We always knew that governments and military forces spied on each other. But over the last five years or more, we’ve seen them spying on NGOs, journalists and human rights workers, too.
The world first became aware of states hacking “civilian” targets in 2010, when Google revealed it had detected an intrusion by the Chinese government. Adobe Systems and Juniper Networks then confirmed they were attacked as part of the same campaign, and further investigation revealed that Yahoo and Symantec were also targeted. At the same time, the Chinese were using similar tactics against Tibetan NGOs, and their targeting of the Tibetan community continues to the present day.
Hacking activists has become common practice for governments around the world.
Morgan Marquis-Boire and Eva Galperin
Since then, hacking activists to access their communications, networks and online lives has become common practice for governments around the world. When a wave of revolutionary uprising swept through the Arab world in 2011, a campaign of targeted surveillance of activist groups came with it.
Journalists, activists and lawyers
Mamfakinch, a Moroccan citizen journalist organization, was hacked by its government using commercial spyware sold by Italian surveillance vendor Hacking Team. Bahrain Watch, an NGO devoted to tracking arms sales to the Bahraini government, was targeted, along with other prominent Bahraini activists and lawyers, using another commercial spyware package, FinFisher (which, while German-made, was at the time distributed by the British company Gamma Group).
In the United Arab Emirates, Ahmed Mansoor, a member of Human Rights Watch’s Middle East advisory committee, opened a malicious document which implanted Hacking Team’s spyware on his computer, allowing the local authorities to track his movements and read his email. A group of hackers supporting the Syrian government and calling themselves the Syrian Electronic Army also went on a hacking spree, compromising many news organizations as well as Human Rights Watch.
Multi-layered hacking
This activity certainly isn’t limited to the Arab world. The UK’s intelligence agencies have intercepted the private communications of Amnesty International. In late 2012, the Center for Democracy and Technology in the USA was targeted by groups sponsored by the Chinese state. In December 2013, Electronic Frontier Foundation (EFF) employees in the USA who had been working with Vietnamese activists were targeted by groups associated with the Vietnamese government.
The attempt on the EFF was part of a multi-year targeted hacking effort which included the targeting of an Associated Press journalist, a France-based Vietnamese academic, and the founder of “Ba Sam”, one of the most popular Vietnamese dissident blogs. More recently, in August of 2015, another EFF activist was targeted in a complicated phishing attack by people associated with the Iranian Government.
Tip of the iceberg
These documented attacks are almost certainly the tip of the iceberg. Analyzing incidents to the point where solid statements can be made about the attackers requires time and expertise, and even then may not yield conclusive results. For example, an online attack on the Committee for the Protection of Journalists in 2012 appeared to be politically motivated, but was never attributed to a particular government.
There are other reasons why attacks against NGOs go undocumented. Many NGOs simply don’t have the infrastructure necessary to recognize when an attack is taking place. Even if they do notice something, like a phishing email, they often lack in-house expertise, don’t know where to seek additional help, or are reluctant to reach out because it means admitting to having been compromised. Additionally, many NGOs choose not to go public with their security problems for fear of undermining the trust that activists place in their organizations.
Silence helps the attackers
So, what can NGOs and human rights organizations do? As a first step, they need to understand they can’t rely on encrypted communications alone to protect themselves. Then they need to create a response plan for dealing with targeted attacks, including developing a network of experts to contact in the event of an attack as well as paying for infrastructure and security professionals.
Finally, organizations should consider going public when they are the targets of state-sponsored hacking. Silence only helps the attackers. Publicly-available information about state-sponsored attacks is useful to other NGOs facing similar threats, gives potentially-vulnerable users the information that they need in order to take additional steps to protect themselves, and allows us to have a realistic conversation about the threats faced by activists all over the world and what can be done to protect them.
Morgan Marquis-Boire is an acting Advisor on Amnesty’s Technology and Human Rights Council, providing threat intelligence and security expertise to inform our research and advocacy on human rights abuses related to emerging technologies. Eva Galperin is a Global Policy Analyst for the Electronic Frontier Foundation in San Francisco.