Attacks and Measures Relating to Cybersecurity

Cyber Attacks Strike Ukraine’s State Bodies in Espionage Operation

The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of cyber attacks targeting state bodies in the country as part of an espionage campaign.

The intrusion set, attributed to a threat actor tracked by the authority as UAC-0063 since 2021, leverages phishing lures to deploy a variety of malicious tools on infected systems. The origins of the hacking crew are presently unknown.

In the attack chain described by the agency, the emails targeted an unspecified ministry and purported to be from the Embassy of Tajikistan in Ukraine. It’s suspected that the messages were sent from a previously compromised mailbox.

The emails come attached with a Microsoft Word document that, upon enabling macros, launches an encoded VBScript called HATVIBE, which is then used to drop additional malware.

This includes a keylogger (LOGPIE), a Python-based backdoor capable of running commands sent from a remote server (CHERRYSPY), and a tool focused on exfiltrating files with specific extensions (STILLARCH or DownEx).

It’s worth noting that DownEx was recently documented by Bitdefender as being used by an unknown actor in highly targeted attacks aimed at government entities in Kazakhstan and Afghanistan.

“Additional study of the infrastructure and related files made it possible to conclude that among the objects of interest of the group are organizations from Mongolia, Kazakhstan, Kyrgyzstan, Israel, [and] India,” CERT-UA said.

The findings show that some threat actors are still employing macro-based malware despite Microsoft disabling the feature by default in Office files downloaded from the web.

That said, Microsoft’s restrictions have led several attack groups to experiment and adapt their attack chains and payload delivery mechanisms to include uncommon file types (CHM, ISO, LNK, VHD, XLL, and WSF) and techniques like HTML smuggling.

Enterprise security firm Proofpoint said it observed multiple initial access brokers (IABs) – actors who infiltrate major targets and then sell that access to other cybercriminals for profit – using PDF and OneNote files starting in December 2022.

“The experimentation with and regular pivoting to new payload delivery techniques by tracked threat actors, especially IABs, is vastly different from attack chains observed prior to 2022 and heralds a new normal of threat activity,” the company said.

“No longer are the most experienced cybercriminal actors relying on one or a few techniques, but rather are frequently developing and iterating new TTPs. The rapid rate of change for many threat actors suggests they have the time, capability, and understanding of the threat landscape to rapidly develop and execute new techniques.”

(c) Ravie Lakshmanan

Dark Pink APT Group Targets Governments and Military in APAC Region

Government and military organizations in the Asia-Pacific region are being targeted by a previously unknown advanced persistent threat (APT) actor, per the latest research.

Singapore-headquartered Group-IB, in a report shared with The Hacker News, said it’s tracking the ongoing campaign under the name Dark Pink and attributed seven successful attacks to the adversarial collective between June and December 2022.

The bulk of the attacks have singled out military bodies, government ministries and agencies, and religious and non-profit organizations in Cambodia, Indonesia, Malaysia, Philippines, Vietnam, and Bosnia and Herzegovina, with one unsuccessful intrusion reported against an unnamed European state development body based in Vietnam.

The threat actor is estimated to have commenced its operations way back in mid-2021, although the attacks ramped up only a year later using a never-before-seen custom toolkit designed to plunder valuable information from compromised networks.

“Dark Pink APT’s primary goals are to conduct corporate espionage, steal documents, capture the sound from the microphones of infected devices, and exfiltrate data from messengers,” Group-IB researcher Andrey Polovinkin said, describing the activity as a “highly complex APT campaign launched by seasoned threat actors.”

Group-IB told The Hacker News that there is not enough data to explicitly attribute the threat actor to a particular country, but noted that it’s likely of Asia-Pacific origin given the geolocation of identified victims.

In addition to its sophisticated malware arsenal, the group has been observed leveraging spear-phishing emails to initiate its attacks as well as Telegram API for command-and-control (C2) communications.

Also notable is the use of a single GitHub account, active since May 2021, for hosting malicious modules, suggesting that Dark Pink has been able to operate without getting detected for over 1.5 years.

The Dark Pink campaign further stands out for employing multiple infection chains, wherein the phishing messages contain a link to a booby-trapped ISO image file to activate the malware deployment process. In one instance, the adversary posed as a candidate applying for a PR internship.

It’s also suspected that the hacking crew may be trawling job boards in order to tailor their messages and increase the likelihood of success of their social engineering attacks.

The ultimate goal is to deploy TelePowerBot and KamiKakaBot, which are capable of executing commands sent via an actor-controlled Telegram bot, in addition to using bespoke tools like Ctealer and Cucky to siphon credentials and cookies from web browsers.

While Ctealer is written in C/C++, Cucky is a .NET program. Another custom malware is ZMsg, a .NET-based application that allows Dark Pink to harvest messages sent via messaging apps such as Telegram, Viber, and Zalo.

An alternate kill chain identified by Group-IB utilizes a decoy document included in the ISO file to retrieve a rogue macro-enabled template from GitHub, which, in turn, harbors TelePowerBot, a PowerShell script malware.

That’s not all. A third method spotted recently in December 2022 sees the launch of KamiKakaBot, a .NET version of TelePowerBot, with the help of an XML file containing an MSBuild project that’s located at the end of a Word document in encrypted view. The Word file is present in an ISO image sent to the victim in a spear-phishing email.

“The threat actors behind this wave of attacks were able to craft their tools in several programming languages, giving them flexibility as they attempted to breach defense infrastructure and gain persistence on victims’ networks,” Polovinkin explained.

A successful compromise is followed by reconnaissance, lateral movement, and data exfiltration activities, with the actor also using Dropbox and email in some cases to transmit files of interest. The malware, besides recording microphone audio via the Windows Steps Recorder tool, is tasked with taking screenshots and infecting attached USB disks to propagate TelePowerBot.

“The use of an almost entirely custom toolkit, advanced evasion techniques, the threat actors’ ability to rework their malware to ensure maximum effectiveness, and the profile of the targeted organizations demonstrate the threat that this particular group poses,” Polovinkin said.

(c) Ravie Lakshmanan

FortiOS Flaw Exploited as Zero-Day in Attacks on Government and Organizations

A zero-day vulnerability in FortiOS SSL-VPN that Fortinet addressed last month was exploited by unknown actors in attacks targeting the government and other large organizations.

“The complexity of the exploit suggests an advanced actor and that it is highly targeted at governmental or government-related targets,” Fortinet researchers said in a post-mortem analysis published this week.

The attacks entailed the exploitation of CVE-2022-42475, a heap-based buffer overflow flaw that could enable an unauthenticated remote attacker to execute arbitrary code via specifically crafted requests.

The infection chain analyzed by the company shows that the end goal was to deploy a generic Linux implant modified for FortiOS that’s equipped to compromise Fortinet’s intrusion prevention system (IPS) software and establish connections with a remote server to download additional malware and execute commands.

Fortinet said it was unable to recover the payloads used in the subsequent stages of the attacks. It did not disclose when the intrusions took place.

In addition, the modus operandi reveals the use of obfuscation to thwart analysis as well as “advanced capabilities” to manipulate FortiOS logging and terminate logging processes to remain undetected.

“It searches for elog files, which are logs of events in FortiOS,” the researchers said. “After decompressing them in memory, it searches for a string the attacker specifies, deletes it, and reconstructs the logs.”

The network security company also noted that the exploit requires a “deep understanding of FortiOS and the underlying hardware” and that the threat actor possesses skills to reverse engineer different parts of FortiOS.

“The discovered Windows sample attributed to the attacker displayed artifacts of having been compiled on a machine in the UTC+8 timezone, which includes Australia, China, Russia, Singapore, and other Eastern Asian countries,” it added.

(c) Ravie Lakshmanan

Live From London: Next-Gen Cybersecurity Takes Stage at Black Hat Europe

Check out our slideshow detailing the emerging cybersecurity trends in cloud, creating a defensible Internet, malware evolution, and more that lit up audiences in London.

We stand on the brink of a new year, and true to form, contributors to Black Hat Europe 2022 took the opportunity to peer out on the horizon to see what might be emerging to keep security practitioners up at night — and what sorts of defensive innovations we might be in for.

At an event in London last week that saw record in-person attendance for the post-pandemic era, a slate of industry veterans and up-and-coming security researchers took to the stage to deliver briefings that covered the future-think waterfront.

Topics ranged from how to break some really cool stuff (like a Volkswagen EV), to manipulating billion-dollar NFTs and performing “social-engineering pen testing” — and much, much in-between.

In case you missed the show, Dark Reading has compiled this slideshow of some of the top talks at this year’s Black Hat Europe conference. And don’t forget, all of the sessions are now available on-demand, too.

https://www.darkreading.com/attacks-breaches/live-from-london-next-gen-cybersecurity-takes-stage-at-black-hat-europe

European Union Cybersecurity Initiatives

Did you know the European Union is working on several initiatives to improve #cybersecurity? The Network and Information Systems Directive, the Cybersecurity Act, the General Data Protection Regulation, and the ePrivacy Regulation are just a few examples of the EU’s efforts to protect its citizens in the digital age. 

The European Union (EU) recognizes the importance of cybersecurity in today’s digital age and has taken a number of steps to strengthen its cybersecurity posture. Here are some of the efforts and names of legislation that the EU is working on in the field of cybersecurity:

  • The Network and Information Systems Directive (NIS Directive): This directive aims to ensure the security of network and information systems in the EU. It requires member states to adopt measures to ensure the security of their networks and systems and to designate national competent authorities to oversee the implementation of the directive.
  • The Cybersecurity Act: This act establishes the EU Cybersecurity Agency (ENISA) as a permanent body with increased responsibilities in the field of cybersecurity. ENISA is responsible for providing technical and scientific support to the EU and its member states in the areas of cybersecurity certification, incident reporting, and threat intelligence sharing.
  • The General Data Protection Regulation (GDPR): This regulation strengthens the rights of individuals with regard to their personal data and establishes a single set of data protection rules for the entire EU. It requires companies to implement appropriate technical and organizational measures to protect personal data and to report data breaches to the relevant authorities.
  • The ePrivacy Regulation: This regulation aims to protect the privacy of individuals when using electronic communications services, such as email and messaging apps. It requires companies to obtain consent from users before collecting and processing their personal data and sets out rules for the use of cookies and other tracking technologies.
  • The Cybersecurity Competence Center: This center, which is part of ENISA, is responsible for supporting the development of cybersecurity research and innovation in the EU. It aims to create a network of research and innovation stakeholders and to promote the exchange of knowledge and best practices in the field of cybersecurity.

Overall, the EU is working on a number of initiatives to strengthen its cybersecurity posture and protect the privacy and security of its citizens in the digital age.

https://www.linkedin.com/pulse/european-union-cybersecurity-initiatives-shenouda-cyber-security/

InfraGard, FBI Program for Critical Infrastructure Cybersecurity, Breached by Hackers

A database with contact information for elite cybersecurity professionals is now being sold on the dark web to the highest bidder.

A hacker has breached an FBI program dedicated to critical infrastructure cybersecurity and is now selling access to its data on the dark web.

Security blogger Brian Krebs reports that InfraGard, an information-sharing program maintained by the bureau, was compromised earlier this month by a cybercriminal who goes by the moniker “USDoD.” After swiping an internal database that contained contact information for “tens of thousands” of InfraGard members, the hacker proceeded to post its contents for sale on the dark web marketplace “Breached,” where anybody can now buy the info for $50,000. The hacker told Krebs that the high price set for the data was a negotiating tactic: “I don’t think someone will pay that price, but I have to [price it] a bit higher to [negotiate] the price that I want,” they said.

InfraGard is an information-sharing network designed to allow high-level professionals both in and out of the government to collaborate on issues of cybersecurity and defense. InfraGard’s membership includes security pros from government agencies and major corporations and, on its website, it describes its mission like this:

InfraGard is a partnership between the Federal Bureau of Investigation (FBI) and members of the private sector for the protection of U.S. Critical Infrastructure. Through seamless collaboration, InfraGard connects owners and operators within critical infrastructure to the FBI, to provide education, information sharing, networking, and workshops on emerging technologies and threats.

In the field of cybersecurity, information-sharing is a popular way for institutions to help protect themselves and each other. Despite InfraGard’s stated mission, however, the FBI apparently missed the emerging threat of a hacker sifting through their network.

“USDoD,” the hacker, claims that they gained entry to InfraGard’s protected environment by using a corporate executive’s stolen personal information. The hacker used the executive’s Social Security Number, birthday, and other info to file a phony application for inclusion in InfraGard’s membership (it’s unclear where the hacker got the exec’s info, but such data can also be purchased on the dark web). Within several weeks, the hacker’s application was accepted, apparently without much vetting by the FBI. Once granted access to the org’s internal environment, USDoD says they used a simple Python script aimed at one of the website’s Application Programming Interfaces (APIs) to call up and steal personal information on the other participating members.

As of Tuesday evening, USDoD’s phony account was apparently still active and hadn’t yet been terminated by the FBI. Krebs reports:

To prove they still had access to InfraGard as of publication time Tuesday evening, USDoD sent a direct note through InfraGard’s messaging system to an InfraGard member whose personal details were initially published as a teaser on the database sales thread. That InfraGard member, who is head of security at a major U.S. technology firm, confirmed receipt of USDoD’s message but asked to remain anonymous for this story.

Whether the data that USDoD stole is actually all that valuable or not is a hanging question. Krebs writes that a lot of the accounts in the database are missing critical pieces of personal information, such as birthdays, social security numbers, and emails.

When reached for comment by Gizmodo, InfraGard provided us with the same brief statement it had shared with Krebs: “This is an ongoing situation, and we are not able to provide any additional information at this time.”

https://gizmodo.com/fbi-infragard-cybersecurity-hack-critical-infrastructur-1849893073

Royal Ransomware Threat Takes Aim at U.S. Healthcare System

The U.S. Department of Health and Human Services (HHS) has cautioned of ongoing Royal ransomware attacks targeting healthcare entities in the country.

“While most of the known ransomware operators have performed Ransomware-as-a-Service, Royal appears to be a private group without any affiliates while maintaining financial motivation as their goal,” the agency’s Health Sector Cybersecurity Coordination Center (HC3) said [PDF].

“The group does claim to steal data for double-extortion attacks, where they will also exfiltrate sensitive data.”

Royal ransomware, per Fortinet FortiGuard Labs, is said to be active since at least the start of 2022. The malware is a 64-bit Windows executable written in C++ and is launched via the command line, indicating that it involves a human operator to trigger the infection after obtaining access to a targeted environment.

Besides deleting volume shadow copies on the system, Royal utilizes the OpenSSL cryptographic library to encrypt files with AES and appends a “.royal” extension to them.

Last month, Microsoft disclosed that a group it’s tracking under the name DEV-0569 has been observed deploying the ransomware family through a variety of methods.

This includes malicious links delivered to victims by means of malicious ads, fake forum pages, blog comments, or through phishing emails that lead to rogue installer files for legitimate apps like Microsoft Teams or Zoom.

The files are known to harbor a malware downloader dubbed BATLOADER, which is then used to deliver a wide variety of payloads such as Gozi, Vidar, and BumbleBee, in addition to abusing genuine remote management tools like Syncro to deploy Cobalt Strike for subsequent ransomware deployment.

The ransomware gang, despite its emergence only this year, is believed to comprise experienced actors from other operations, indicative of the ever-evolving nature of the threat landscape.

“Originally, the ransomware operation used BlackCat’s encryptor, but eventually started using Zeon, which generated a ransomware note that was identified as being similar to Conti’s,” the HHS said. “This note was later changed to Royal in September 2022.”

The agency further noted that Royal ransomware attacks on healthcare have primarily focused on organizations in the U.S., with payment demands ranging from $250,000 to $2 million.

https://thehackernews.com/2022/12/royal-ransomware-threat-takes-aim-at-us.html

Security News This Week: Attackers Keep Targeting the US Electric Grid

Plus: Chinese hackers stealing US Covid relief funds, a cyberattack on the Met Opera website, and more.

We at WIRED have written plenty about the threat that cyberattacks pose to power grids worldwide. But lately, the most significant attacks on electrical systems have demonstrated that hacking is hardly necessary when physical destruction and sabotage are an option: Just as Russia’s invasion force in Ukraine has systematically destroyed electrical infrastructure to cause vast blackouts across the country, a mysterious and continuing series of physical attacks have hit power utilities in the American southeast—and in one case, have caused an extended outage for tens of thousands of people.

We’ll get to that. In the meantime, though, the cyber news we’ve reported on hasn’t exactly let up this week: Apple added end-to-end encryption for its iCloud backups, while also officially nixing its plan to hunt for child sexual abuse materials in iCloud and reopening a long-running rift with the FBI. Payroll and HR services provider Sequoia admitted to a data breach that included users’ Social Security numbers. A study of cybercrime forums revealed a trend of scammers scamming scammers. And we looked at how the Twitter Files will fuel conspiracy theorists, how technology is contributing to UK authorities creating a “hostile environment” for immigrants, and security and privacy concerns around the Lensa AI portrait app.

But there’s more. Each week, we highlight the security news we didn’t cover in-depth ourselves. Click on the headlines below to read the full stories.

Physical Attacks Target US Grid in At Least Four States in Three Months

When shootings at two electrical substations in North Carolina left 40,000 customers without power for days, the incident seemed like an isolated—if bizarre and troubling—case. But this week, the same utility, Duke Energy, reported gunfire at another facility, a hydroelectric power plant in South Carolina. And combined with two more incidents of hands-on sabotage of US power facilities that occurred in Oregon and Washington in October and November, the vulnerability of the US grid to old-fashioned physical harm has begun to seem like a serious threat.

No damage seems to have occurred in the South Carolina case, and in the earlier incidents in Washington, the utilities involved described the cases as “vandalism.” But the intruders in Oregon carried out a more deliberate attack, cutting through a perimeter fence and damaging equipment, according to the Oregon utility, causing a “brief” power outage in one case. And in yet another, separate collection of incidents, Duke Energy saw half a dozen “intrusions” at substations in Florida, according to documents seen by Newsnation. Federal law enforcement is investigating the cases.

The incidents are reminiscent of another strange, isolated attack on the California power grid in 2015, when a sniper fired on an electrical substation and triggered a blackout to parts of Silicon Valley along with $15 million in damage. These newer cases, while still relatively small in scale, show just how disturbingly vulnerable the American power grid remains to relatively simple forms of sabotage.

Chinese Hackers Stole US Covid Relief Funds

The state-sponsored Chinese hacker group APT41 has long carried out a rare mix of cyberespionage and cybercrime. The group, linked in a 2020 US indictment to a company called Chengdu 404 working as a contractor for China’s Ministry of State Security, has been accused of moonlighting as for-profit thieves and even deploying ransomware. Now, NBC News reports that the Secret Service believes APT41 went so far as to steal $20 million from US Covid relief funds—state-sponsored hackers stealing money from the US government itself. About half of the stolen funds were reportedly recovered. But a hacker group on the Chinese government payroll stealing from US federal coffers represents a far more brazen form of red-line crossing than even APT41’s previous exploits.

New York’s Metropolitan Opera Website Hit With Cyberattack

The Met Opera announced earlier this week that it was hit with an ongoing cyberattack that took down its website and online ticketing system. Given that the Met Opera sells $200,000 in tickets a day, the losses from the disruption could do serious harm to one of New York’s major cultural institutions. As of Friday afternoon, the website remained offline, and its administrators had moved ticket sales to a new site. The New York Times, in its reporting on the attack, pointed out that the Met Opera had been critical of Russia’s war in Ukraine—going so far as to part ways with its Russian soprano singer—but there’s still no real explanation of the attack.

Iran-Linked Hackers Target Israeli Diamond Industry Software

Cybersecurity firm ESET this week pinned responsibility for a campaign of data-destroying malware attacks targeting the diamond industry on a hacker group it calls Agrius, which has been previously linked to the Iranian government. The attackers hijacked the software updates of an Israeli-made diamond industry software suite to deploy the wiper malware, which ESET calls Fantasy, in March of this year. As a result, it hit targets not only in Israel but others as far-flung as a mining operation in South Africa and a jeweler in Hong Kong. Although Iranian cyberattacks on Israeli targets are certainly nothing new, ESET’s researchers’ writeup doesn’t speculate on the attack’s motivation.

https://www-wired-com.cdn.ampproject.org/c/s/www.wired.com/story/attacks-us-electrical-grid-security-roundup/amp

Inside NATO’s Cyber Range: How armies prepare against attack and why nations must work together

The CR14 NATO Cyber Range, in Tallinn, Estonia.   –   Copyright  NATO

At the touch of a button, a soldier holding a laptop sends sparks flying on a circuit board, causing a power generator to flash bright red as a beeping sound grows louder. This is the representation of a country’s power infrastructure coming under a cyber attack.

Though the map of circuit boards depicts a fictional island, with streets called “Blockchain Street” and “Macintosh Street,” a real-life cyber attack may not be as visible as this. Still, the effects on infrastructure can be just as devastating, causing homes to lose power or water.

The scenario is just a simulation but it serves as a training ground for soldiers who are at the NATO Cyber Range in Estonia’s capital Tallinn.

At the CR14 NATO Cyber Range, around 145 on-site commanders from as many as 30 countries – most of them NATO countries but some not – are put to the test on how they would prevent a cyber attack.

Inside the three-storey building which houses it, the first floor is where food and refreshments are provided and some of the innovations are showcased. The second floor is used for training and where phones are not allowed. And the third floor is where the real action happens, but is out of bounds for journalists.

https://www-euronews-com.cdn.ampproject.org/c/s/www.euronews.com/next/amp/2022/12/09/inside-natos-cyber-range-how-armies-prepare-for-attack-and-why-nations-must-work-together2

A Cyberattack Sponsored by China Targeted Amnesty International Canada

It has come to light that Amnesty International’s Canadian branch was the victim of a sophisticated cyber-security attack during the fall – and one that forensic investigators believe originated in China with the blessing of the authorities in Beijing.

An announcement from the human rights group, published on Monday, said that the intrusion was detected for the first time on October 5.

Based on the forensic investigation conducted by the cyber security firm, the attack appears to be the work of a group that has been classified as an advanced persistent threat group (APT).

The attack on Amnesty differed from a typical hacker attack in that it involved covertly spying on the operating system of Amnesty’s network while maintaining a false sense of security, according to a report prepared by U.K.-based cybersecurity firm Secureworks on behalf of Amnesty International Canada.

The hackers do not seem to have intended to steal data from Amnesty International but rather to gather its contacts and monitor its activities.

According to the report, the revelation comes at a time when relations between Canada and China remain cold on many fronts.

A spokesperson for Secureworks told CNN that the company is confident that Beijing – or a group affiliated with the Chinese government – was behind the breach.

“The assessment in this report is based on the nature of the targeted information as well as the observable tools and behaviors, many of which are consistent with those associated with Chinese cyberespionage groups,” the document stated.

In an interview with BBC, Amnesty International Canada secretary general Ketty Nivyabandi stated that other human rights organizations and members of civil society, and the public must take note of the experience. Further, she stated that there is no question that this case of cyber espionage indicates the increasingly dangerous environment in which activists, journalists, as well as civil society have to strive to survive today.

Earlier this month, Secureworks director of intelligence Mike McLellan spoke about the targeting of human rights groups. He said that we are committed to raising awareness of human rights violations wherever they take place. He also added that we are committed to denouncing the use of digital surveillance by governments to stifle human rights and will continue to shine a light on human rights violations wherever we locate them and speak out against governments that use digital surveillance against their citizens.

McLellan told CBC News that China uses its cyber capabilities to gather political and military intelligence, as well as to spy on its opponents. Organizations such as Amnesty International are intriguing to China because of the people they work with and the work they do. McLellan added, “As a result of China’s interest in surveillance, we see organizations like this being targeted because of their activities.”

According to McLellan, there is a definite connection between the current tensions between Canada and China and the timing of the cyberattack. McLellan thinks that the issue is primarily about Amnesty Canada and less about China and Canada.

A report by another cybersecurity firm based in Massachusetts, Recorded Future, issued last summer, cited that hacking groups suspected to be working on behalf of the Chinese government have been conducting espionage against numerous governments, NGOs, think tanks, and news agencies for more than a decade.

A report stated that since 2019, the campaign had targeted organizations such as the International Federation for Human Rights (FIDH), Amnesty International, the Mercator Institute for China Studies (MERICS), Radio Free Asia (RFA), the American Institute in Taiwan, the Democratic Progressive Party (DPP) that governs Taiwan, and the National Informatics Centre of India.

Citizen Lab, a Canadian group that investigates internet matters, published a paper in 2016 revealing that Amnesty International, along with other civil society organizations, had been penetrated by cyberspies, including some linked to China.

The target of spies sponsored by states

Tibet Action, with nine other civil society associations that worked together on the study, had conducted four years of research. A total of eight of the organizations were focused on China or Tibet; two were large international human rights groups.

As part of the ground-breaking study, Citizen Lab examined over 800 suspicious emails for malware. Located at the Munk School of Global Affairs and Public Policy at the University of Toronto, Citizen Lab is an interdisciplinary laboratory that focuses on global issues.

The Canadian chapter of Amnesty International is aware that its work may put Amnesty International in the crosshairs, as Nivyabandi mentioned. “Several of our members are aware that our organization is vulnerable to state-sponsored attacks aiming to disrupt our work or to keep an eye on what we do as an organization advocating for human rights around the world,” she said.

“Despite these threats, we will not be intimidated by them, and we will always put the security and privacy of our activists, staff, donors, and stakeholders as a top priority.”

The official statement said that the relevant authorities, staff, donors, and stakeholders had been informed of the breach, and that the organization will continue working with security experts to safeguard itself against future threats.

https://www.cysecurity.news/2022/12/a-cyberattack-sponsored-by-china.html?lctg=146277097