Amnesty International Canada hit by cyberattack out of China, investigators say

The Canadian branch of Amnesty International was the target of a sophisticated cyber-security breach this fall — an attack forensic investigators believe originated in China with the blessing of the government in Beijing.

The hackers appear to have been looking for a list of Amnesty's contacts

Protesters gather outside the Parliament buildings in Ottawa on February 22, 2021 to protest China's actions against ethnic Muslim Uyghurs. (The Canadian Press)

The Canadian branch of Amnesty International was the target of a sophisticated cyber-security breach this fall — an attack forensic investigators believe originated in China with the blessing of the government in Beijing.

The intrusion was first detected on October 5, the human rights group said Monday.

The attack showed signs of being the work of what's known as an advanced persistent-threat group (APT), according to the cyber security company that conducted the forensic investigation.

Unlike a typical cybercrime attack, the attack on Amnesty involved establishing covert surveillance of the operating system of Amnesty's network, said the report prepared for Amnesty International Canada by the U.K.-based cybersecurity firm Secureworks.

The hackers appeared to be attempting to obtain a list of Amnesty's contacts and monitor its plans.

The revelation comes as relations between Canada and China remain frosty on several fronts.

Secureworks said it's confident in its conclusion that Beijing — or a group affiliated with the Chinese government — was responsible for the breach.

"This assessment is based on the nature of the targeted information as well as the observed tools and behaviours, which are consistent with those associated with Chinese cyberespionage threat groups," said the report.

Ketty Nivyabandi, secretary general of Amnesty International Canada, said the experience should offer a clear warning to other human rights groups and civil society members.

"This case of cyberespionage speaks to the increasingly dangerous context in which activists, journalists and civil society alike must navigate today," she said.

"Our work to investigate and call out these acts has never been more critical and relevant. We will continue to shine a light on human rights violations wherever they occur and to denounce the use of digital surveillance by governments to stifle human rights."

Activists from Amnesty International stage a protest in a show of support for China's Uyghur Muslims outside the National Assembly in Paris on Jan. 26, 2022. (Michel Euler/Associated Press)

Mike McLellan, director of intelligence for Secureworks, said targeting human rights groups falls under China's recent methods of operation.

"China uses its cyber capabilities to gather political and military intelligence and spy, and organizations like Amnesty are interesting to China because of the people they work with, the work that they do," McLellan told CBC News. "We see organizations like this targeted because China is interested in surveillance." 

He said he doesn't believe there's any connection between the tense current nature of the Canada-China relationship and the timing of the cyber attack.

"I think it's much more about Amnesty Canada than Canada-China," McLellan said. 

Four days after the release of the Amnesty report, the Chinese embassy in Ottawa issued a sternly-worded denial accusing the human rights group of misleading the public and "spreading lies and rumours about China."

"As a staunch defender of cybersecurity, we firmly oppose and combat attacks of any kind. China will never encourage, support, or connive in such cyber attacks," said the unsigned statement.

Last summer, another Massachusetts-based cybersecurity firm — Recorded Future — issued a report warning that hacking groups suspected of acting for the Chinese government have been involved in a multi-year espionage campaign against numerous governments, NGOs, think-tanks and news agencies.

The report said that campaign has targeted the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan, Taiwan's ruling Democratic Progressive Party (DPP) and India's National Informatics Centre since 2019.

Canadian-based Citizen Lab, an internet watchdog group, published a major study in 2016 that showed it and other civil society organizations have been penetrated by cyberspies, many of them linked to China.

Targeted by 'state-sponsored' spies

The study drew on four years of research with Tibet Action and nine other cooperating civil society groups. Eight were China or Tibet-focused; two were large international human rights organizations.

As part of that groundbreaking study, more than 800 suspicious emails were examined for malicious software by Citizen Lab, an interdisciplinary laboratory based at the University of Toronto's Munk School of Global Affairs & Public Policy.

Nivyabandi said Amnesty International Canada is aware the work it does can make it a target.

"As an organization advocating for human rights globally, we are very aware that we may be the target of state-sponsored attempts to disrupt or surveil our work," she said.

"These will not intimidate us and the security and privacy of our activists, staff, donors, and stakeholders remain our utmost priority."

She said the relevant authorities, staff, donors and stakeholders have been told of the breach and the organization will continue to work with security experts to guard against future risks.


Murray Brewster

Senior reporter, defence and security

Murray Brewster is senior defence writer for CBC News, based in Ottawa. He has covered the Canadian military and foreign policy from Parliament Hill for over a decade. Among other assignments, he spent a total of 15 months on the ground covering the Afghan war for The Canadian Press. Prior to that, he covered defence issues and politics for CP in Nova Scotia for 11 years and was bureau chief for Standard Broadcast News in Ottawa.


To encourage thoughtful and respectful conversations, first and last names will appear with each submission to CBC/Radio-Canada's online communities (except in children and youth-oriented communities). Pseudonyms will no longer be permitted.

By submitting a comment, you accept that CBC has the right to reproduce and publish that comment in whole or in part, in any manner CBC chooses. Please note that CBC does not endorse the opinions expressed in comments. Comments on this story are moderated according to our Submission Guidelines. Comments are welcome while open. We reserve the right to close comments at any time.

Become a CBC Account Holder

Join the conversation  Create account

Already have an account?