Civil society under increasing threats from ‘malicious’ state cyber actors, US warns
Russia, China, Iran and North Korea are increasingly targeting civil society organizations across the world, according to U.S. cybersecurity agencies.
In an advisory released on Tuesday, the FBI, Cybersecurity and Infrastructure Security Agency (CISA) and Department of Homeland Security (DHS) warned that nation-state hacking operations have set their sights on nongovernmental organizations, think tanks, human rights activists and journalists. Cybersecurity agencies in Japan, Estonia, Canada, the U.K., and Finland also contributed to the report.
Civil society organizations and their staff “are at high threat of being targeted by malicious cyber actors” who “seek to undermine democratic values.” The organizations also generally have low defense capacity because they “lack internal IT support and essential cyber hygiene to prevent the possibility of malicious activity (e.g., lifecycle management, patch management, multifactor authentication, password management).”
Many journalists and dissidents are forced to rely on “insecure channels for communication and need to manage public profiles to advance their work” — exposing them to common threats like social engineering.
The goal of most government hacking groups is intimidation, harassment, coercion, and surveillance, according to the agencies. State-sponsored actors use a variety of tactics to gain initial access and then “often install spyware on the compromised devices to conduct more extensive surveillance, such as location tracking and access to files.”
Using cybersecurity industry monikers, the advisory names North Korea’s Velvet Chollima; China’s Mustang Panda and Earth Empusa; Iran’s Charming Kitten; and the Syrian Electronic Army as government-backed groups specifically targeting a mix of aid organizations, religious institutions, dissidents and others.
In addition to the groups named, research “suggests that numerous other countries also leverage digital transnational repression tactics, focusing on punishing and silencing dissenters.”
“State-sponsored actors seek to undermine fundamental democratic and humanitarian values and interests supported by civil society organizations and individuals,” CISA director Jen Easterly said in a statement. “However, these high-risk community organizations often lack cyber threat information and security resources.”
The advisory links to reports from the European Union Agency for Cybersecurity, Microsoft, CrowdStrike and Cloudflare — which have all shown startling increases in attacks on civil society organizations.
John Scott-Railton, a senior researcher at Citizen Lab, said on social media that the same groups targeting well-funded governments and Fortune 500 companies also go after civil society, which typically cannot afford to spend resources on cybersecurity tools.
Citizen Lab has uncovered government hacking campaigns involving spyware tracking dissidents, journalists and others.
“Historically law enforcement & governments in democracies have been achingly slow to recognize this issue and help out groups in need. Dissidents & members of diaspora groups have often been met with puzzlement when reporting complex digital security concerns to local police,” Scott-Railton said.
“Explicit recognition by a group of democracies of the scale of the threat to civil society and its texture of the challenge is an important first step and hopefully opens the conversation for more leaning in from the signatories.”
The 19-page advisory lays out a trove of mitigations and measures civil society organizations can take to better protect their workers. It also urges software and hardware manufacturers to build cybersecurity into their products.
Bryan Vorndran, assistant director of the FBI’s cyber division, said the goal of the advisory was to “help these entities, whether they are nonprofits, think tanks, or groups working to defend human rights and advance democracy, defend themselves against malicious state-sponsored actors looking to exploit them.”
Jonathan Greig is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.