EU DisinfoLab is an independent non-profit organization tackling sophisticated disinformation campaigns. They were recently targeted in a cyberattack. With their co-founder and executive director we discuss how they managed this and what such attacks mean for civil society.
Originally from Clermont Ferrand in central France, Alexandre Alaphilippe built his career in digital communications in the public and private sectors.
Alexandre co-founded EU DisinfoLab https://www.disinfo.eu/ in 2017, based in Brussels, to tackle disinformation campaigns. EU DisinfoLab came to public attention after exposing international disinformation campaigns such as “Indian Chronicles”, an operation that targeted the EU and the United Nations for 15 years to promote Indian interests, and for exposing connections between a news agency based out of Moscow, Inforos, and Russia’s Main Intelligence Directorate, the GRU.
Due to the nature of its work, EU DisinfoLab has developed a security culture unusual for a non-profit organization of relatively small size. We, at the CyberPeace Institute, had a conversation with them to understand what happened when they were targeted by a cyberattack and how they reacted, to extract key learnings for other civil society actors.
On the afternoon of 25 May 2021, along with 149 other non-governmental organizations around the world, EU DisinfoLab received an email from USAID, the US Agency for International Development. USAID gives millions of dollars of funding to NGOs around the world each year.
The email, shown below, invited recipients to click on a link. Upon doing so, victims’ devices downloaded a piece of malicious code that gave the attacker persistent access to their machine and allowed “action-on objectives, such as lateral movement, data exfiltration, and delivery of additional malware”. In non-technical terms, those who opened the email and clicked the link were at risk of having their emails and files stolen, their IT systems encrypted, their staff blackmailed and their reputation tarnished. The list of possible harms is long.
This attack, attributed by Microsoft to Nobelium, the same group that compromised US company SolarWinds in a high-profile supply chain attack at the end of 2020, is noteworthy for two aspects:
First, it involved gaining a foothold into USAID’s ICT system, then using legitimate email accounts from the Agency to launch the attack.
Second, the attack specifically targeted several NGOs. Along with the growing recognition of the critical roles that NGOs play in society, they are increasingly targeted by adversarial attacks.
What can civil society learn from this attack?
- Consider why any sender of an email or message would write to you and check the content before clicking anywhere
As Alexandre pointed out, the sender is not one of DisinfoLab’s regular contacts: an email received from USAID was out of context. This is a red flag. Additionally, the email content relating to Donald Trump wasn’t expected either; it wasn’t part of an ongoing conversation. Red flag.
- Consider the recipient’s email address
The email was sent to a shared mailbox which had not been significantly promoted. The DisinfoLab team wasn’t used to receiving this type of email there. Another red flag.
- Double-check the sender’s email address
Scammers often disguise an illegitimate email address with an alias. “USAID” could be displayed as the sender’s alias with the actual email address behind being “[email protected]”. EU DisinfoLab checked the sender’s email address simply by Googling it: it looked valid, suggesting the email could be legitimate.
- Check the links
Phishing emails – like this USAID example – attempt to trick recipients into clicking on a link that will take them to a site the attackers control, where they can then steal credentials or install malicious software. The EU DisinfoLab team hovered over the links, saw they were not pointing to a usaid.gov domain, and copied them by right-clicking on them. They took the right action: it is crucial not to left-click on or open such links. EU DisinfoLab then used a free service called VirusTotal to check the domain, revealing that it had already been used for phishing and other fraud. This is an indicator of compromise, and in this case a confirmation of a phishing attempt. EU DisinfoLab benefited from the fact that other organizations had already flagged this domain as a threat, which enabled them to assess the risk they were facing.
- Alert your staff as early as possible
Despite the sender’s email address, the team at EU DisinfoLab realized this email was not legitimate. They alerted all staff, instructing everyone not to click or share the email and to immediately report any instances where it had already been opened or shared.
What is the best way to do that? Take a screenshot of the email and share that.
Consider that some of your staff may have forgotten that they clicked on the email link, or be reluctant to admit it, or may not see the alert. If you have the capability, it is critical to check endpoint logs, to verify whether anyone did in fact click on the link. Consider that a compromised workstation may have downloaded or installed malicious software. Running an antivirus scan on all workstations can help assess and even contain damage.
- Start an incident log
As soon as you realize that something is out of the ordinary, start keeping notes to record what you have done and learned. The amount of data generated by an incident can grow rapidly: it is easy to lose or forget critical information. At EU DisinfoLab, one person consolidated these notes for the incident log. They had a procedure in place.
- Look for information
Beyond VirusTotal, you can Google key indicators (URL, email address, etc.) to see whether security vendors or governments have published advisories linked to the email address or domain name in question. These advisories often include mitigation measures that can be taken, such as the advisory in Microsoft’s blogpost on Nobelium published on 27 May. Use these advisories to support your assessments and to introduce mitigation measures; and note that your antivirus program may not yet be able to detect the particular threat.
- Ask for help
If you do not have clear and effective mitigation steps in place, don’t be afraid or hesitate to ask for help. Managing the response in such situations is not a trivial undertaking for civil society organizations, as governments will rarely offer any support and professional services can be costly. Knowing this, EU DisinfoLab had chosen a provider specifically for its security expertise and willingness to help them upskill; they turned to them for help first. Thanks to long-established contacts, Alexandre was also able to get rapid and free assistance from a security vendor. Preparation can be vital. Build these connections before, not during, an incident. There are a few other options for not-for-profit organizations seeking free digital assistance, including at the CyberPeace Institute.
- Think about your communications
The New York Times published an article on 28 May revealing that EU DisinfoLab was amongst the targets, with little advance notice, notably due to the differences in time zones. EU DisinfoLab was indeed targeted, but the attack failed. Still, being mentioned as a target in a major news outlet is sufficient to potentially impact trust with beneficiaries, donors and other media actors, who may confuse being a target for being a victim. To take control of the narrative, EU DisinfoLab issued a short, factual statement, acknowledging the attack, explaining the steps taken to reassure its stakeholders, and highlighting the apparent absence of impact from the attack.
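The sender and link checks described under “Double-check the sender’s email address” and “Check the links” can be scripted for a first triage pass. The following is an added example, not code from EU DisinfoLab or the CyberPeace Institute: it parses a constructed sample message (the `.example` addresses and `triage` function are invented for illustration) and flags a display name whose real address is outside the expected domain, and any link whose hostname is not genuinely under that domain, including the “trusted-name-as-subdomain” trick.

```python
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message modelled on the pattern in the article.
# The addresses and hosts are invented; .example is a reserved TLD.
SAMPLE_EML = b"""From: "USAID" <alerts@usaid-updates.example>
To: contact@example.org
Subject: Special alert from USAID
Content-Type: text/html; charset=utf-8

<html><body>
<p>USAID has released a new report.</p>
<a href="https://usaid.gov.update-center.example/report">View report</a>
<a href="https://www.usaid.gov/about">About USAID</a>
</body></html>
"""

# Matches the target of each href attribute in the HTML body.
URL_RE = re.compile(r'href=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)


def same_org(host, trusted):
    """True only if host IS the trusted domain or a real subdomain of it.
    'usaid.gov.evil.example' or 'notusaid.gov' must not pass."""
    host = host.lower().rstrip(".")
    return host == trusted or host.endswith("." + trusted)


def triage(raw, trusted_domain="usaid.gov"):
    """Return a list of human-readable red flags for one raw RFC 5322 message.
    Hypothetical helper, not part of any vendor tool."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    display, addr = parseaddr(str(msg.get("From", "")))
    findings = []
    # Red flag 1: display name says one thing, actual address domain another.
    sender_domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    if not same_org(sender_domain, trusted_domain):
        findings.append(f"sender domain mismatch: display '{display}' "
                        f"but address domain '{sender_domain}'")
    # Red flag 2: any link whose host is not really under the trusted domain.
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in URL_RE.findall(text):
        host = urlparse(url).hostname or ""
        if not same_org(host, trusted_domain):
            findings.append(f"link host outside {trusted_domain}: {host}")
    return findings
```

Run `triage(SAMPLE_EML)` on the constructed message and it reports the mismatched sender domain and the first link, while the genuine www.usaid.gov link passes.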
Security culture eats security strategy for breakfast
EU DisinfoLab’s experience is a valuable example of an organizational culture that takes security seriously. As a small non-profit organization, it cannot have the same security technologies as larger organizations. However, a conscious approach to embedding security into all their activities helped EU DisinfoLab fend off this attack.
It is such a security culture that pushed them to upskill through their contractors, rather than merely outsource all their IT and security.
It is such a security culture that pushed EU DisinfoLab, despite its size and age, to prioritize preparation and investment in phishing simulations, cybersecurity training for staff, tabletop exercises, and other mitigation tools.
It is such a security culture that is reflected in staff recruitment, onboarding, data management and other work-related procedures.
And it is the same security culture that pushed Alexandre to take our call. He understands that cybersecurity can be a critical advantage to an NGO. Disinformation is a highly complex domain and in the operating environment of EU DisinfoLab threats are common – digital and physical, organizational and personal.
All NGOs operate in difficult environments, filling gaps not covered by governments and private actors, supporting often vulnerable communities. Not talking about the threats that affect NGOs will not deter adversaries. In fact, talking openly about threats confronting NGOs is to their benefit in three tangible ways:
- It helps other NGOs to realize they can be targeted too, while providing practical advice and solutions.
- It reveals how a strong security culture, even for small organizations, goes a long way in fostering the emergence of a robust, united civil society.
- It raises awareness and helps bridge the accountability gap that arises because the critical services civil society provides go unrecognized.
We asked Alexandre what his hopes were for cyberpeace.
As a small NGO, feeling part of a community and knowing who else was targeted by a cyberattack is important, so as to exchange information and best practices. Peer-to-peer exchanges can be extremely valuable in learning lessons and strengthening know-how. For civil society organizations providing critical services, obtaining recognition but also appropriate assistance from the host state, the private sector or even other NGOs, could also contribute to building a safer cyberspace.
The CyberPeace Institute helps NGOs like EU DisinfoLab protect themselves, connect with other civil society actors, and share information about the cyber threats they face. Contact us for more information at [email protected].