisation advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” said Ketty Nivyabandi, secretary general of Amnesty International Canada, in the organisation’s blog post on the incident.
“These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.”
“This case of cyber espionage speaks to the increasingly dangerous context which activists, journalists, and civil society alike must navigate today. Our work to investigate and denounce these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights,” she added.
Cyber security agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have warned businesses that nation-state hacking tools are being used to compromise critical national infrastructure (CNI).
On 6 December, the US Secret Service seized millions in COVID funds stolen by China-backed hackers, tracked as APT41, in a first-of-its-kind fraud linked to a nation state. APT41 has previously been credited with the hacking of six US government networks, and a number of arrests have been made of individuals associated with the group.
Chinese cyber attacks have continued to dominate headlines, even as Russian-backed threat actors continue cyber attacks on Ukraine amid warnings that they could attack other European nations.
This article was updated to include a comment by Secureworks.

Rory Bathgate is Features and Multimedia Editor at ITPro, overseeing all in-depth content and case studies. He can also be found co-hosting the ITPro Podcast with Jane McCallion, swapping a keyboard for a microphone to discuss the latest learnings with thought leaders from across the tech sector.