Amnesty International breach linked to Chinese government, investigation finds

Amnesty International's Canadian branch suffered a data breach by a group allegedly sponsored by the Chinese government, according to a statement from the organization this week. 

The human rights organization said it discovered the breach on October 5 after employees detected activity they deemed “suspicious” on their IT infrastructure. The organization hired forensic investigators and cybersecurity experts from Secureworks to examine the situation. 

Secureworks determined that tools and techniques associated with specific advanced persistent threat (APT) groups indicated that the breach was likely conducted by “a threat group sponsored or tasked by the Chinese state.”

Amnesty International Canada and Secureworks did not explain what specifically led them to this conclusion, with the human rights giant saying the assessment was based “on the nature of the targeted information as well as the observed tools and behaviors, which are consistent with those associated with Chinese cyberespionage threat groups.”

“This case of cyberespionage speaks to the increasingly dangerous context which activists, journalists, and civil society alike must navigate today. Our work to investigate and denounce these acts has never been more critical and relevant,” Ketty Nivyabandi, secretary general of Amnesty International Canada, said in a statement.

“We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights.”

Amnesty International Canada said it decided to speak out about the incident to warn other human rights organizations about the increased threat they now face, particularly from state-backed groups intent on siphoning critical information and disrupting human rights work. Secureworks lauded the organization for being open about the attack.

“Amnesty International Canada’s openness and transparency about recent events will undoubtedly help all organizations facing persistent and sophisticated threat actors," said Barry Hensley, chief threat intelligence officer at Secureworks.

Earlier this year, the Red Cross dealt with a wide-ranging hack that targeted a program called Restoring Family Links, which is a web-based system used by Red Cross volunteers to reunite family members separated by conflict, disaster, or migration. 

The Red Cross said there were indicators that the attack was conducted by a state-sponsored group and noted that the hackers gained entry using CVE-2021-40539 – a vulnerability affecting password management company Zoho commonly used by a Chinese state-sponsored group known as APT27.

Several other campaigns against human rights groups and activists have been uncovered this year, including attacks on the Uyghur community as well as activists, journalists, diplomats and politicians working in the Middle East. 

Amnesty International Canada did not say what information was stolen during the attack on their infrastructure but noted that no membership or donor data was taken. The organization has already contacted law enforcement and is taking several measures to strengthen its digital security. 

“As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work,” Nivyabandi said. 

“These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority.”