The phishing messages were “on a scale we had never experienced” and came as staff members spent late nights documenting the war’s destruction, Christina Wille, the director of Insecurity Insight, told CNN. She suspects it was an (unsuccessful) attempt to deter her team from reporting on Russia’s war in Ukraine.
It’s just one example of a range of digital threats facing humanitarian-focused organizations as Russian President Vladimir Putin shows no sign of ending his brutal war on Ukraine.
Humanitarian groups responding to the war remain focused on the physical safety of civilians and their employees. But overwhelmed aid organizations have also had to consider how closely linked the physical security of Ukrainians is to the cybersecurity of their data.
Cybersecurity experts are concerned that scammers or spies could use data exposed during Russia’s war to re-victimize people well into the future, by extorting or surveilling them. And many organizations lack the resources to recover from a big breach.
‘Who protects the aid organizations?’
It is unclear how many humanitarian-related organizations responding to the Ukraine war have experienced cyberattacks. There are only anecdotal reports of incidents, documenting them is complicated by the chaos of war, and aid workers are understandably reluctant to discuss specific cases.
One Ukrainian cybersecurity specialist, Vadym Hudyma, said several civil society groups in Ukraine managed to avoid major disruptions by preemptively scaling back their online footprint on the eve of Russia’s invasion.
“Those organizations withstood these cyberattacks pretty well against websites,” said Hudyma, co-founder of Digital Security Lab Ukraine, an organization that helps secure the online accounts of journalists and activists.
But for aid organizations in Ukraine and abroad, there aren’t enough people like Hudyma.
“The most vulnerable are protected by aid organizations, but who protects the aid organizations?” said Adrien Ogée, CyberPeace Institute’s chief operating officer. “A lot of these NGOs [non-government organizations] don’t even monitor their networks … They don’t even know when they get attacked.”
Some NGOs are “worried that Russians may get their hands on on-prem [computer] servers,” Ogée said, referring to data physically stored in Ukraine that could contain information on political activists, refugees or donors.
Ogée and his colleagues are trying to cut into the cybersecurity resource gap through a program that connects NGOs around the world, including those working on Ukraine, with experts to mitigate the impact of potential hacking incidents. The CyberPeace Institute was able to help Wille, the Insecurity Insight director, assess the hacking attempts aimed at her organization, she said.
Help with the basics of cybersecurity— strong passwords, backed-up data and another layer of authentication for logins — can greatly reduce the likelihood that an organizations gets hacked.
The alternative, Ogéee said, is unacceptable. NGOs working in Ukraine and other war zones that fail to secure the data they handle are “potentially creating conditions for further attacks,” he argued.
There is also the risk of an already rampant disinformation environment around aid work in Ukraine being amplified by hacking.
Proofpoint investigators suspect that Belarusian state hackers may be behind the activity. One theory is that the attackers could try to use intelligence collected on refugees in NATO countries “that could be used to marshal anti-refugee sentiment” in Europe, said Ryan Kalember, Proofpoint’s executive vice president of cybersecurity strategy.
Cyber activity and the Geneva Conventions
One reason is that any alleged crimes in cyberspace of course pale in comparison to the impact of mass killings.
But legal scholars and advocates are still paying close attention.
Tilman Rodenhäuser, a legal adviser at the International Committee for the Red Cross, went a step further.
Cyber espionage — which involves lurking on computer systems and collecting intelligence, rather than disrupting systems — against humanitarian organizations responding to a war could also break international law, Rodenhäuser told CNN.
The Red Cross, he said, is mandated to visit prisoners of war and to interview them about how they’re being treated.
“This confidentiality is protected in the Geneva Conventions,” Rodenhäuser added. “So, conducting espionage against such data would be very hard to reconcile” with that legal obligation.
The cyberattack “has not had a substantive impact” on the Red Cross program’s work in Ukraine, Red Cross spokesperson Jason Straziuso told CNN. But it “could have impacted our ability to reconnect separated families … around the Ukraine crisis” had the Red Cross not made “immediate repairs” to its computer systems, he said in an email.
There is no evidence that the hack was connected to the subsequent war in Ukraine. But it typifies the brazenness of computer intrusions targeting aid groups.
“Humanitarian organizations must be respected and protected online as they are offline,” Rodenhäuser said.