Just weeks after the Russian invasion of Ukraine began in 2022, employees of Insecurity Insight, a Switzerland-based non-governmental organization (NGO) that provides humanitarian organizations with conflict-related data, began receiving pornographic material on their smartphones.
Emails that looked like phishing attempts were also blasted at the non-profit’s employees.
Insecurity Insight found at one point its website was taken offline.
Remote and Neutral Doesn't Mean Secure
The incident was “a wake-up call” for the non-profit, its director Christina Wille told Infosecurity.
“We’re helping humanitarian NGOs, but we are not an aid organization. Until then, we had felt completely safe, operating remotely from neutral Switzerland, and not having any in-country operation that would put us at risk of being attacked,” Wille said.
They were wrong. Whether working online or on-premises, small or big, all NGOs can be targeted by cyber-attackers.
Two months before the incident at Insecurity Insight, the International Committee of the Red Cross (ICRC), part of the largest humanitarian network in the world, noticed that some of its servers were hacked in a sophisticated cyber-attack.
The servers hosted personal data belonging to more than 515,000 people worldwide.
An investigation into the incident concluded that threat actors exploited a vulnerability in the password management system Zoho ManageEngine ADSelfService Plus – an exploit previously used by Chinese state-backed hackers in several other attacks.
We are taking this cyber-attack extremely seriously and are working with our humanitarian partners to take the appropriate measures to safeguard our data.https://t.co/Fzm6V1jOHd
— ICRC (@ICRC) January 19, 2022
That same month, a Doctors Without Borders server in Spain was compromised.
These incidents prompted a former black hat hacker, Florent Curtet, to found Hackers Without Borders (HWB), an NGO helping other NGOs respond to cyber-attacks, with three other IT and security experts.
In October 2022, Amnesty International Canada was the target of a cyberattack where tools and techniques associated with specific advanced persistent threat (APT) groups were deployed.
NGOs Are in Cyber-Attackers' Crosshairs
Two-thirds of NGOs Fear Permanent Damage from Cyber-Attacks
Globally, the non-governmental sector is the second most targeted by cybercriminals and hacktivists after IT, according to the Organization for Economic Co-operation and Development (OECD).
The OECD figure doesn’t surprise Stéphane Duguin, CEO of the CyberPeace Institute, another NGO helping non-profits to mitigate cyber threats.
“NGOs are particularly vulnerable because they’re in all sorts of cyber-attackers crosshairs, from financially motivated to nation-state actors and hacktivists, with all types of motivations (religious, political…). Why? Because they operate where no one wants to go anymore,” he told Infosecurity.
“It’s not so much big-head hunting that they have to fear most at this point because, first, they’re more likely than other organizations to have their IT systems down because of mass phishing campaigns or ransomware attacks due to an unpatched vulnerability,” Duguin added.
According to the CyberPeace Institute, NGOs are usually aware of the threats but ill-prepared to fight against them.
The Institute’s 2023 Analytical Report showed that 70% of NGOs said they either don’t think or are not sure whether they have an adequate level of resilience to recover from a disruptive cyberattack.
NGOs’ Biggest Hurdle is a Lack of Human Resources
Several experts Infosecurity spoke with confirmed that NGOs can generally use some IT and security services for free, such as the those provided by Google (Google Workspace), Microsoft (Microsoft 365), and Amazon (Amazon Web Services).
However, when in need of security assistance, most NGOs do not know where to go nor who to talk to, Wille explained.
"When I realized what was happening, I quickly felt out of my depth because we have not really been prepared for this."Christina Wille, director, Insecurity Insight
Moreover, Duguin insisted that the biggest hurdle for NGOs is not so much the lack of solutions, but the lack of human and financial resources.
The CyberPeace Institute found that in 2023 over half (56%) of NGOs reported that they did not have a budget to deal with IT issues – let alone cyber-attacks – and 33% said they had no IT support or technical expertise.
NGO’s lack of IT budget is due not only to their overall lack of funding but also to their funding model, Duguin noted.
“They’re largely funded through grants, which are motivated by specific projects relating to the NGO’s mission. Cybersecurity is almost never part of it,” he explained.
Additionally, many NGOs do not have the capacity to monitor cyber risks and respond to incidents.
According to the CyberPeace Institute report:
- 70% do not have any incident response, analysis, or in-house investigative capabilities in the case of a cyberattack
- 63% do not monitor the clear or dark web for leaked credentials or compromised accounts/infrastructure
- 37% do not believe they have the capability, or are uncertain about their capacity, to detect potential security incidents or suspicious activity
“When I realized what was happening on the phones and email addresses of our staff, I quickly felt out of my depth because we have not really been prepared for this,” Wille recalled.
How the CyberPeace Institute Helps Defend Against Cyber Threats
Matching NGOs’ Cyber Needs With Cyber Experts
Insecurity Insight was put in contact with the CyberPeace Institute to help handle the incident.
The CyberPeace Institute was founded in Geneva in September 2019, with funding from the Hewlett Foundation, Mastercard, Microsoft, the Ford Foundation and Facebook.
While its initial mission was to help the healthcare sector respond to skyrocketing cyber-attacks during the COVID-19 pandemic, the Institute now helps over 215 other NGOs across all industries.
It now has 30 staff members and collaborates with 700 volunteers from companies in the technology and cybersecurity sectors. These partner businesses allow their employees to dedicate some of their office hours to work for the Institute, usually as part of their environmental, social, and governance (ESG) program.
As well as offering advice and helping NGOs implement security solutions, the CyberPeace Institute runs the CyberPeace Builders Program.
“We match people with IT, cyber or data security expertise with an NGO with technical needs,” Duguin explained.
In practice, the CyberPeace Institute staff breaks down the needs of an NGO into specific, punctual tasks – that would take up no more than a few hours – on their own Trello-like dashboard, where they describe the mission’s characteristics (objectives, time needed, language, resources needed…).
Next, the volunteers choose among the several tasks displayed on the dashboard and start communicating with the receiving NGOs without knowing anything about the NGOs’ identities.
“Finally, we at the Institute are in charge of matching both parts and then they can start working together,” Duguin added.
“A handful of volunteers came to work with us individually, but we always make sure they have useful skills and work in a serious company. And we always run a thorough due diligence process before onboarding them.”
Equipping Insecurity Insights with Essential Tools
When Insecurity Insight’s Wille reached out to the CyberPeace Institute, the first mission for the CyberPeace Builders was to conduct a cybersecurity assessment of the NGO.
Then, the CyberPeace Builders helped Insecurity Insights implement basic security measures, such as adopting strong passwords, using a password manager, generalizing multifactor authentication (MFA), and backing up data.
The Builders also provided the NGO staff and volunteers with dark web monitoring, cybersecurity training and a simulated phishing attack.
“Now, we have check-ins with the CyberPeace Builders every three months. At the end of 2023, we conducted a similar cybersecurity assessment to the one we did a year earlier, showing a 45% improvement rate,” Wille said.
“The Institute’s help has been very beneficial for us to enhance our cyber hygiene. We now have made MFA compulsory for everything we do. We ask everyone to avoid using public Wi-Fi networks or a VPN. Finally, we keep reminding our volunteers and staff to monitor their emails, apps, and devices, especially when we release a new report,” she added.
MITRE’s Mission to Standardize Cyber Resilience for NGOs
Following its collaboration with the CyberPeace Institute, Insecurity Insight’s Wille continued the orgnaization’s cyber efforts beyond the security basics.
At the end of 2022, she contacted MITRE, the non-profit organization behind the threat intelligence ATT&CK framework, to help her NGO become more cyber resilient.
Speaking to Infosecurity, Victoria Gammino, senior principal scientist at MITRE’s Biomedical Innovation Division, commented: “Although we are ourselves a non-profit, our focus isn’t traditionally to help secure NGOs. We got involved as part of a wider initiative focused on support for Ukraine started in 2022.”
"We are now trying to develop a [cyber resilience] framework that can be used by other humanitarian NGOs."Matt Boyas, principal data scientist, MITRE
MITRE and its technical partner JTEK Data Solutions helped the Swiss NGO draft a long-term ‘technology roadmap’ to improve its response to future cyber-attacks.
Matt Boyas, principal data scientist at MITRE, explained: “First, we worked with Insecurity Insight on an incident response plan. Then, through research and interviews, we developed a long-term roadmap that plans the typical steps an organization can take to enhance its cyber posture within the next five, 10 or 20 years in the context of a small-sized humanitarian NGO with limited resources.”
MITRE presented the result of their work during the first edition of the Global Conference on Cyber Capacity Building (GC3B), held in Accra, Ghana, in November 2023.
“We’re now trying to generalize the process we’ve been through with Insecurity Insight to develop a framework that can be used by other humanitarian NGOs. Now, all of this is supposed to be written up and published in an academic journal at some point in the future,” Boya concluded.
Conclusion: Collaboration Is the Way Forward
The outcomes from Insecurity Insight’s March 2022 “wake-up call” could soon benefit the whole humanitarian sector.
The move comes at a timely moment, when efforts are being made to collaborate more between like-minded organizations helping non-profits against cyber threats.
Speaking to Infosecurity, Karim Lamouri, president of Hackers Without Borders, said that, despite diverging visions between his organization and the CyberPeace Institute, he strives for a broader coalition.
“As cyber-mavericks, we have a very different model to the CyberPeace Institute model. We work with individual volunteers and not companies, we refuse corporate funding and we don’t even have a bank account. However, I’d love to see the day when we can join forces with the CyberPeace Institute – and others to curb the increasing number of cyber-attacks faced by NGOs.”
While he admitted there is no contact with HWB, Duguin insisted that the CyberPeace Institute is expanding its effort to drive further collaboration with other organizations.
In February 2023, it centralized all its security resources and services designed for humanitarian NGOs in a bundle branded as the Humanitarian Cybersecurity Center, launched in collaboration with the cybersecurity industry and academia.
In June, it joined seven other partners in the EU-funded Underserved Project, a two-year initiative to develop a platform for reporting and analyzing threats intended for sectors vulnerable to cyberattacks yet lacking the resources to mitigate them effectively.
This platform will be based on the open source MeliCERTes platform, originally developed under the framework of the Connecting Europe Facilities – Cybersecurity Digital Service Infrastructure — SMART 2015/1089 initiative.
Finally, the Institute’s CEO told Infosecurity that it regularly collaborates with other NGOs helping mitigate digital threats, such as Access Now and Amnesty International.
The collaborative efforts mentioned represent a significant step forward in safeguarding the humanitarian sector.
However, the fight against cyber threats is ongoing. Continued support and participation from all stakeholders, including governments, tech companies, and individual volunteers, is essential to ensure NGOs can securely operate, in conflict zones as well as in cyberspace.
This would be a crucial step towards making the cyber assistance one-stop-shop Wille is hoping the humanitarian sector could benefit from.