Amnesty International Canada confirmed that it was the victim of a Chinese state-backed threat actor in October which took its systems down for three weeks in an apparent espionage operation.
No evidence has been found to suggest that sensitive information was exfiltrated in the incident but Chinese state-backed cyber attackers are known for prioritising espionage as a key mission objective.
Once aware of the breach, Amnesty International Canada began an investigation of its network with the assistance of cyber security experts and forensic investigators, who determined that an advanced persistent threat group (APT) was behind the attack. Security firm Secureworks drew a link between the evidence and known methodology of China-backed hackers.
The threat actors were reportedly attempting to monitor the organisation's network without being detected, perhaps with the intention of building a list of contacts and Amnesty International activity, per CBC News.
"The assessment that this breach was likely perpetrated by a Chinese state-sponsored threat group was based on several factors," Mike McLellan, director, counter threat unit at Secureworks told IT Pro.
"Firstly, the tools, techniques and infrastructure we identified are consistent with those we have previously associated to Chinese threat groups.
"Secondly, the nature of Amnesty International Canada as an organisation, and more specifically the information that was targeted, would be of direct interest to the Chinese state. And thirdly, the length of time the threat actors were in the environment, coupled with the absence of any apparent attempt to monetise their access, for example by deploying ransomware, points towards espionage rather than financial gain as the motivation for the attack."
"This assessment is based on the nature of the targeted information as well as the observed tools and behaviours, which are consistent with those associated with Chinese cyber espionage threat groups," read the Secureworks report, via CBC News.
Secureworks keeps a detailed catalogue of threat actor profiles, with information on the states to which each threat group is linked, their known aliases, and the tools characteristic of each group. It has listings for ten such Chinese threat actors, with listed tools including CCleaner and PowerShell Empire.
2022 IBM's Security X-Force cloud threat landscape report
Recommendations for preparing and responding to cloud breaches
“As an organisation advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” said Ketty Nivyabandi, secretary general of Amnesty International Canada in the organisation’s blog post on the incident.
“These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.”
“This case of cyber espionage speaks to the increasingly dangerous context which activists, journalists, and civil society alike must navigate today. Our work to investigate and denounce these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights,” she added.
Cyber security agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have warned businesses that nation-state hacking tools are being used to compromise critical national infrastructure (CNI).
On 6 December, the US Secret Service seized millions in COVID funds stolen by China-backed hackers, tracked as APT41, in a first-of-its-kind fraud linked to a nation state. APT41 has previously been credited for the hacking of six US government networks, and a number of arrests have been made around individuals associated with the group.
Chinese cyber attacks have continued to dominate headlines, even as Russian-backed threat actors continue cyber attacks on Ukraine, and warnings that they could attack other European nations.
This article was updated to include a comment by Secureworks.
