A cyber spy group "likely" linked to the Chinese state has targeted human rights campaigners working on issues about the country for up to five years, a new report claims.

The espionage group, dubbed Bronze President, deployed malware against its alleged victims to monitor their activities and steal documents, according to the assessment released on Sunday by Secureworks, a US-based cyber security company.

One of the alleged targets is understood to be a human rights group that has raised concerns about the treatment of hundreds of thousands of Uighur and other Muslim minorities in China. It has also written about pro-democracy activists in Hong Kong.

The non-governmental organisation (NGO) asked not to be named in relation to the report.

Secureworks said it was aware of a "handful" of NGOs that it believes had been targeted but that the number could be higher. The security company has been helping some of the alleged targets deal with the cyber attack and understand more about it.

"The motivation for going public with this particular report is that the nature of the victims has a real human element to it," said Mike McLellan, a threat intelligence expert at Secureworks.

"A lot of these organisations are working in very dangerous environments, they are talking to individuals on the ground, they are having to take the personal information about those individuals and protect it," he said.

"We really wanted to make sure other organisations in the NGO-sphere are aware of the [cyber espionage] campaign and are able to check and see whether they may have been affected as well. The impact of this going unnoticed could be very significant for those organisations and the people they work with."

As well as NGOs, the cyber spies also allegedly targeted law enforcement agencies and political entities operating in countries surrounding China, including India and Mongolia, according to the report.

Secureworks said its researchers had been observing the activities of the cyber espionage group since the middle of 2018 but the campaign could have begun as far back as 2014.

"It is highly likely that Bronze President is based in the [People's Republic of China] PRC," the report said.

This conclusion was based on the fact that the NGOs allegedly targeted all "conduct research on issues relevant" to Beijing as well as "strong evidence" linking the spy group's infrastructure to entities within China, the document claimed.

Another factor was "connections between a subset of the group's operational infrastructure and PRC-based internet service providers", it said.

In addition, Secureworks said tools used by the cyber attackers "have historically been leveraged by threat groups operating in the PRC".

The report concluded: "It is likely that Bronze President is sponsored or at least tolerated by the PRC government. The threat group's systemic long-term targeting of NGO and political networks does not align with patriotic or criminal threat groups."

Mr McLellan, a director in the cyber intelligence cell of Secureworks' counter threat unit, said the company was "as confident as we can be that China is responsible for this campaign and these attacks".

He said a possible factor in the decision to target the NGOs could have been the work they were doing on issues related to Hong Kong - which has been consumed by anti-government protests - as well as on China's Uighur Muslim minority.

"I think the Chinese government will try and gather information around those kind of events," Mr McLellan said. "It will want to understand how opponents are thinking, how regional partners might be thinking and one of the ways they will do that is go out and try to gather information through means such as cyber attacks… I think there's every chance those kind of real world events are all tied up with the same campaign that we've seen here."

Secureworks said its researchers found malware they had not seen before when investigating the alleged actions of the cyber spy group.

This suggests it may be able to develop its own capabilities rather than just rely on widely available malware, according to the report. The attackers allegedly used a combination of widely available cyber tools as well as what appear to have been their own kit to gain access to the networks of their alleged victims.
