OTTAWA, Canada—Non-profits and human rights groups are being hacked by "threat actors" in China with the kind of sophistication that governments and Fortune 500 companies are dealing with but with a lot fewer resources, according to a new report.
Ten groups participated in a four-year study by The Citizen Lab, an interdisciplinary laboratory based at the Munk School of Global Affairs at the University of Toronto. The Lab identified 2,814 malicious payloads, or virus components that have different subversive jobs, targeting these groups.
The groups are focused largely on human rights-related work in China, many of them on Tibetan issues.
The report found that these attacks were draining their victims, undermining their core communications, and risking the safety of people the groups communicate with in foreign countries.
Safety and Cost
This is one of the concerns of Urgyen Badheytsang, national director of Canada for Students for a Free Tibet International.
"There have been countless Tibetans arrested because they have shared information from inside Tibet about uprisings and self immolations," he said.
The report adds, "in the most serious cases, staff or individuals with whom they are in contact may experience physical intimidation, abuse, detention, or imprisonment by authorities that stems in whole or in part from surreptitiously monitored communications."
But cost is the most common impact. Paying to prevent or remediate intrusions undermines a group's efficacy as they spend time and money trying to secure themselves or track down the vulnerabilities that led to intrusions.
Degraded communication can also deeply damage the work of civil society organizations (CSOs), especially those that depend on vulnerable populations in foreign countries, like Tibetans in China, to collect information and document abuses.
"If digital attacks of CSOs continue to spread unchecked, we risk the gradual erosion of many of the core institutions of a vibrant democratic society: NGOs, foundations, independent journalists, activists, and others—all of which have experienced and continue to experience targeted threats," warns the report.
For those in safe countries, the report says these attacks create a sense of violation, fear of harm for themselves or loved ones, and a loss of morale that has been dubbed "malware fatigue," the feeling that these attacks cannot be escaped.
That can cause groups to become less diligent and abandon security practices. Groups can also be blamed by others who were compromised as a result of the attack.
The report focuses on the ways the Chinese regime and others target overseas civil society groups, using approaches that range from customized malware to social engineering, sometimes employing highly skilled "cyber militias." But it also notes that repurposed crimeware was used by the Assad regime against rebels during the Syrian civil war, and expensive off-the-shelf solutions provided by companies like FinFisher and Hacking Team have also been used by repressive regimes.
Such software is marketed as a way for legitimate governments to go after criminals, but that isn't always the case, says the report.
"Citizen Lab research has identified troubling evidence that these products and services are ending up in the hands of regimes that are using these powerful tools to actively target civil society."
Governments can help by cracking down on the unregulated market for commercial spyware, Citizen Lab says.
The report suggests that the private sector, civil society, and government work together to share threat information and coordinate their efforts to prevent and defend against these attacks.
States that believe in the right to privacy and freedom of expression should address attacks against civil society as seriously as those against the defense and private sector, Citizen Lab says.
"We have not seen the US Attorney General demand an end to the persistent attacks of US-based NGOs that work on China-related human rights issues, despite the threats to life and liberty that could result," the report said.