China-based Hackers Set Sights on NGO Sites and Their Visitors

A malicious operation targeting nonprofit and nongovernmental organizations has posted infected “iframes,” or ad-like content, on the targeted groups’ websites.

The tainted iframes direct site visitors to a URL that is controlled by the attackers. The rogue site then drops malicious software onto the victim’s machine. The malware, called Poison Ivy, allows unauthorized command and control of the infected computer.

Researchers at cyber forensics firm FireEye have observed the campaign on at least three sites: an international nonprofit organization that focuses on environmental advocacy, and two different NGOs that promote democracy and human rights.

“These websites are often visited by organization employees and other organizations in the same industries, allowing threat actors to move laterally within already compromised networks or gain access to new networks,” FireEye reports. While refraining from attributing the assault to a specific bad entity, the company said, “We frequently observe China-based threat actors target non-profits and NGOs, and we suspect that they seek to monitor activity within their borders that may lead to domestic unrest or embarrass the Chinese government.”

The three organizations harmed each have China-based operations.