# Threat Vectors — Greenpeace USA

Classification: CONFIDENTIAL — Internal Use Only
Document: security/threat-vectors.md · v1.0 · 2026-03-16 · GPUS-IT
## Overview

Greenpeace USA is a high-profile environmental advocacy organization, which makes it a target for a distinctive range of threat actors motivated by ideology, politics, and commercial interest, and whose usual objective is the theft of internal data (campaign plans, sources, donor and contact lists). This document defines the primary threat vectors relevant to the GPUS-WDC infrastructure and maps them to controls.
## Threat actor profiles

### 1. Nation-State Actors

Risk level: Critical
Examples: APT28 (Fancy Bear), APT29 (Cozy Bear; the SolarWinds intrusion cluster Mandiant tracked as UNC2452 was later merged into APT29), Lazarus Group

State-sponsored groups targeting NGOs engaged in political advocacy, particularly those opposing fossil fuel interests aligned with state economies. Primary objectives are intelligence gathering, campaign disruption, and exfiltration of donor and contact data.
Known TTPs:
| Technique | MITRE ID | Description |
|---|---|---|
| Spearphishing | T1566 | Targeted emails to staff impersonating donors, journalists |
| Watering hole | T1189 | Compromise of activist websites frequented by staff |
| Supply chain | T1195 | Compromise of shared NGO tooling or IT vendors |
| Valid accounts | T1078 | Credential theft and reuse from prior breaches |
| Boot or logon autostart execution | T1547 | Long-term persistence via boot or logon autostart entries |

Controls: CIS 9.1 (email security), CIS 14.1 (security awareness), Fail2ban, auditd, AIDE. These are host-level and awareness controls; none of them directly mitigates T1078 (valid accounts), for which the relevant control is the MFA rollout listed as planned under section 2.
### 2. Corporate-Aligned APTs

Risk level: Critical
Sectors: Fossil fuel, agribusiness, commercial logging, mining
Private intelligence firms and APT groups hired by industries targeted by Greenpeace campaigns. Objective is to obtain advance knowledge of campaigns, identify confidential sources, and map internal communications and donor relationships.
Known TTPs:
| Technique | MITRE ID | Description |
|---|---|---|
| Gather org info | T1591 | OSINT on staff, org structure, campaigns |
| Spearphish for info | T1598 | Credential harvesting via fake login pages |
| Physical infiltration | n/a | In-person social engineering at events and protests to identify staff and sources (no Enterprise ATT&CK technique; T1204 User Execution does not cover this) |
| Email collection | T1114 | Monitoring of compromised staff inboxes |
Controls: CIS 6.2 (access control), CIS 16.1 (application security), MFA (planned). Until MFA is deployed, credential harvesting via fake login pages (T1598) is not mitigated by any listed control and remains residual risk.
### 3. Hacktivists

Risk level: High
Groups: Counter-activist groups, anti-environmentalist collectives
Ideologically motivated groups opposing environmental advocacy. Attacks spike during high-visibility campaigns. Primary goals are defacement, DDoS, credential leaks, and doxing of staff and activists.
Known TTPs:
| Technique | MITRE ID | Description |
|---|---|---|
| DDoS | T1498 / T1499 | Network-layer (T1498) and application-layer (T1499) flooding |
| Brute force | T1110 | Credential stuffing (T1110.004) against public services |
| Defacement | T1491 | Website content modification |
| Public data dump | T1567 | Exfiltration and public release of internal documents or contact lists |

Controls: Fail2ban, firewalld, Cloud Run (no direct server exposure), DNSSEC (zone integrity only; it does not mitigate DDoS). Fail2ban and firewalld address brute force and unwanted connections from individual sources, not volumetric floods; for the public site, DDoS absorption relies on Cloud Run's Google-managed front end.
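As an added example (not part of this document and not the GPUS-WDC Fail2ban configuration), the Python below reproduces the per-source sliding-window logic a Fail2ban sshd jail applies to T1110, run over constructed log lines; the `maxretry` and `findtime` values are assumptions. It also counts failures per target account, because credential stuffing spread across many source addresses stays under any per-IP threshold.

```python
"""Sliding-window brute-force detection over sshd auth log lines.

Added example, not part of the original document. The threshold and window
mirror Fail2ban's maxretry/findtime semantics but are assumed values, not
GPUS-WDC's jail settings.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines (not real GPUS traffic). 203.0.113.7 spreads
# seven failures over four minutes; 198.51.100.9 fails twice, then succeeds
# with a key.
SAMPLE_LOG = """\
2026-03-16T10:00:01 host sshd[1201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
2026-03-16T10:00:40 host sshd[1202]: Failed password for invalid user test from 203.0.113.7 port 51240 ssh2
2026-03-16T10:01:15 host sshd[1203]: Failed password for root from 203.0.113.7 port 51251 ssh2
2026-03-16T10:01:30 host sshd[1204]: Failed password for dnsadmin from 198.51.100.9 port 40001 ssh2
2026-03-16T10:02:02 host sshd[1205]: Failed password for invalid user oracle from 203.0.113.7 port 51260 ssh2
2026-03-16T10:02:10 host sshd[1206]: Failed password for dnsadmin from 198.51.100.9 port 40002 ssh2
2026-03-16T10:02:50 host sshd[1207]: Accepted publickey for dnsadmin from 198.51.100.9 port 40003 ssh2
2026-03-16T10:03:05 host sshd[1208]: Failed password for invalid user ubuntu from 203.0.113.7 port 51270 ssh2
2026-03-16T10:03:40 host sshd[1209]: Failed password for root from 203.0.113.7 port 51280 ssh2
"""

FAIL_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Return {ip: timestamp_of_ban} for sources that reach maxretry failures
    within a sliding window of findtime. Only failures count; an accepted
    login does not reset the window (Fail2ban behaves the same way)."""
    windows = defaultdict(deque)
    bans = {}
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        ts = datetime.fromisoformat(m["ts"])
        q = windows[ip]
        q.append(ts)
        # Drop failures older than the window before testing the threshold.
        while q and ts - q[0] > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in bans:
            bans[ip] = ts
    return bans


def failures_by_user(log_text):
    """Failed logins per target account across all sources. Credential
    stuffing spread over many IPs evades per-IP thresholds but still
    concentrates on a few accounts, which this view exposes."""
    counts = defaultdict(int)
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if m:
            counts[m["user"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for ip, when in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ban {ip} at {when.isoformat()}")
    print(failures_by_user(SAMPLE_LOG))
```

With the default ten-minute window the single noisy source is banned on its fifth failure; with a one-minute window the same source never accumulates five failures and would not be banned, which is why `findtime` should be set from observed attacker pacing rather than left at a short default.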
### 4. Insider Threat

Risk level: High
Vectors: Malicious insiders, negligent data handling, compromised credentials

Greenpeace's open collaborative culture and frequent use of volunteers and contractors create elevated insider risk. Three sub-categories:
- Malicious insider: Staff or contractor intentionally exfiltrating data or sabotaging systems
- Negligent insider: Accidental data exposure via misconfiguration, unencrypted transfer, or phishing
- Compromised insider: Legitimate credentials stolen and used by external actors
Controls:
| Control | Implementation |
|---|---|
| Least privilege | Role-specific accounts: dnsadmin, monitadmin |
| AIDE | File integrity monitoring — detects unauthorized changes |
| auditd | Audit rule set locked at boot (auditctl -e 2) so it cannot be altered without a reboot; privileged syscalls and access to sensitive files recorded |
| Access reviews | Quarterly (planned) |
| Offboarding procedure | SSH key revocation on departure |
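The offboarding row above says keys are revoked on departure; the practitioner's caveat is that revocation keyed on the comment field of authorized_keys misses the same key re-added under a different comment (the "compromised insider" case if a departing user's key has also been copied). The Python below, an added example rather than the GPUS-IT offboarding script, matches by SHA256 fingerprint instead. All key material and the authorized_keys contents are constructed for the demonstration.

```python
"""Revoke a departing user's SSH keys from authorized_keys by fingerprint.

Added example, not part of the original document. Keys below are
syntactically valid ssh-ed25519 entries with constructed (not real) key
bytes; fingerprints are computed the way OpenSSH prints them.
"""
import base64
import hashlib
import struct


def make_ed25519_pubkey(seed_byte, comment):
    """Build a constructed ssh-ed25519 authorized_keys line. The wire format is
    string(key type) || string(32-byte point); the point here is a filler."""
    point = bytes([seed_byte]) * 32
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + point
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint(line):
    """SHA256 fingerprint in OpenSSH's 'SHA256:<base64, no padding>' form.
    Options such as from=... may precede the key type; assumes no spaces
    inside quoted options."""
    fields = line.split()
    for i, field in enumerate(fields):
        if field.startswith(("ssh-", "ecdsa-", "sk-")):
            blob = base64.b64decode(fields[i + 1])
            digest = hashlib.sha256(blob).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError("no key type field in authorized_keys entry")


def revoke_keys(authorized_keys_text, revoked_fingerprints):
    """Return (kept_lines, removed_lines). Comments and blank lines are kept;
    every key whose fingerprint is in revoked_fingerprints is removed
    regardless of the comment attached to it."""
    kept, removed = [], []
    for line in authorized_keys_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        if fingerprint(stripped) in revoked_fingerprints:
            removed.append(line)
        else:
            kept.append(line)
    return kept, removed


# Constructed authorized_keys: the departing user's key appears twice, once
# under a misleading comment that a comment-based grep would not catch.
DEPARTING = make_ed25519_pubkey(0x01, "jdoe@laptop")
STAYING = make_ed25519_pubkey(0x02, "dnsadmin@ops")
RENAMED = make_ed25519_pubkey(0x01, "backup-automation")
SAMPLE_AUTHORIZED_KEYS = "\n".join(["# managed by GPUS-IT", DEPARTING, STAYING, RENAMED]) + "\n"


if __name__ == "__main__":
    kept, removed = revoke_keys(SAMPLE_AUTHORIZED_KEYS, {fingerprint(DEPARTING)})
    print(f"removed {len(removed)} entries, kept {len(kept)}")
    for line in kept:
        print(line)
```

In practice the fingerprint set comes from the user's key inventory (for example `ssh-keygen -lf` over their known keys) and the rewrite is applied to every host's authorized_keys, followed by a check that no host still accepts the key.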
### 5. Supply Chain

Risk level: High
Vectors: SaaS vendors, open source dependencies, IT contractors, shared NGO tooling
Greenpeace relies on numerous SaaS platforms and shares technology infrastructure with other NGOs, increasing supply chain exposure. A SolarWinds-style compromise of a shared tool would affect multiple organizations simultaneously.
Known TTPs:
| Technique | MITRE ID | Description |
|---|---|---|
| Supply chain compromise | T1195 | Malicious code in trusted software updates |
| Trusted relationship | T1199 | Abuse of IT vendor access for lateral movement |
| Compromise infrastructure | T1584 | Hijack of legitimate third-party infrastructure (domains, servers) so that attacker traffic appears to come from a trusted source |
Controls: Container image signing (planned), Artifact Registry scanning, vendor access reviews, GCS lifecycle controls
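Image signing is listed as planned; a cheaper check that can run today in the build pipeline is to reject Cloud Run deployments whose image reference is not pinned by digest, since any tag, including a version tag, can be repointed at a replaced image (T1195). The Python below is an added example, not part of this document or of the GPUS-WDC pipeline; the image names and the allowed Artifact Registry host are constructed assumptions.

```python
"""Flag container image references that are not pinned by digest.

Added example, not part of the original document. ALLOWED_REGISTRIES and
the sample references are assumptions for the demonstration.
"""
import re

ALLOWED_REGISTRIES = {"us-docker.pkg.dev"}  # assumed Artifact Registry host
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def parse_image_ref(ref):
    """Split 'registry/path/name:tag@sha256:...' into parts. The tag separator
    is only searched in the last path component, so a registry port such as
    localhost:5000 is not mistaken for a tag."""
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    head, _, last = ref.rpartition("/")
    tag = None
    if ":" in last:
        last, tag = last.split(":", 1)
    name = f"{head}/{last}" if head else last
    registry = head.split("/", 1)[0] if head else None
    return {"name": name, "registry": registry, "tag": tag, "digest": digest}


def check_image_ref(ref, allowed_registries=ALLOWED_REGISTRIES):
    """Return (ok, reason). Only a well-formed digest on an allowed registry
    passes: tags, version tags included, are mutable and can be repointed."""
    p = parse_image_ref(ref)
    if p["registry"] not in allowed_registries:
        return False, f"registry not allowlisted: {p['registry']}"
    if p["digest"] is None:
        if p["tag"] in (None, "latest"):
            return False, "unpinned: floating tag"
        return False, f"unpinned: mutable tag {p['tag']}"
    if not DIGEST_RE.match(p["digest"]):
        return False, "malformed digest"
    return True, "pinned by digest"


def audit_refs(refs):
    """Return {ref: reason} for every reference that fails the check."""
    findings = {}
    for ref in refs:
        ok, reason = check_image_ref(ref)
        if not ok:
            findings[ref] = reason
    return findings


# Constructed references (not real GPUS images).
GOOD = "us-docker.pkg.dev/gpus-prod/web/site@sha256:" + "0" * 64
SAMPLE_REFS = [
    GOOD,
    "us-docker.pkg.dev/gpus-prod/web/site:v1.4.2",
    "us-docker.pkg.dev/gpus-prod/web/site:latest",
    "docker.io/library/nginx@sha256:" + "1" * 64,
]


if __name__ == "__main__":
    for ref, reason in audit_refs(SAMPLE_REFS).items():
        print(f"REJECT {ref}: {reason}")
```

Digest pinning closes the "tag silently repointed" path but not a compromised build that produces a malicious image with a fresh digest; that is what the planned signing (with verification at deploy time) and the existing Artifact Registry scanning are for, so the two controls are complementary.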
## Attack surface

| Surface | Exposure | Primary Threat Actors | Controls | Risk |
|---|---|---|---|---|
| SSH (port 22) | Internal only (VPN) | Insider, nation-state | Fail2ban, key-only auth, auditd | Low |
| DNS (UDP/TCP 53) | Internal clients; recursion limited by ACL | Hacktivist, APT | DNSSEC, ACLs, response rate limiting | Medium |
| DHCP (UDP 67/68) | Internal LAN only | Insider, rogue device | DHCP snooping, failover | Low |
| Prometheus (9090) | VPN only (10.8.0.0/28) | Insider, APT | Firewall ACL, VPN | Low |
| Elasticsearch (9200) | VPN only (10.8.0.0/28) | Insider, APT | Firewall ACL, VPN | Low |
| Cloud Run (HTTPS) | Public internet | All actors | Google WAF; no unauthenticated bypass path | Medium |
| Cloud VPN | GCP ↔ WDC only | Nation-state, APT | IKEv2, AES-256, PSK rotation | Medium |
| Staff laptops | Internet + VPN | All actors | MDM pending, full-disk encryption | High |