Saudi-linked Cyber Espionage Against Canadian Victim Discovered

Figure 1: The Royal Embassy of Saudi Arabia to Canada (September 2018; Credit: Ron Deibert)

Today, the Citizen Lab is publishing a major new report, “The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” by Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and myself.

Our report details how we discovered Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake SMS message and his phone infected with spyware manufactured by Israeli-based “Cyber Warfare” company, NSO Group. We attribute this infection to a spyware operator linked to Saudi Arabia.

The research for this report builds on our recently published “Hide and Seek” report, led by the Citizen Lab’s Bill Marczak, in which we detailed the results of more than two years of Internet scanning into NSO Group’s command and control infrastructure. That scanning revealed more than 45 countries in which we found infected devices “phoning home” to NSO Group’s infrastructure, operated by more than 30 likely government clients — many of them with highly problematic human rights issues.

Among those live infections was a particularly noteworthy one: a Saudi-linked operator, which we call KINGDOM, monitoring an infected device in Quebec, Canada. The surveillance of a victim in Canada is particularly intriguing as it takes place in the midst of a serious diplomatic dispute between Canada and Saudi Arabia that was triggered by tweets critical of Saudi Arabia’s human rights record sent by Canadian Foreign Affairs Minister, Chrystia Freeland, and by the official Twitter account of Global Affairs Canada.

Based on Saudi Arabia’s poor human rights track record and its prior history of abuse of spyware (including by the very same KINGDOM operator), we hypothesized that the target in Quebec would be a person or group connected to Saudi political activism. We then reached out to contacts in the Saudi diaspora and human rights communities to try to identify the target. Remarkably, we succeeded.

Omar Abdulaziz is a Canadian university student, and a prominent Saudi activist who sought and received asylum in Canada in 2014 after Saudi Arabia revoked his scholarship for his outspoken criticism of the regime.  Omar produces a very popular satirical talk show on YouTube that is followed by millions of viewers. He was also featured prominently in media coverage of the Canada-Saudi dispute, including on CBC’s The Current. During his interview on that show, Omar claimed Saudi authorities had threatened his family to try to discourage him from speaking out.

Earlier this summer, Omar received a fake DHL courier notification via SMS. The message arrived only hours after he placed an order on Amazon. When we met with Omar, we searched back through his SMS messages, with his consent, against a list of known NSO domains we had gathered, and discovered the fake DHL notification SMS. We were able to confirm that he was, indeed, targeted by the KINGDOM operator and that the SMS he received contained a link to the NSO Group’s “Pegasus” spyware infrastructure.
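The check described above, matching the links in a device’s SMS history against a list of known spyware domains, as an added illustration that is not code from the Citizen Lab report. The messages and the indicator domain are constructed for the example (reserved `.invalid` names, not real NSO infrastructure), and the matching deliberately uses parent-domain comparison rather than substring search so that look-alike hostnames do not produce false hits.

```python
"""Scan SMS messages for links whose hostname matches a known-indicator domain.

Constructed example: the message bodies and the indicator list are placeholders
(.invalid is a reserved TLD), not real indicators from the report.
"""
import re
from urllib.parse import urlsplit

# Matches http:// and https:// links up to the next whitespace or angle bracket.
URL_RE = re.compile(r"https?://[^\s<>]+", re.IGNORECASE)


def hostname_matches(host: str, indicator: str) -> bool:
    """True if host equals the indicator or is a subdomain of it.

    Parent-domain matching avoids the substring trap where
    'notdelivery-notice.invalid' would wrongly match 'delivery-notice.invalid'.
    """
    host = host.lower().rstrip(".")
    indicator = indicator.lower().rstrip(".")
    return host == indicator or host.endswith("." + indicator)


def extract_hosts(text: str) -> list:
    """Return the hostnames of all links found in a message body."""
    hosts = []
    for match in URL_RE.finditer(text):
        url = match.group(0).rstrip(".,;:)")  # strip trailing punctuation
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return hosts


def scan_messages(messages: list, indicators: set) -> list:
    """Return one hit per (message, link) whose host matches an indicator.

    Each message is a dict with 'timestamp', 'sender' and 'body' keys.
    """
    hits = []
    for msg in messages:
        for host in extract_hosts(msg["body"]):
            for indicator in indicators:
                if hostname_matches(host, indicator):
                    hits.append({
                        "timestamp": msg["timestamp"],
                        "sender": msg["sender"],
                        "host": host,
                        "indicator": indicator,
                    })
    return hits


# Constructed sample data (placeholder domains; the third message is a
# look-alike that must NOT match).
INDICATORS = {"delivery-notice.invalid"}
SAMPLE_MESSAGES = [
    {"timestamp": "2018-06-23T10:41:00", "sender": "+10000000001",
     "body": "Delivery notice: see http://track.delivery-notice.invalid/p/48231"},
    {"timestamp": "2018-06-23T09:15:00", "sender": "+10000000002",
     "body": "Your parcel is on its way: https://www.dhl.com/track"},
    {"timestamp": "2018-06-24T18:02:00", "sender": "+10000000003",
     "body": "Reminder http://notdelivery-notice.invalid/x (look-alike, benign)"},
]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_MESSAGES, INDICATORS):
        print(hit)
```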

Further verification that Omar was the victim came from matches we were able to make to his pattern of life. Our scanning showed the infected device moving between two Quebec-based networks at very specific intervals — Vidéotron and RISQ (Réseau d’informations scientifiques du Québec). Omar confirmed that those “check-ins” precisely matched his movements between his home wifi network (Vidéotron) and the wifi network to which he connected during a regular evening activity (RISQ).

NSO’s Pegasus spyware is extraordinarily stealthy and invasive. Once a target clicks on a link, the operator has complete surreptitious control over the target’s device. This control includes being able to silently read emails and chat messages, including those that are encrypted, capture ambient sound, and turn on the camera. During the time Omar’s device was infected, several of his family members and friends disappeared in Saudi Arabia. Although we have no way to confirm it, it is certainly possible these disappearances are the direct result of the KINGDOM operator’s surveillance of Omar’s phone.

No doubt, this revelation of Saudi-linked espionage against a Canadian permanent resident will inflame the already tense Canada-Saudi diplomatic dispute. If it does, it will illustrate one major theme of Citizen Lab’s research: that the unregulated commercial spyware market produces costly negative externalities. It is also noteworthy that what we have unearthed may violate several Canadian Criminal Code offences, including willfully intercepting private communications contrary to section 184(1).

It should go without saying that the multiple cases of abuse we have uncovered over several years cast serious doubt on NSO Group’s claims about a “Business Ethics Committee” and other controls they have over their products. While they may treat it frivolously, NSO Group’s accumulating liabilities must be giving its ownership group, US-based investment firm Francisco Partners, serious cause for concern, particularly since the latter has unsuccessfully shopped NSO Group to potential buyers for a reported 1 billion USD. Who wants to buy a company whose services routinely end up being abused, inflaming geopolitical tensions, or implicated in criminal conduct? What potential liabilities do NSO’s reckless sales present for its ownership group?

This case also illustrates yet again another major theme of our research: in the absence of controls to the contrary, powerful surveillance technology sold to governments for anti-terror or criminal investigations will inevitably be used by corrupt and autocratic rulers to target journalists, dissidents, human rights defenders, research scientists, and other members of civil society they deem a “threat.” Like Ahmed Mansoor of the United Arab Emirates and numerous other targets of spyware we have discovered, Omar Abdulaziz is neither a terrorist nor a criminal. His only “crime” is hosting what is the equivalent of The Daily Show for the Gulf region directed at a regime that brooks no dissent.

It is probable the cases we have reported on at Citizen Lab are but a tip of the iceberg. If so, numerous members of civil society are — right now — being unwittingly surveilled and effectively neutralized by their adversaries. Should these espionage attacks against global civil society continue unabated, democracy itself will be at growing risk.  

Read the full report here: https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/

Watching NSO Group

I am pleased to announce a new Citizen Lab report, authored by Bill Marczak, John Scott-Railton, Sarah McKune, Bahr Abdul Razzak, and myself, entitled “Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in 45 Countries.” This report is the latest in a major research area for the Citizen Lab: the proliferation and abuse of commercial spyware.

Commercial spyware is sophisticated surveillance technology sold by companies to governments under the justification of assisting in law enforcement or national security investigations. It typically tricks targets into clicking on links or attachments and then takes advantage of undisclosed and often very valuable software flaws to surreptitiously take control of a target’s device. Once in control, an operator can secretly monitor emails and chats, even those that are protected with encryption, track movements and locations, and record audio and video.

As numerous government agencies have both the resources and a growing appetite for surveillance capabilities, the market for commercial spyware is lucrative and expanding. The company at the centre of our latest report, Israel-based NSO Group, was recently valued at around USD 1 billion.

Naturally, this market is also highly secretive. Spy agencies and the companies that service them do not, as a matter of practice, publicly disclose their contracts or operations. However, even the most sophisticated surveillance operations leave digital traces in the open that careful researchers can discover. One aim of our research is to shed light on what is otherwise opaque principally through structured, peer-reviewed Internet scanning techniques and other technical means we have refined.

The research for our latest report was led once again by Citizen Lab senior fellow Bill Marczak. From August 2016 to August 2018, we scanned the entire Internet on a regular basis for servers associated with NSO Group’s “Pegasus” spyware designed to target iPhones, and found 1,091 IP addresses that matched our fingerprint and 1,014 domain names that pointed to them. Using a novel technique we call Athena as well as a newly designed global DNS Cache Probing method, we were able to identify a total of 45 countries where Pegasus operators (which we group into more than 30 likely government clients) may be conducting surveillance operations. 

Among the likely government clients are a number with a highly-problematic track record not only of human rights abuses, but also prior abuse of commercial spyware. This list includes:

  • Bahrain — a country Amnesty International recently described as descending into “a full-blown human rights crisis”;
  • Kazakhstan — a country with a track record of abusing spyware to target journalists and activists critical of the government;  
  • Mexico — a country that was the focus of six separate Citizen Lab reports that exposed government surveillance of research scientists, health advocates, journalists, and international investigators into mass disappearances, including four reports that were the subject of separate front page exclusives in the New York Times in 2017;
  • Morocco — the subject of a 2012 Citizen Lab report on the use of Italy-based Hacking Team’s spyware to target the Moroccan citizen media and journalism project Mamfakinch;
  • Saudi Arabia — a country whose track record Human Rights Watch describes as including “arbitrary arrests, trials, and convictions of peaceful dissidents.”
  • The United Arab Emirates — the country in which we first encountered NSO Group in 2016 when we determined that the UAE had employed NSO Group technology to target the iPhone of award-winning human rights defender Ahmed Mansoor. Mansoor is presently serving a 10-year jail sentence for social media posts critical of the government.

The companies that sell commercial spyware claim they “follow local laws” and export control requirements. That claim is certainly true, but also precisely part of the problem. Some government clients use technology developed by companies like NSO Group not just to investigate what most reasonable people would describe as genuine “criminals” or “terrorists”; our research has shown they also use it to monitor the private communications of activists, human rights defenders, journalists, and other members of civil society. For corrupt or autocratic rulers whose aims are to limit human rights and public accountability, those are “legitimate” targets. This is the type of “local law” that companies like NSO Group follow.

Meanwhile, export controls are weak, flawed, or in some cases non-existent. As a consequence, there is little incentive for the companies to control the abuse of their technology. They reap the private rewards while passing the responsibility on to others. Clearly, as our report shows, NSO Group is either unable or unwilling to prevent the abuse of its technology and did not take any noticeable measures to restrict the use of its powerful surveillance technology even after widespread public reporting on cases where their surveillance technology was abused.

On 14 September 2018, I sent a letter on behalf of the Citizen Lab to two NSO Group principals, Mr. Omri Lavie and Mr. Shalev Hulio, notifying them of the details of this report, explaining that we had shared an embargoed copy with journalists, and offering to publish in full any response they wished to communicate on the record.

NSO Group principals responded with initial emails, and a full public statement, which we are posting in full alongside our report.  In part, the statement claims:

“NSO has several times requested a meeting with Citizen Lab so we could present our position and provide additional details on our product. As in the past, Citizen Lab has not responded to our request to meet about this report and published a misleading report.”

I have no record of any such prior requests. More importantly, although I am always willing to listen to and learn from people who are involved in cases that are the subject of our research, I do not believe that a private meeting is a proper substitute for responsible communication on a serious matter of public interest.

The NSO statement also says “NSO Group develops products that are licensed only to legitimate government agencies for the sole purpose of investigating and preventing crime and terror. The company works in full compliance with all applicable laws, including export control laws.” The statement goes on to claim that there is a “Business Ethics Committee” operating at NSO Group “which includes outside experts from various disciplines, including law and foreign relations, [which] reviews and approves each transaction and is authorized to reject agreements or cancel existing agreements where there is a case of improper use.”  However, no comment was made or explanation given about the continued, repeated cases of abuse we have identified in spite of the supposed scrutiny of this committee.

What is to be done, then, about the proliferation and abuse of commercial spyware?

Awareness about these issues is still a very important part of the process. To that end, we at Citizen Lab will certainly continue to refine our methods to allow us to better uncover the continued proliferation and abuse of commercial spyware, and we encourage other research groups to use the methods we have developed to do the same.

Litigation of various sorts may also be an option. It is noteworthy that our report discloses that several of the operators using NSO Group technology are engaged in surveillance across international borders. We have no indication whether the country operators undertaking such cross-border surveillance are doing so with the permission or knowledge of the governments in whose jurisdictions they are spying. However, many countries in which such surveillance is occurring — for example, Canada, the United Kingdom, the United States — have laws that prohibit eavesdropping without a warrant. By facilitating and abetting such cross-border surveillance, NSO Group may be exposed to serious legal risks. Indeed, NSO Group is currently the target of two separate lawsuits alleging illegal spying. These legal risks should certainly cause ownership groups and investors to consider their own liabilities as a result of lax controls. NSO Group is currently owned by US-based investment firm, Francisco Partners.

Lastly, there is the prospect of more effective government oversight concerning the export of commercial spyware. Although the Israeli government has claimed it has strong export controls in this area, our research and other reporting shows clearly there are major gaps. It is ultimately up to Israeli policymakers, and Israeli citizens, to determine whether the continued harms caused by the abuse of commercial spyware that we document warrant new and more stringent export controls. We believe they do.


Digital Security for Whom or What?

With data surrounding us and networked into everything we do, the security of our data, both in transit and while at rest, is an obvious public safety issue. Which makes it puzzling why governments — whose principal job, since at least the time of Thomas Hobbes, is to keep us safe — have repeatedly sought to deliberately weaken the protocols that secure our data.

Figure: GCHQ Network Diagram shows how the agency proposed a system to identify encrypted traffic from its internet cable-tapping programs and decrypt what it could in near-real time. Source: The Guardian


As with much else, the root of this seeming paradox can ultimately be traced to differences in threat paradigms: differences between what are considered to be the principal objects of security (meaning, that which is to be protected). Is it the state, or is it the people? Is it the network within a particular sovereign territorial space, or is it the undifferentiated global network as a whole? A new resource jointly published today by Citizen Lab and CIPPIC will hopefully help unpack these issues.

Generally speaking, government agencies navigate the world through a realist political lens (“realist” in the IR theory sense, à la Thomas Hobbes). From this perspective, the world is divided into territorially-based sovereign states who compete against each other for political advantage. One state’s gain is another’s loss. Through most of modern history, one part of this competition for power involved governments using various forms of cryptography to protect their communications and to hide their machinations from each other while simultaneously racing to find ways to crack each other’s secret codes. (An infamous version of this competition was popularized in the film, The Imitation Game, which told the story of Alan Turing and his Bletchley Park colleagues’ attempts to break Nazi Germany’s Enigma-machine cryptographic algorithms using some of the earliest computing machines.)

While these state-vs-state contests over code may have made sense when the world was neatly divided into territorially-segmented communication spaces, they no longer do. Government agencies that deliberately weaken cryptographic protocols to gain some momentary advantage over their opponents do so at the expense of their own citizens’ security. The reason that they do is that governments, companies, and citizens all over the world increasingly rely on the same communication technologies for everything they do.  

National security concerns are not the only motivation for government agencies to weaken data security. Like intelligence agencies, law enforcement has also sought to keep cryptography contained or deliberately compromised, but for them the principal concern is about being able to investigate criminal behavior. It’s obviously much easier to solve a crime or chase down illegal activity if you can secretly listen in or watch what the criminals are doing. But as is the case as far as national security is concerned, a government agency can only gain such an advantage at the expense of the whole of society. Criminals and law-abiding citizens alike use the same communication systems: weaken them for one and you weaken them for all.

And yet continue to try to weaken them they do.

Time and again, government officials have used national security or lawful access justifications to argue for restrictions or special “back doors” on encryption. Time and again, computer scientists, engineers, and rights activists have argued the opposite case. Not always are the efforts to settle these debates undertaken in the open. One of the most serious revelations coming from the 2013 Edward Snowden disclosures showed that the NSA and its Five Eyes colleagues had surreptitiously foisted a deliberately weakened encryption standard (the Dual_EC_DRBG random number generator) on the rest of the world, as part of a secret program codenamed “Bullrun.” Reports from the latest round of standards work at the International Organization for Standardization (ISO) suggest they may still be up to such machinations.

There has been a lot written about these debates from all sides, but not much focusing in particular on the Canadian context. To be sure, it is not for lack of Canadian government agencies trying to influence the space. Canadian law enforcement and intelligence agencies have pushed for weakened encryption, back doors, company cooperation, or some kind of other “compromise” for lawful access as often as other governments do.  Canada’s SIGINT agency, CSE, may have also had a hand in the NSA’s subterfuge around the weakened encryption protocol mentioned above. Meanwhile, for the Canadian public, the issue is only getting more salient. Many Canadians carry with them devices that feature full-disk, biometric-enabled encryption that only they can unlock. Can government agents compel them to do so when they are detained, arrested, or while crossing a border?

To help Canadians navigate these issues, today the Citizen Lab, in collaboration with CIPPIC, is releasing a report, entitled “Shining a Light on the Encryption Debate: A Canadian Field Guide,” authored by the Citizen Lab’s Lex Gill and Christopher Parsons and CIPPIC’s Tamir Israel. The report provides critical insight and analysis for policymakers, legal professionals, academics, journalists, and advocates who are trying to navigate the complex implications of encryption technology. It is designed to be a “field guide.” The report can be read top-to-bottom, but is also organized so that most sections can be reviewed as self-contained references.

Now more than ever, encryption is vital to preserving and extending human rights. Encryption serves as an important guarantor of freedom of expression, opinion, privacy, anonymity, equality, and even physical safety for ordinary citizens, human rights activists, and journalists. With this latest report, we hope that those involved in encryption debates are better able to understand the full spectrum of issues related to the use and potential misuse of these technologies.

Sweeping the Internet for Netsweeper

Figure 1: Results of our Internet-wide scan for Netsweeper installations (John Scott-Railton)

The LGBTQ news website “Gay Today” is blocked in Bahrain; the website for Greenpeace International is blocked in the UAE; a matrimonial dating website is censored in Afghanistan; all of the World Health Organization’s website, including sub-pages with HIV/AIDS information, is blocked in Kuwait; an entire category of websites labeled “Sex Education” is censored in Sudan; in Yemen, an armed faction, the Houthis, orders the country’s main ISP to block regional and news websites.

What’s the common denominator linking these examples of Internet censorship? All of them were undertaken using technology provided by the Canadian company, Netsweeper, Inc.

In a new Citizen Lab report published today, entitled Planet Netsweeper, we map the global proliferation of Netsweeper’s Internet filtering technology to 30 countries. We then focus our analysis on 10 countries with significant human rights, insecurity, or public policy issues in which Netsweeper systems are deployed on large consumer ISPs: Afghanistan, Bahrain, India, Kuwait, Pakistan, Qatar, Somalia, Sudan, UAE, and Yemen. The research was done using a combination of network measurement and in-country testing methods. One method involved scanning every one of the billions of IP addresses on the Internet to search for signatures we have developed for Netsweeper installations (think of it like an x-ray of the Internet).

National-level Internet censorship is a growing norm worldwide. It is also a big business opportunity for companies like Netsweeper. Netsweeper’s Internet filtering service works by dynamically categorizing Internet content, and then providing customers with options to choose categories they wish to block (e.g., “Matrimonial” in Afghanistan and “Sex Education” in Sudan). Customers can also create their own custom lists or add websites to categories of their own choosing.

Netsweeper markets its services to a wide range of clients, from institutions like libraries to large ISPs that control national-level Internet connectivity. Our report highlights problems with the latter, and specifically the problems that arise when Internet filtering services are sold to ISPs in authoritarian regimes, or countries facing insecurity, conflict, human rights abuses, or corruption. In these cases, Netsweeper’s services can easily be abused to help facilitate draconian controls on the public sphere by stifling access to information and freedom of expression.  

While there are a few categories that some might consider non-controversial—e.g., filtering of pornography and spam—there are others that definitely are not. For example, Netsweeper offers a filtering category called “Alternative Lifestyles,” in which it appears mostly legitimate LGBTQ content is targeted for convenient blocking. In our testing, we found this category was selected in the United Arab Emirates and was preventing Internet users from accessing the websites of the Gay & Lesbian Alliance Against Defamation (http://www.glaad.org) and the International Foundation for Gender Education (http://www.ifge.org), among many others. This kind of censorship, facilitated by Netsweeper technology, is part of a larger pattern of systemic discrimination, violence, and other human rights abuses against LGBTQ individuals in many parts of the world.

According to the United Nations Guiding Principles on Business and Human Rights, all companies have responsibilities to evaluate and take measures to mitigate the negative human rights impacts of their services on an ongoing basis. Despite many years of reporting and numerous questions from journalists and academics, Netsweeper still fails to take this obligation seriously.

As is customary for our research, we sent Netsweeper a letter prior to publication notifying them of our key findings, asking a series of questions, and offering to publish in full their response.  On the positive side, this report is the first in which Netsweeper has sent a formal reply. (Their only other prior “communication” with us was a defamation suit filed against me and the University of Toronto in January 2016, and then subsequently withdrawn four months later.)

On the negative side, however, its response lacks detail and makes sweeping, dubious assertions.  Rather than address our questions, Netsweeper (writing through its legal counsel) chose instead to disparage our research. It asserted that “Mr. Diebert’s [sic] analysis and conclusions, as well as representations he has made before Parliament, are alarming for the real absence of any sound technical understanding on how internet providers operate, how information technology companies support online operations, and how online programs function.” The careful methods we used to undertake our research are exceedingly well-detailed in Section 1 of our report, and so we will leave it for knowledgeable readers to draw their own conclusions.

Strangely, Netsweeper also asserts that “The ultimate effect of what Mr. Diebert [sic] and his interests propose would be the full-scale shut down of the internet in multiple jurisdictions worldwide.” In fact, by encouraging more transparency, accountability, and proportionality around Internet censorship, we are aiming to do precisely the opposite.

Our report also suggests Canada could be doing more. It should go without saying that the use of Canadian technology by authoritarian and other regimes to undertake Internet censorship undercuts Canada’s own foreign policy and commitment to human rights. The Trudeau Government has prioritized an international stance that promotes “gender equality,” and yet here we have the services of a Canadian company employed to do the exact opposite on behalf of some of the world’s most illiberal regimes. Worse, both the Government of Canada and some Provincial Government entities have actually facilitated Netsweeper’s exports through grants and other forms of assistance, which we document in the report.

To be more consistent with its own policies and obligations, we suggest the Canadian government could take measures to prevent these types of human rights violations, including tying whatever government support is provided to clear prohibitions against activities that undermine human rights, and effective and ongoing due diligence, public transparency reporting, and other accountability measures. Canada could also strengthen the control of exports for Internet censorship and surveillance services, and focus transparency and accountability efforts on the “dual-use” technology sector through the newly created Canadian Ombudsperson for Responsible Enterprise (CORE).

Access to information is a human right recognized under international law — yet one that many governments defy in practice through extensive Internet censorship. By facilitating these practices, Netsweeper is profiting from the dark curtain being drawn over the Internet for a large number of users around the world.

Introducing QUANTUM-as-a-Service

Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phony login page.  Attackers just wait for you to visit any unencrypted website (http rather than https, that is) and — boom — you’re owned.

Now imagine this capability was commercialized and available for sale to operators all over the world…

Imagine no more.

In a new Citizen Lab report, titled Bad Traffic, we present our discovery of how operators appear to use technology manufactured by a company called Sandvine (formerly Procera) to help deliver exactly this type of nation-state malware in Turkey and Syria. Bizarrely, we also discovered that the same Sandvine technology was configured by operators apparently to commandeer unwitting Internet users in Egypt, but not to spy on them. Instead, there we found user requests appeared to have been manipulated by operators to covertly raise money through online ads and cryptocurrency mining scams.

Known as “packet injection,” and undertaken by Deep Packet Inspection (DPI) devices, the techniques we uncovered at work in Turkey and Egypt are similar to those revealed in the Edward Snowden disclosures, codenamed “QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by the UK’s GCHQ to get inside the computers of Belgium’s largest telco, Belgacom, by redirecting senior Belgacom technicians to fake LinkedIn pages where their computers were silently infected with malware. As the Belgacom operation demonstrates, QUANTUM attacks typically involve two components: a first, where packets are injected into Internet requests; and a second, in which a separate server controlled by the attackers (codenamed FOXACID by the NSA) injects spyware (Figure 1). We found Sandvine PacketLogic devices were being used by operators to perform the first component, with spyware of the operator’s choice (presumably Turkish authorities) involved in the second.

Figure 1: Top Secret NSA Slide QUANTUM INSERT Diagrams

Pulling off a QUANTUM attack is relatively simple if you control the network of a group of users. Computer scientist Nick Weaver demonstrated a QUANTUM attack at our 2015 Citizen Lab Summer Institute. However, being able to execute QUANTUM attacks at the national scale requires control or cooperation of a major telecommunications provider, something only national governments can practically do.
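The first component described above, an injected packet racing the genuine server reply, leaves a trace a network defender can look for: the client sees two segments in the same flow with the same TCP sequence number but different contents, and the forged one typically arrives from a different network distance (a different IP TTL). The following detector is an added illustration, not code from the Citizen Lab report or from any Sandvine product; the segments, addresses, TTL values and the `redirect.invalid` host are constructed for the example.

```python
"""Flag candidate packet-injection (QUANTUM-style) events in observed TCP traffic.

Defensive heuristic: an injected reply must race the real server's reply, so
the client ends up seeing two segments in the same flow with the same sequence
number but different payloads, and the forged one usually carries a TTL that
does not match the real server's network distance. A plain retransmission
(same seq, same payload) is not flagged. All segments below are constructed
sample records, not captured traffic.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    seq: int
    ttl: int
    payload: bytes


def flow_key(seg: Segment):
    # Direction-specific key: all server-to-client replies of one connection.
    return (seg.src, seg.sport, seg.dst, seg.dport)


def detect_injection(segments, ttl_slack: int = 3) -> list:
    """Return one alert dict per (flow, seq) that carries conflicting payloads."""
    first_seen = defaultdict(dict)  # flow -> seq -> first Segment with that seq
    alerts = []
    for seg in segments:
        key = flow_key(seg)
        earlier = first_seen[key].get(seg.seq)
        if earlier is None:
            first_seen[key][seg.seq] = seg
            continue
        if earlier.payload == seg.payload:
            continue  # ordinary retransmission, not suspicious
        reasons = ["duplicate seq with different payload"]
        if abs(earlier.ttl - seg.ttl) > ttl_slack:
            reasons.append("ttl mismatch")
        # A redirect racing a normal response is the classic injection shape.
        if any(s.payload.startswith(b"HTTP/1.1 30") for s in (earlier, seg)):
            reasons.append("http redirect in conflicting segment")
        alerts.append({"flow": key, "seq": seg.seq, "reasons": reasons,
                       "ttls": (earlier.ttl, seg.ttl)})
    return alerts


# Constructed sample: one clean flow with a retransmission, and one flow where a
# forged redirect (TTL 61) arrives just before the genuine reply (TTL 52).
SERVER, CLIENT = "203.0.113.10", "192.0.2.5"
OK_REPLY = b"HTTP/1.1 200 OK\r\nContent-Length: 5\r\n\r\nhello"
FORGED_REPLY = b"HTTP/1.1 302 Found\r\nLocation: http://redirect.invalid/\r\n\r\n"
SAMPLE_SEGMENTS = [
    Segment(SERVER, 80, CLIENT, 51000, 1, 52, OK_REPLY),
    Segment(SERVER, 80, CLIENT, 51000, 1, 52, OK_REPLY),      # retransmission
    Segment(SERVER, 80, CLIENT, 51002, 1001, 61, FORGED_REPLY),  # injected
    Segment(SERVER, 80, CLIENT, 51002, 1001, 52, OK_REPLY),      # genuine
]

if __name__ == "__main__":
    for alert in detect_injection(SAMPLE_SEGMENTS):
        print(alert)
```

The TTL slack is a tunable assumption; on real traffic it should be derived from the TTLs the flow showed during its handshake.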

In another Snowden disclosure, Canada’s spy agency, CSE, noted in a top-secret presentation that “it’s no lie, quantum is cool,” but then added “it’s easy to find.” Well, maybe for them. For researchers like us, it’s not so easy. Our report is the first case where nation-state spyware injection has been empirically documented “in the wild.” Credit goes to the Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning every one of the billions of IPv4 addresses on the Internet to search for the unique fingerprint he developed for Sandvine’s PacketLogic device. We also verified the fingerprint in a laboratory setting using a second-hand PacketLogic device we purchased. Marczak’s sleuthing identified spyware injection targeting Türk Telekom subscribers in at least five provinces in Turkey, and hundreds of users across the border in Syria who were receiving their Internet access through WiFi connection points leased from Türk Telekom. The same methods helped uncover the Egyptian mass-injection-for-profit scheme, which we have dubbed “AdHose”.

Figure 2: AdHose Packet Injection Diagram 

One imagines that the NSA, GCHQ, and their allies spent many years and considerable scientific and financial resources developing QUANTUM capabilities in house. Today, commercial DPI technology combined with spyware in the ways we have documented allows a government to simply order them up.  With QUANTUM-as-a-Service, many more governments will now be playing in the Five Eyes’ league  — governments like Turkey and Egypt, which Human Rights Watch describes respectively as “the world leader in jailing journalists and media workers,” and “continuing near-absolute impunity for abuses by security forces under the pretext of fighting ‘terrorism.’”

The prospect of QUANTUM capabilities being sold “off-the-shelf” to any government or government-controlled telco should give everyone pause, especially because the type of DPI sold by companies like Sandvine, as presently advertised, falls through the regulatory cracks. It is classic “dual-use” technology, marketed as benign-sounding “quality of service” or “quality of experience” functionality: helping Internet Service Providers manage network traffic, speed up the delivery of videos for higher-paying clients, and block forbidden applications. The Wassenaar Arrangement, the 51-member-state dual-use export control regime, targets “IP network communications surveillance” items for export controls, but specifically exempts “quality of service” and “quality of experience” systems. However, as our report shows, Sandvine’s technology (which appears at present to fall under this exemption) can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of browsers to mine cryptocurrency for profit. Its power is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi.

It is worth noting that Sandvine is owned by Francisco Partners, the same investment group that also happens to own Israeli spyware vendor NSO Group, another company whose misused services have been the subject of numerous Citizen Lab reports.  In response to our letters to these companies, Sandvine and Francisco Partners both claimed that they have stringent business ethics and other internal checks to prevent abuse of their services. Not good enough checks, it seems.

Until its acquisition by Francisco Partners last year, and its subsequent combination with Procera, Sandvine was headquartered in Waterloo, Canada. At the time of the proposed sale, I argued that the takeover warranted closer scrutiny by the federal government. In light of Citizen Lab’s report, I wonder whether anything will be done by the relevant authorities in Canada and the United States. Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.

While we wait for governments to act, there’s more that can be done right now to protect users. Properly encrypting websites by default would certainly frustrate these sorts of attacks. However, Google and Firefox stats show around 20-30% of all websites are still not encrypted by default. That needs to change.

Until then, keep an eye on the address bar of the websites you visit. If the address reads “http” without the “s”, and there is no little lock icon in the address bar that says “secure,” you too may be vulnerable to this type of attack.
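The check above (http versus https, and the lock icon) can be turned into a small classifier that decides how exposed a given page load is to the kind of in-path redirection the post describes. This is an added example from the editor, not code from the original post or the Citizen Lab report, and it goes one step beyond the text: it also reads the HTTP Strict-Transport-Security header, which instructs a browser to upgrade later plaintext requests to the same host. Without that header, a site that supports https still leaves the very first http:// request open to redirection. The hostnames and header values are constructed.

```python
"""Classify how exposed a page load is to in-path injection.

Added example, not from the original post. Beyond the visual check in the
text (http vs. https and the lock icon), it also reads the HTTP
Strict-Transport-Security header, which tells a browser to upgrade later
plaintext requests to the same host; without it, an initial http:// request
is still open to redirection even if the site supports https.
"""
from urllib.parse import urlsplit


def parse_hsts(value):
    """Parse a Strict-Transport-Security value.

    Returns None when the policy is unusable (no numeric max-age), which is
    how browsers treat such a header: they ignore it.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        token = raw.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            policy["max_age"] = int(val)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None


def classify_exposure(url, response_headers):
    """Return a dict whose 'level' is 'exposed', 'partial' or 'protected'."""
    scheme = urlsplit(url).scheme.lower()
    headers = {k.lower(): v for k, v in response_headers.items()}

    if scheme != "https":
        return {"level": "exposed",
                "reason": "plaintext HTTP: any device on the path can rewrite "
                          "or redirect this response"}

    hsts = None
    if "strict-transport-security" in headers:
        hsts = parse_hsts(headers["strict-transport-security"])

    # max-age=0 is how a site withdraws its policy, so treat it like no policy
    if hsts is None or hsts["max_age"] == 0:
        return {"level": "partial",
                "reason": "this load is encrypted, but the next typed or "
                          "linked http:// request to the host is not upgraded"}

    return {"level": "protected",
            "reason": f"browser will upgrade http:// requests to this host "
                      f"for {hsts['max_age']} seconds",
            "include_subdomains": hsts["include_subdomains"],
            "preload": hsts["preload"]}


if __name__ == "__main__":
    # Constructed examples; no real hosts were fetched.
    print(classify_exposure("http://news.example/", {}))
    print(classify_exposure("https://news.example/", {"Content-Type": "text/html"}))
    print(classify_exposure("https://news.example/",
                            {"Strict-Transport-Security":
                             "max-age=31536000; includeSubDomains; preload"}))
```

The “partial” level is the one that matters for the attacks in the report: a site that is encrypted but not pinned can still be reached over plaintext the first time a user types its name or follows an http:// link, and that is the request an in-path DPI device gets to rewrite.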

A Year in the Life of a Phishing Operation

It’s often remarked that digital espionage can be undertaken on the cheap. But just how cheap?

In a new Citizen Lab report released this morning, we give one answer. Taking advantage of simple errors committed by the operator of a phishing operation, we were able to get an “inside view” of just what it takes to mount an effective digital spying job.  

For more than 8 months, we quietly observed as the operator set up phishing lures, registered decoy domains disguised as popular email services, made fake login pages, sent targeted emails to individuals and organizations, and maintained the back-end infrastructure for the entire enterprise.

Total estimated cost: $1,068.00  

Running this operation would require only basic system administration and web development skills, and although it was sloppy in execution, the phishing campaign was nonetheless successful. At least two accounts we tracked were compromised, with contact lists stolen from the victims used to send out more phishing emails to other targets. We suspect there were likely other successful compromises beyond these accounts, based on decoy documents we collected that appear to be private files extracted from compromised accounts.

Who was behind it? While we have no evidence linking the individual(s) running it to a specific government agency or other client, there are a number of clues as to its motivation and possible benefactor.  The bulk of activity we observed was focused on Tibetan organizations, and we were able to verify this targeting with the cooperation of individuals and organizations involved in Tibet-related activism who shared with us phishing emails they received from the operator.

But the operator was interested in more than Tibet. Our analysis of decoy documents, phishing pages, and registered domains used in the operation shows several non-Tibetan themes that suggest there were other targets. These themes include the Uyghur ethnic minority group, Epoch Times (a media group founded by members of the persecuted religious organization Falun Gong), themes related to Hong Kong, Burma, the Pakistan Army, the Sri Lankan Ministry of Defence, the Thailand Ministry of Justice, and a controversial Chinese billionaire critical of state corruption.

Add these up and the common denominator uniting them all is that they fall within the strategic interest of the People’s Republic of China. While we have no evidence to show the operator was working on behalf of a specific Chinese government agency, it’s well known that freelancers and security contractors do so on a regular basis. In November 2017, for example, the US Department of Justice indicted three Chinese nationals working at an Internet security firm for digital theft of commercial secrets. (One wonders what it will take to marshal the political will to bring such an indictment against an individual for hacking a human rights organization.) Although the indictment didn’t say so, it’s reported that the Internet security firm (Boyusec) is ultimately working on behalf of the Chinese Ministry of State Security. Such arm’s-length relationships are beneficial to the state, which can reap the fruits of espionage while retaining a certain degree of plausible deniability.

The sloppiness of the operator may also be suggestive. Whoever was behind this campaign may simply have been amateurs who made mistakes. Or they may have been operating on the assumption that their actions were, if not condoned by some higher authority, then at least implicitly tolerated. In other words: operational security may be inversely correlated with fear of consequences, and in China there are, at present, very few consequences for running a hacking operation for hire — whether the targets are a foreign company’s intellectual property assets or an NGO’s strategic communications plans. Why worry about operational security if getting caught doesn’t matter?

The case also illustrates yet another important lesson: digital espionage operations will only be as sophisticated and expensive in their execution as what it takes for them to work. Someone is not going to bother spending more time and money than necessary if something “on the cheap” like this setup will do the job just as well.

But there’s a flip side to this lesson, one that we hope individuals and organizations will pick up on in their digital security planning: simple phishing operations can also be simply blunted. The successful compromises would likely never have happened had the individuals and organizations in question implemented two-factor authentication — a security feature that requires a second ‘factor’ (like a code on a mobile phone) to access an account. Unfortunately, two-factor authentication is still far from being widely adopted by many users, and is not on by default in almost all popular online platforms.

We need to start thinking of two-factor authentication as the equivalent of a “seat belt” for the Internet: not perfect, but it may help mitigate the impact of a digital crash. Major platform providers should mainstream security features like two-factor authentication into their services to help limit the harm done by inexpensive but effective phishing. And just as with seat belts and automobile manufacturers, if the companies can’t do it themselves, perhaps it’s time that regulators step in and require that it be done.

Read the full report here: Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community.

Also, check out a few of our digital security resources to learn more about two-factor authentication and other ways to protect yourself online at Net Alert and Security Planner.

A close look at the proposed “CSE Act”

The Citizen Lab is releasing a new report today, in collaboration with our partners at the Canadian Internet Policy & Public Interest Clinic (CIPPIC), entitled, “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59.”

The 75-page report provides a detailed overview of Canada’s SIGINT agency, the Communications Security Establishment (CSE), an analysis of how the Liberal government’s proposed national security legislation, Bill C-59, would affect its mandate, operations and oversight, and recommendations on legislative and other changes.

The report was researched and written by our SIGINT working group at Citizen Lab that includes (along with myself) Christopher Parsons, Lex Gill, and Bill Robinson, and CIPPIC’s Tamir Israel.  

Agencies like CSE are critical to public safety, foreign policy, and national security.  It is essential that they are well-equipped and trained.  However, their extraordinary and far-reaching capabilities and activities present enormous governance challenges for liberal democratic societies.  Much of CSE’s activities are shrouded in secrecy — the most highly classified of any Canadian government agency.   There are obvious good reasons for that secrecy.  But government secrecy without strong independent oversight is a recipe for the abuse of power.

It is important to recognize that CSE does not act alone.  It is part of a large and very powerful global alliance of SIGINT agencies that share data, infrastructure, and personnel.  Among those partnerships the most important is the “Five Eyes” alliance that includes New Zealand, Australia, the United Kingdom and the United States’ massive National Security Agency. These alliances allow Canada to “punch above its weight,” but they can also further obscure CSE’s activities and distance them from proper domestic oversight.

CSE’s expertise is in the area of data collection and analysis — the “signals” of “signals intelligence.” Whereas at one time this expertise was focused on the interception of a relatively narrow band of diplomatic, military, and government communications, today it’s focused on all of society’s communications, all of the time. This broad sweep may be necessary and justifiable to identify threatening “needles in haystacks” that could wreak havoc. But it also raises tremendous and largely unprecedented civil liberties concerns. At a time when we have turned our digital lives inside out, and carry around in our pockets devices that track our movements, social relationships, and habits, agencies like CSE have been granted extraordinary powers to collect and monitor it all. Making sure such agencies are checked with thorough oversight and public accountability measures is critical to liberal democracy.

The proposed Communications Security Establishment Act (“CSE Act”) is a major component of the comprehensive national security reforms proposed by the Trudeau government in Bill C-59. Among the many far-reaching implications of the CSE Act, Bill C-59 would add an entirely new “mandate” to CSE to engage in “active cyber operations,” which in other words means granting the CSE authorization to engage in state-sponsored hacking. Although CSE has for many years already engaged in such activities, codifying this mission into law as an entirely new mandate will legitimize and undoubtedly amplify them. The implications of doing so definitely require broad public debate.

Having CSE engage in state-sponsored hacking will (among other things) further the already harmful and opaque practice of hoarding software vulnerabilities as weapons of warfare and intelligence, as opposed to disclosing them to vendors in the interest of public safety; encourage the poorly regulated market for commercial spyware, whose harmful consequences the Citizen Lab has extensively documented; and contribute to the normalization abroad of the already dangerously escalating militarization of cyberspace, including the spread of state-sponsored disinformation campaigns. For a heavily networked country so dependent on global communications, Canadians should seriously debate what is most in our national interest: to contribute to an already escalating arms race in cyberspace, or to be a force for mutual restraint and the control of weapons instead?

Our 75-page analysis raises numerous issues of concern around CSE and Bill C-59, and outlines over 50 recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Our post and a link to the full report can be found here: https://citizenlab.ca/2017/12/citizen-lab-and-cippic-release-analysis-of-the-communications-security-establishment-act/.

Ethiopian Cyber Espionage with Israel-based Commercial Spyware

Citizen Lab has published a new report today in which we uncover a major global cyber espionage campaign targeting numerous individuals in the United States, United Kingdom, Canada, Germany, and more than a dozen other countries.  Strong circumstantial evidence points to Ethiopia, with the surveillance technology supplied by an Israel-based company, Cyberbit Solutions.

WIRED has published an opinion piece I wrote that summarizes the report’s findings and puts them in a larger context, which can be found here.  Reuters also published a good overview here.

The full, very detailed report entitled, “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware,” and authored by Citizen Lab’s Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and myself, can be found here.

Among the report’s notable details: public logfiles located by Citizen Lab’s Bill Marczak allowed us to track Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of the spyware to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Bill’s extraordinary detective work here is spectacular. Special shout-out to Geoff Alexander, who did some excellent supporting work reverse engineering malware samples.

A graphic (put together thanks to John Scott-Railton, as usual) that shows the locations of these demonstrations can be found here.

The operators also tried to infect the Citizen Lab’s lead technical researcher on the project, Bill Marczak, as outlined in this Motherboard piece. As Daily Beast reporter Joseph Cox noted, that’s “one of the dumbest things you can possibly do with your nation-state malware.”

A companion piece (led by Citizen Lab’s Sarah McKune) detailing legal and regulatory issues raised by our report can be found here. Great to see support from Human Rights Watch, who wrote a lengthy post and a letter to Cyberbit.

Citizen Lab Submission to UN SR on Online Violence Against Women

In March 1994, the United Nations Commission on Human Rights appointed a “Special Rapporteur on violence against women, including its causes and consequences”.  The current Special Rapporteur is Dr. Dubravka Šimonović.

Recently, Dr. Šimonović issued a call for submissions on the topic of “online violence against women,” and Citizen Lab decided to make such a submission.

Over the years, Citizen Lab research has touched on many subjects that are relevant to the topic of online violence against women and girls, and we are committed to integrating a gender and diversity based analysis into our work.  As our submission notes, “Citizen Lab research has exposed efforts to target women in digital espionage campaigns, revealed the use of surveillance tools against those seeking justice for slain women’s rights advocates, mapped Internet censorship systems that filter out information related to women’s rights and sexuality, and supported partners in the Global South who study online threats faced by women human rights defenders”.

Based on these experiences, we have become concerned about the ways in which the very real vulnerabilities of women and girls in online and offline spaces are exploited to justify new, expansive, and sometimes unaccountable censorship and surveillance powers. We see little evidence that these powers will mitigate the problems affecting women and other at-risk communities. In fact, sometimes they can actually make matters worse, as in the case of the massive security vulnerabilities we discovered in South Korean child monitoring applications, which put parents and their minor children at greater risk than if they had not used the application at all.

In order to assist the UN Special Rapporteur, we make several recommendations which we hope will inform the report she is preparing on the topic, to be presented at the next Human Rights Council in June 2018. These recommendations stress the importance of robust digital security to protect women and girls online; the importance of proper oversight, transparency, and public accountability with respect to the sharing of user data and removal of content undertaken by social media and other companies when requested by governments or otherwise; the need for better regulation of the commercial spyware market, the abuses around which include so-called “stalkerware” used by spouses to track their partners; and finally the importance of education, training, and capacity-building so that all stakeholders are more literate in all of the areas above.

The authors of the submission include researchers from the Citizen Lab (Ron Deibert, Lex Gill, Irene Poetranto, Amitpal Singh), Chelsey Legge from the International Human Rights Program at the University of Toronto, and Tamir Israel from the Canadian Internet Policy and Public Interest Clinic.

The full report can be found here.

Canada’s new national security bill: one step forward, two steps back?

Over the last year, the Canadian government has been engaged in extensive public consultations meant to address widespread concerns around C-51 (the anti-terror law implemented by Prime Minister Harper’s government) as well as a range of other national security practices, policies, and oversight and public accountability issues raised by Canadians.  (I participated in some of these consultations and found them to be informative and useful, for the most part).

The outcome of those consultations is a new proposed national security legislation, Bill C-59.  Bill C-59 is arguably the most comprehensive reform of Canada’s national security laws in decades.   While it contains a lot that is positive — particularly in the area of some new forms of oversight and accountability — there is also quite a bit in Bill C-59 that I and many others have found troubling.

Today, a letter is being released, signed by over 40 individuals and organizations, that publicly raises issues with Bill C-59.  Some of my colleagues and I at Citizen Lab — who together are part of an internal working group on signals intelligence — are among the signatories.

To accompany the joint public letter, we have also written a blog post that fleshes out in more detail some of our concerns.   You can read that letter here: https://citizenlab.ca/2017/09/joint-letter-concerning-bill-c-59/

Generally speaking, it is exceedingly difficult for members of the public to hold national security organizations to account.  National security agencies operate in the shadows, and are governed by what can be, at times, confusing and opaque laws, methods, and practices.  Unless you’re a specialist or an insider, it can be frustratingly difficult to know just what is going on that might warrant a citizen’s concern.  In an age when we are effectively turning our digital lives inside out on the one hand, while entrusting to some of these agencies enormous resources, capabilities, and responsibilities on the other, this gap in understanding is a major problem for liberal democracy.

Our internal working group on signals intelligence — myself, Christopher Parsons, Bill Robinson, and Lex Gill — aims to help rectify that confusion.  We are working on a series of outputs and public engagements, of which this is the first, which we hope helps better inform Canadians on these critical issues.