Employees at Insecurity Insight, a Switzerland-based nonprofit, received a string of malicious links and pornographic material on their cell phones after publishing a report last month on Russian attacks on hospitals in Ukraine.
The phishing messages were “on a scale we had never experienced” and came as staff members spent late nights documenting the war’s destruction, Christina Wille, the director of Insecurity Insight, told CNN. She suspects it was an (unsuccessful) attempt to deter her team from reporting on Russia’s war in Ukraine.
It’s just one example of a range of digital threats facing humanitarian-focused organizations as Russian President Vladimir Putin shows no sign of ending his brutal war on Ukraine.
In several other cases, malicious software has been used to target charities and aid organizations working on Ukraine “in order to spread confusion and cause disruption” to the provision of medical supplies, food or clothing, according to Amazon Web Services, Amazon’s cloud-computing division.
Humanitarian groups responding to the war remain focused on the physical safety of civilians and their employees. But overwhelmed aid organizations have also had to consider how closely linked the physical security of Ukrainians is to the cybersecurity of their data.
Cybersecurity experts are concerned that scammers or spies could use data exposed during Russia’s war to re-victimize people well into the future, by extorting or surveilling them. And many organizations lack the resources to recover from a big breach.
“There is your immediate safety, security life, and then there is actually, ‘How can cyberattacks repeat this harm over time with the data?’” said Klara Jordan, chief public policy officer at CyberPeace Institute, an organization that works to protect humanitarian groups from hackers.
‘Who protects the aid organizations?’
It is unclear how many humanitarian-related organizations responding to the Ukraine war have experienced cyberattacks. There are only anecdotal reports of incidents, documenting them is complicated by the chaos of war, and aid workers are understandably reluctant to discuss specific cases.
One Ukrainian cybersecurity specialist, Vadym Hudyma, said several civil society groups in Ukraine managed to avoid major disruptions by preemptively scaling back their online footprint on the eve of Russia’s invasion.
“Those organizations withstood these cyberattacks pretty well against websites,” said Hudyma, co-founder of Digital Security Lab Ukraine, an organization that helps secure the online accounts of journalists and activists.
But for aid organizations in Ukraine and abroad, there aren’t enough people like Hudyma.
“The most vulnerable are protected by aid organizations, but who protects the aid organizations?” said Adrien Ogée, CyberPeace Institute’s chief operating officer. “A lot of these NGOs [non-government organizations] don’t even monitor their networks … They don’t even know when they get attacked.”
Some NGOs are “worried that Russians may get their hands on on-prem [computer] servers,” Ogée said, referring to data physically stored in Ukraine that could contain information on political activists, refugees or donors.
Ogée and his colleagues are trying to cut into the cybersecurity resource gap through a program that connects NGOs around the world, including those working on Ukraine, with experts to mitigate the impact of potential hacking incidents. The CyberPeace Institute was able to help Wille, the Insecurity Insight director, assess the hacking attempts aimed at her organization, she said.
Help with the basics of cybersecurity — strong passwords, backed-up data and another layer of authentication for logins — can greatly reduce the likelihood that an organization gets hacked.
The alternative, Ogée said, is unacceptable. NGOs working in Ukraine and other war zones that fail to secure the data they handle are “potentially creating conditions for further attacks,” he argued.
There is also the risk of an already rampant disinformation environment around aid work in Ukraine being amplified by hacking.
In late February, hackers attempted to breach the email accounts of European government officials “involved in managing the logistics of refugees fleeing Ukraine,” according to cybersecurity firm Proofpoint, which discovered the incident.
Proofpoint investigators suspect that Belarusian state hackers may be behind the activity. One theory is that the attackers could try to use intelligence collected on refugees in NATO countries “that could be used to marshal anti-refugee sentiment” in Europe, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy.
Cyber activity and the Geneva Conventions
There is a meticulous project, involving thousands of investigators across Ukraine, to collect information on potential war crimes. There is no equivalent effort to catalog potential violations of international law in cyberspace during the war in Ukraine.
One reason is that any alleged crimes in cyberspace of course pale in comparison to the impact of mass killings.
But legal scholars and advocates are still paying close attention.
Cyberattacks on emergency response and humanitarian organizations in Ukraine “raise serious concerns under the Geneva Convention,” Microsoft President Brad Smith argued on February 28, four days into Russia’s latest war in Ukraine.
Tilman Rodenhäuser, a legal adviser at the International Committee for the Red Cross, went a step further.
Cyber espionage — which involves lurking on computer systems and collecting intelligence, rather than disrupting systems — against humanitarian organizations responding to a war could also break international law, Rodenhäuser told CNN.
The Red Cross, he said, is mandated to visit prisoners of war and to interview them about how they’re being treated.
“This confidentiality is protected in the Geneva Conventions,” Rodenhäuser added. “So, conducting espionage against such data would be very hard to reconcile” with that legal obligation.
The Red Cross itself was breached by unidentified hackers in November, an act the aid organization discovered in January. The personal information of half a million of the world’s most vulnerable people was exposed to the attacker, and the incident temporarily disrupted a global Red Cross program for reuniting refugees with their families.
The cyberattack “has not had a substantive impact” on the Red Cross program’s work in Ukraine, Red Cross spokesperson Jason Straziuso told CNN. But it “could have impacted our ability to reconnect separated families … around the Ukraine crisis” had the Red Cross not made “immediate repairs” to its computer systems, he said in an email.
There is no evidence that the hack was connected to the subsequent war in Ukraine. But it typifies the brazenness of computer intrusions targeting aid groups.
“Humanitarian organizations must be respected and protected online as they are offline,” Rodenhäuser said.