This attack is the latest in an increasing trend of threat actors targeting nonprofits. Most nonprofits are not resourced to withstand this level of attack and, when they are breached and fall victim to such attacks, the effects are felt by the world’s most vulnerable people, and can be life-threatening. In the short term we need an emergency response to support nonprofits and urgently scale up their capabilities, and in the medium term we need to activate the necessary conditions for sustainability for nonprofits’ cyber-defense so they can continue their vital work.
The NetHope community is collectively calling for an urgent focus on the poor state of information security (cybersecurity) resourcing within the nonprofit sector.
This includes a renewed urgency on how programs are funded to ensure a robust cybersecurity framework is always in place. We call on funders and nonprofits to join us to address the systemic reasons for this “race to the bottom” that encourages nonprofits bidding for funding to frequently leave out important cybersecurity costs. When program designs must fund cybersecurity and data protection costs through overhead (indirect costs), it can lead to starving cybersecurity and data protection functions at a time when such investment is needed to counter increasingly sophisticated actors and targeted threats. When these functions fail, the effects are mostly felt by the world’s most vulnerable people, thereby exacerbating already large and complex world problems, increasing digital divides, and potentially leading to loss of life.
Considering this specific attack, which constitutes an immediate and serious threat, NetHope Members are working together to defend and remediate against these malicious actors and their effects in the short term. Collectively, NetHope Members have outlined critical actions all nonprofits must take urgently, which can be distilled as follows and require executive air cover and sponsorship.
Sophisticated cyberattacks are increasingly being perpetrated against nonprofits. Many of these attacks are launched by nation state actors, with the likely goals of espionage, reconnaissance, building out targeting profiles, and establishing long-term strategic footholds. In many cases the agencies that seek to protect the world’s most vulnerable people are specifically targeted for information that will result in greater vulnerabilities for these people. For example, recent events suggest that refugee identity data is being targeted because it is an easy route to identity fraud. Thus, we see that the agencies most at risk are the very ones that advocate for the world’s most vulnerable, expose human rights abuses, monitor elections, and in other ways hold duty bearers to account. The needed emergency response, to be fought in the digital realm, requires immediate increased resourcing and prioritization for digital protection, active threat hunting, and potential remediation activities. It is very likely that nation-state threat actors have already compromised nonprofits without their knowledge.
Most humanitarian organizations struggle to resource technology in an effective and transformative manner, let alone build a robust cybersecurity program on top of (or despite) their digital program. This struggle only increases when the nonprofit organization structure is inherently porous/distributed, for example in models that rely on implementing partners, government agencies, and volunteers to successfully deliver programs. In situations like these, cybersecurity presents a different puzzle than it does for traditional companies that have stronger and more predictable boundaries of interaction, as well as more conservative and hierarchical decision-making structures. Harder still is integration of cybersecurity risk into a broader program approach – especially for actors working in conflict zones or nonprofits/agencies that meet the increasing number of sophisticated state actors with offensive cyber programs.
Some donors are already realizing that cybersecurity should be part of their program agenda. USAID's recent exploration of cybersecurity as a fundable area is a notable move in the right direction. But there has never been a better time for a well-funded, cross-agency endeavor to make the ecosystem safer and more robust – or to take a firm stand on the law and ethics of attacking humanitarian actors. In the short term we call on our donors and tech partners to step up to help us address this specific threat – fast. In the longer term we need to leverage this springboard to unpack and address some of the harder challenges related to cybersecurity.
A comprehensive, cross-agency collaborative cybersecurity effort could provide huge humanitarian benefit at a time of unprecedented humanitarian need (exacerbated by Covid-19) and when many nonprofits are already stretched to breaking point in responding to humanitarian crises. Nonprofits deliver essential services when governments are not able to do so, serving as a last resort for billions of people globally. Thus, when malicious actors succeed in bringing them down, the impacts are not just financial (as would be the case in most corporations): the world’s most vulnerable people lose access to food, water, and vital health services. We have learned (anecdotally) that some data has even been used to facilitate loss of life.
A more robust collective nonprofit cybersecurity strategy is likely to directly align with the national interests of host/domestic governments for North American and European NGOs. The vast majority of NetHope's nonprofit Members receive funding from their respective states’ development agencies or foreign ministries. Threats realized in nonprofits will hamper their ability to fulfill donor contracts and the outcomes to which donor and host governments aspire, let alone worldwide priorities like the Sustainable Development Goals.
Excerpt from “Another Nobelium Cyberattack” published by Microsoft here:
“This wave of attacks targeted approximately 3,000 email accounts at more than 150 different organizations. At least a quarter of the targeted organizations were involved in international development, humanitarian, and human rights work. Nobelium launched this week’s attacks by gaining access to the Constant Contact account of USAID. Constant Contact is a service used for email marketing. From there, the actor was able to distribute phishing emails that looked authentic but included a link that, when clicked, inserted a malicious file used to distribute a backdoor we call NativeZone. This backdoor could enable a wide range of activities from stealing data to infecting other computers on a network. You can read more about the technical aspects of these attacks in this blog post from the Microsoft Threat Intelligence Center (MSTIC).”
For more information, please contact NetHope on behalf of its global Members: