When it comes to malicious online actors planning their next cyberattack, no target is considered off-limits. Over the years, we have witnessed hackers launch disruptive cyberattacks against many key industries, such as energy, agriculture, and even healthcare. One of these important societal sectors has increasingly found itself caught in digital crosshairs: the humanitarian sector. Despite their dedication to saving lives and improving our collective society, hackers often view humanitarian organizations as easy targets since these companies tend to be significantly underfunded when it comes to addressing cyber threats.
One humanitarian organization that found itself a victim of a cyberattack is Roots of Peace. Through leveraging a man-in-the-middle (MitM) attack, hackers tricked Roots of Peace’s coworkers and the organization’s trusted bank to transfer a large sum of money to an offshore bank account, placing Roots of Peace and its mission at risk. To gain a deeper understanding of the real-life impact of cyberattacks against the humanitarian sector, we spoke with Roots of Peace Founder Heidi Kühn who found herself weathering the storm of this shameful cyberattack. This is her story.
(Edited for brevity and clarity)
DPN: Tell us about yourself.
HK: I am a mother of four children and a grandmother of six, and I dream of a mine-free world. For a quarter of a century, I have dedicated my life to Roots of Peace to make this dream come true.
What is Roots of Peace?
Roots of Peace began on September 21st, 1997, only three weeks after the late Princess Diana had tragically died. In her final year of life, she had catapulted the issue of landmines to the forefront of the international agenda. I was deeply inspired by her legacy. Her compassion motivated me to action. One day, I saw the beautiful harvest in Napa Valley and Sonoma Valley. It dawned on me that farmers made that happen. They sparked my vision of turning mines to vines, replacing the scourge of landmines with bountiful vineyards worldwide. To this day, I cannot imagine a more hateful thing to do to our planet than plant 60 million landmines in 60 countries.
25 years later, people are waking up to the issue of landmines. When we turn on our television sets, we see the effects of landmines in Ukraine. We witness how this beautiful basket of agriculture, capable of providing bread to the world, is held hostage by insidious landmines. We see how these unexploded ordinances are preventing farmers from planting their fields. So, Roots of Peace is trying to heal the wounds of war by planting the roots of peace. We have managed over $200 million over the last two decades. I could not be prouder of the team and their courage to go the distance.
Walk us through the day of the cyberattack.
Let’s take this back to January 1st, 2020. I really wanted to begin the new decade in a mine field because I felt so strongly and passionately about turning mines to vines in Vietnam. We have worked in Vietnam for the past twelve years, helping farmers cultivate fresh black pepper on former battlefields, then sell that black pepper to distributors in the United States, such as Morton and Bassett Spice Company.
80% of the land in Quang Tri Province remains riddled with unexploded ordinances, landmines, UXOs, and cluster munitions. So, I brought a very high-level delegation to Vietnam. I went with my husband, Roots of Peace President Gary Kühn. We met with the Vietnamese government and visited the US Embassy. Afterwards, Gary and I were invited to China, so we continued our journey to Shanghai. It was overall a successful trip.
We returned from our trip on January 18th. When we came back to our headquarters, we went about our day-to-day activities. We met with our finance team, and they asked my husband about a wire transfer of $500,000. I’ll never forget the look on his face. He said, “I did not make a wire transfer of $500,000. What are you talking about?” Our finance manager told us, “Well, you’ve made several transfers over the last few weeks.”
Describe the moment you discovered you were targeted by a cyberattack.
Our hearts sank. We sat down with our finance team and saw they had transferred our funds to a Bank of China account. We also saw the emails and how believable they were. In fact, the emails not only tricked the finance team, but they also tricked the bank. We’ve been working with the same local bank for over 20 years. Nobody questioned the emails because they truly appeared as if they came from Gary. That afternoon, we tallied up the transactions and discovered they stole $1.34 million. That is devastating to a nonprofit. We felt sick to our stomachs. Later, CyberPeace Institute helped us with our investigation. They informed us that the hacker used the man-in-the-middle method to access Gary’s email and correspond with others.
How did you respond to the incident?
Upon our return and learning of the cyberattack, I drove to the Consulate General of China in San Francisco, who graciously took my meeting unannounced. I’ve never done that before. They knew I would never do such a thing unless it was an emergency. They suggested I contact the Hong Kong police and report the attack to the FBI.
Recently, something very interesting happened. The Hong Kong Police informed us that our case was under review. We hired a law firm recommended by trusted friends in China. They are trying extremely hard to trace down the culprits and see if we can recoup the stolen funds. We are optimistic and hope for a positive outcome.
How did this impact Roots of Peace?
It was a defining moment for us, and it greatly constrained us. The magnitude of this cyberattack could have taken us down permanently. We really had to tighten our belt strap. Before the attack, we planned to hire a communications director, marketing director, and an executive assistant. We had to cut that from our budget. Those funds could have helped us get the people we needed to share our workload. I still find myself up at 1,2, even 3 in the morning, working in the office or taking Zoom calls.
We’ve been able to raise about half of the stolen amount back. We are still seeking $600,000. I am so proud of our team for pushing against the current and making the conscious decision to help farmers. The cyberattack did not stop our mission. Even after Kabul fell in 2021, Roots of Peace stayed open, even when many other nonprofits had to shut their doors, we stayed open. We are continuing our course, turning guns into shovels and mines into vines, despite this crippling cyberattack. We have done what many in Washington told us was impossible.
How did this incident affect others, like your coworkers?
My coworkers were devastated. Our Afghan finance manager could barely get out of bed because he felt responsible. There was just a general sense of humiliation and devastation across the board. The FBI went in and out of our office, talking to our entire staff. We were numb. We were also heartbroken that we could lose the hard-earned trust of donors who believed in us. Fortunately, our donors did continue to believe in us. Because of their trust we were able to plant over 1.1 million fruit trees in Afghanistan this Spring.
Can you explain how the cyberattack disrupted your personal life?
I felt lonely. Shame followed me. People can sense it, and that can impact the confidence they have in you. It certainly affected the confidence I had in myself. Some people put me in a negative space when I said I experienced a cyberattack. Others supported us, like Stéphane Duguin from CyberPeace Institute. He was a lifesaver. I was embarrassed about this situation until he told me it was not my fault. He explained that I was attacked, and I was a victim. That helped me put this nightmare into perspective.
I remember one moment when my husband and I just looked at each other and asked, “How do we get out of this? What do we do? Should we just close Roots of Peace?” Luckily, the supportive people in our lives, like Stéphane, and our donors, told us, “Carry on. Carry on.” And here we are today.
What was the most concerning aspect of this cyberattack?
The most concerning part is that the cyberattack targeted a nonprofit organization. Nonprofits work their fingers to the bone to help people across the globe. They use their resources to improve the lives of others. In the nonprofit world, it’s hard enough to keep the lights on and pay your employees. These are not volunteers—they are hardworking professionals. When you have that amount of money stolen from you, as a nonprofit, you either close your doors or tighten your belt. We were fortunate to tighten our belts and continue to serve. If cyberattacks like this continue, other nonprofits may find themselves shutting down entirely.
How much did you know about cyberattacks and/or cyberwarfare before this attack occurred?
I knew very little, and that shaped how I felt about the experience. I did not want to tell anybody because I thought it would reflect poorly on me. When I learned more about the sophistication of these attacks, I realized it had nothing to do with poor management. This was a professional attack from professional hackers who had done thorough research.
Has the experience made you rethink your organization’s approach towards technology?
Yes. I refuse to take shortcuts on technology. We contracted a technology director shortly after the attack. We also implemented a two-person authorization system for wire transfer over $100,000. I now know it is important to invest in technology and invest in cybersecurity. Organizations need to have professionals check their IT systems and make sure they are bulletproof.
What would you tell people unaware of the threat of cyberattacks and cyberwarfare?
Keep your guard up because cyberattacks have a ripple effect. A targeted cyberattack against a small nonprofit in California can affect farmers in fields worldwide. If Roots of Peace had made a different decision, if the team pulled the covers over their heads, millions of people in Afghanistan would not have tasted the nectar of our fruit trees.
I would tell them to view cyberattacks as weapons capable of significant destruction, like a landmine. Cyberattacks hurt. They hurt people, and they hurt communities. More than ever before, we need to get our hands in the dirt and remove destructive weapons from both physical fields and digital fields. No one deserves to experience what my coworkers and myself went through for the past two and a half years.
What would you like to say to others impacted by cyberattacks?
It takes a lot of courage to share your cyberattack story. I understand your feelings of embarrassment and humiliation. Do not let those feelings hold you back. What you went through is not your fault. Find the strength to use your voice to protect others from suffering. The more we talk about this issue and bring the truth to light, the sooner we find solutions. I believe our stories can motivate people, organizations, and governments to support those caught in the nightmare of a cyberattack. So, tell your story, and tell it with dignity and grace.
Thank you so much for your time.
If you would like to support Roots of Peace’s efforts to redevelop mine-affected regions, donate today by clicking HERE.
Have you been personally affected by a cyberattack? If so, we want to hear from you. Let us know by DMing our Twitter account @DigitalPeaceNow.