NGOs: Fighting Human Rights Violations and, Now, Cyber Threat Groups

With so many non-government organizations (NGOs) in operation today around the world, we asked ourselves a question here at FireEye Labs. Who would think about targeting NGOs?  Steal from a nonprofit? It would seem unthinkable to most people. But, as we can see from a few recent examples below, this is a clear reality.

As more NGOs reach out to us, it is clear that the situation for them is not a pretty one. Based on the breaches we have observed in this space, it appears there are more than 15 distinct advanced threat groups active in NGO networks. The sheer volume and variety of threat groups active in NGO environments struck us as unusually high for a single industry and indicates the incredibly difficult threat landscape NGOs face.

Hamstrung by limited budgets to establish strong network defenses and few personnel that understand how and why these threats are materializing, NGOs make a relatively easy target. Even if they aren’t profitable, NGOs use credit cards for donations, transact with cash, store personally identifiable information (PII) and, in some cases, even house intellectual property.  Many NGOs also work on political issues—an inviting target for opponents who want to monitor their communications and activities. Weak defenses and a target-rich environment make NGOs an enticing victim to maliciously motivated threat actors.

Cyber Operations at NGOs: An Intelligence Collection Pursuit?

NGOs — particularly those based in the U.S. — have long been perceived as instruments of U.S. government policy. Regimes with a less-than-favorable view of the U.S. frequently consider NGOs’ work as a rallying point for domestic unrest and political opposition. Three nations that fit this description — China, Russia and Iran — are all rumored or known to have existing and growing cyber operations to support their governments’ political agendas. Data acquired from NGOs via network compromises has the potential to grant these nation-states valuable, predictive insights on key policy topics and NGO programming, as well as intelligence on personnel and their contacts.

Over the last few years, we have observed China-based advanced persistent threat (APT) groups frequently target U.S.-based NGOs. Unsurprisingly, they were organizations with programs that touched on Chinese human rights, democratic reforms, and social issues.  In these instances, data theft was not just limited to documents about NGO programming, but also included documents on grants, legal proceedings, research programs, and even employee communications. The threat actors and recipients of the stolen data were likely able to gain significant insights into the NGOs’ operations, issues, and personnel. Not only were the threat actors better positioned to understand the NGOs’ values and plans, but, more importantly, they could potentially identify in-country contacts for the NGOs. These domestic contacts could face repercussions for their collaboration with the NGO.


Figure 1: A sample breakout of the types of documents stolen from an NGO

Sought-After Financial Data Goldmine

Because NGOs are often dependent on donations from large donors and dedicated supporters, they maintain or process financial data of potentially great value to cybercriminals who seek to steal PII. This financial information could be used to perpetrate identity theft and other types of criminal exploitation, including the theft of credit card numbers, bank account information, and other PII of wealthy individuals. There are any number of cases of non-profits who were either breached via network compromise or even experienced the physical theft of devices that gave perpetrators access to databases filled with valuable information such as names, addresses and social security numbers. In one instance, a simple website misconfiguration exposed one nonprofit’s database of donors and their personal information.

The acknowledged wealth of many NGO donors likely contributes to the motivations financial threat groups would have in targeting NGOs. FireEye tracks a number of criminal threat groups who conduct network intrusions to obtain data similar to the kind NGOs manage in large quantities. These threat actors may seek financial gain from cyber operations through direct theft of funds or the resale of data they have stolen. Because NGOs maintain valuable financial data, and perhaps other data they perceive to be valuable, criminal threat actors may target these networks with the intent to profit.

Perception of Weak Defenses

When criminals are looking for an easy target, NGOs’ networks may be perceived to be easy pickings. Just as the common thief would rather steal items of value from a house without an alarm than one with, the same is true with advanced threat actors and cybercriminals. NGOs possess information of value that a variety of threat actors desire, and their networks can sometimes be far easier targets than government institutions or large commercial organizations, due to their typically limited resources when it comes to network security and defense.

Although NGOs face a unique landscape when it comes to advanced threats in terms of the sheer number of threat groups targeting them and the widely varying possible impacts of a breach, their operations and needs share many similarities with those of our small- and medium-sized (SMB) customers. To that end, FireEye Labs recommends reviewing our latest SMB-focused white paper for more insight into what the broader threat landscape looks like for NGO-like organizations. A copy of the paper can be found here: