The human rights organization said it first detected the breach on October 5, when suspicious activity was discovered on Amnesty’s IT infrastructure. An investigation by forensic investigators and cybersecurity experts was immediately launched, and steps were taken to protect the organization’s systems. This involved taking all organizational and email systems offline for nearly three weeks, which had a “significant impact” on Amnesty Canada’s operations, fundraising and planned human rights work, Ketty Nivyabandi, secretary general of Amnesty International Canada, told TechCrunch.
Amnesty said there is no evidence that any donor or membership data was exfiltrated by the attackers, but Nivyabandi told TechCrunch that the threat actors had access to Amnesty’s working files. Nivyabandi added that while the breach was first detected in October, the attacker’s intrusion efforts began in July 2021, but declined to share further information regarding the nature of the breach.
U.S. cybersecurity company SecureWorks, which was hired by Amnesty International to investigate the breach, has established that “a threat group sponsored or tasked by the Chinese state” was likely behind the attack. Its investigation found that the attackers used tools and techniques associated with specific advanced persistent threat groups (APTs), targeted information consistent with Chinese cyberespionage threat groups and made no attempt to monetize the access.
Barry Hensley, chief threat intelligence officer at SecureWorks, declined to say if the company had linked the attack to a specific APT group. However, in a statement given to TechCrunch, he praised Amnesty, saying its “openness and transparency about recent events will undoubtedly help all organizations facing persistent and sophisticated threat actors.”
Amnesty said it is speaking out publicly about the attack to warn other human rights organizations. News of the breach comes just a day after a joint investigation by Amnesty International’s Security Lab and Human Rights Watch found that threat actors backed by the Iranian government were targeting human rights activists, journalists, diplomats and politicians working in the Middle East.
“As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work. These will not intimidate us and the security and privacy of our activists, staff, donors and stakeholders remain our utmost priority,” said Nivyabandi.
“This case of cyber espionage speaks to the increasingly dangerous context which activists, journalists and civil society alike must navigate today. Our work to investigate and denounce these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights,” Nivyabandi added.