
China-backed hackers take down Amnesty International Canada for three weeks

Cyber security experts linked state-sponsored APTs to the tools and methodology of the attack, which may have been intended as a covert campaign

Amnesty International Canada confirmed that it was the victim of a Chinese state-backed threat actor in October which took its systems down for three weeks in an apparent espionage operation.

No evidence has been found to suggest that sensitive information was exfiltrated in the incident but Chinese state-backed cyber attackers are known for prioritising espionage as a key mission objective.

Once aware of the breach, Amnesty International Canada began an investigation of its network with the assistance of cyber security experts and forensic investigators, who determined that an advanced persistent threat group (APT) was behind the attack. Security firm Secureworks drew a link between the evidence and known methodology of China-backed hackers.

The threat actors were reportedly attempting to monitor the organisation's network without being detected, perhaps with the intention of building a list of contacts and Amnesty International activity, per CBC News.

"The assessment that this breach was likely perpetrated by a Chinese state-sponsored threat group was based on several factors," Mike McLellan, director, counter threat unit at Secureworks told IT Pro.

"Firstly, the tools, techniques and infrastructure we identified are consistent with those we have previously associated to Chinese threat groups.

"Secondly, the nature of Amnesty International Canada as an organisation, and more specifically the information that was targeted, would be of direct interest to the Chinese state. And thirdly, the length of time the threat actors were in the environment, coupled with the absence of any apparent attempt to monetise their access, for example by deploying ransomware, points towards espionage rather than financial gain as the motivation for the attack."

"This assessment is based on the nature of the targeted information as well as the observed tools and behaviours, which are consistent with those associated with Chinese cyber espionage threat groups," read the Secureworks report, via CBC News.

Secureworks keeps a detailed catalogue of threat actor profiles, with information on the states to which each threat group is linked, their known aliases, and the tools characteristic of each group. It has listings for ten such Chinese threat actors, with listed tools including CCleaner and PowerShell Empire.

“As an organisation advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” said Ketty Nivyabandi, secretary general of Amnesty International Canada in the organisation’s blog post on the incident.

“These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.”

“This case of cyber espionage speaks to the increasingly dangerous context which activists, journalists, and civil society alike must navigate today. Our work to investigate and denounce these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights,” she added.

Cyber security agencies such as the US Cybersecurity and Infrastructure Security Agency (CISA) and National Security Agency (NSA) have warned businesses that nation-state hacking tools are being used to compromise critical national infrastructure (CNI).

On 6 December, the US Secret Service seized millions in COVID funds stolen by China-backed hackers, tracked as APT41, in a first-of-its-kind fraud linked to a nation state. APT41 has previously been credited for the hacking of six US government networks, and a number of arrests have been made around individuals associated with the group.

Chinese cyber attacks have continued to dominate headlines, even as Russian-backed threat actors continue their cyber attacks on Ukraine and warnings persist that they could attack other European nations.

This article was updated to include a comment by Secureworks.
