Saudi-linked Cyber Espionage Against Canadian Victim Discovered

Figure 1: The Royal Embassy of Saudi Arabia to Canada (September 2018; Credit: Ron Deibert)

Today, the Citizen Lab is publishing a major new report, “The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” by Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and myself.

Our report details how we discovered that Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake SMS message and his phone infected with spyware manufactured by Israel-based “Cyber Warfare” company, NSO Group. We attribute this infection to a spyware operator linked to Saudi Arabia.

The research for this report builds on our recently published “Hide and Seek” report, led by the Citizen Lab’s Bill Marczak, in which we detailed the results of more than two years of Internet scanning into NSO Group’s command and control infrastructure. That scanning revealed more than 45 countries in which we found infected devices “phoning home” to NSO Group’s infrastructure, operated by more than 30 likely government clients — many of them with highly problematic human rights issues.

Among those live infections was a particularly noteworthy one: a Saudi-linked operator, which we call KINGDOM, monitoring an infected device in Quebec, Canada. The surveillance of a victim in Canada is particularly intriguing as it takes place in the midst of a serious diplomatic dispute between Canada and Saudi Arabia that was triggered by tweets critical of Saudi Arabia’s human rights record sent by Canadian Foreign Affairs Minister, Chrystia Freeland, and by the official Twitter account of Global Affairs Canada.

Based on Saudi Arabia’s poor human rights track record and its prior history of abuse of spyware (including by the very same KINGDOM operator), we hypothesized that the target in Quebec would be a person or group connected to Saudi political activism. We then reached out to contacts in the Saudi diaspora and human rights communities to try to identify the target. Remarkably, we succeeded.

Omar Abdulaziz is a Canadian university student, and a prominent Saudi activist who sought and received asylum in Canada in 2014 after Saudi Arabia revoked his scholarship for his outspoken criticism of the regime. Omar produces a very popular satirical talk show on YouTube that is followed by millions of viewers. He was also featured prominently in media coverage of the Canada-Saudi dispute, including on CBC’s The Current. During his interview on that show, Omar claimed Saudi authorities had threatened his family to try to discourage him from speaking out.

Earlier this summer, Omar received a fake DHL courier notification via SMS. The message arrived only hours after he placed an order on Amazon. When we met with Omar, we searched back through his SMS messages with his consent against a list of known NSO domains we had gathered, and discovered the fake DHL notification SMS. We were able to confirm that he was, indeed, targeted by the KINGDOM operator and that the SMS he received contained a link to the NSO Group’s “Pegasus” spyware infrastructure.
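The check described above, searching a message history for links whose host appears on an indicator list, can be sketched as follows. This is an added example, not Citizen Lab's tooling: the domains and SMS records are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators; not real NSO Group infrastructure.
KNOWN_DOMAINS = {"parcel-notify.example", "tracking-update.example"}

# Constructed SMS export: (sender, timestamp, body).
SAMPLE_SMS = [
    ("DHL", "2018-01-05T14:02",
     "Your package is on its way. Track: https://Parcel-Notify.example/t/8f3k2"),
    ("Shop", "2018-01-05T09:40", "Order shipped: https://www.shop.example/orders"),
    ("+15550100", "2018-01-06T18:11",
     "Confirm delivery at cdn.tracking-update.example:8443/c?id=1"),
    ("Promo", "2018-01-07T08:00",
     "http://notparcel-notify.example http://parcel-notify.example.shop.test/x"),
]

# Links with or without a scheme, optional port, optional path or query.
_LINK = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?::\d+)?(?:[/?#]\S*)?", re.I)

def hosts_in(text):
    """Return the normalized (lowercase, no port) hostnames linked in text."""
    hosts = set()
    for m in _LINK.finditer(text):
        link = m.group(0)
        if "://" not in link:
            link = "http://" + link  # let urlsplit parse scheme-less links
        try:
            host = urlsplit(link).hostname
        except ValueError:
            continue
        if host:
            hosts.add(host.rstrip(".").lower())
    return hosts

def matched_indicator(host, indicators=KNOWN_DOMAINS):
    """Match the domain itself or any subdomain, only on a label boundary."""
    for domain in indicators:
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(messages, indicators=KNOWN_DOMAINS):
    hits = []
    for sender, ts, body in messages:
        for host in sorted(hosts_in(body)):
            domain = matched_indicator(host, indicators)
            if domain:
                hits.append({"time": ts, "sender": sender, "host": host, "indicator": domain})
    return hits
```

The label-boundary comparison is what keeps look-alike hosts, such as an indicator embedded as a prefix of another domain, from producing false matches.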

Further verification that Omar was the victim came from matches we were able to make to his pattern of life. Our scanning showed the infected device moving between two Quebec-based networks at very specific intervals — Vidéotron and RISQ (Réseau d’informations scientifiques du Québec). Omar confirmed that those “check ins” precisely matched his movements between his home wifi network (Vidéotron), and the wifi network to which he connected during a regular evening activity (RISQ).

NSO’s Pegasus spyware is extraordinarily stealthy and invasive. Once a target clicks on a link, the operator has complete surreptitious control over the target’s device. This control includes being able to silently read emails and chat messages, including those that are encrypted, capture ambient sound, and turn on the camera. During the time Omar’s device was infected, several of his family members and friends disappeared in Saudi Arabia. Although we have no way to confirm it, it is certainly possible these disappearances are the direct result of the KINGDOM operator’s surveillance of Omar’s phone.

No doubt, this revelation of Saudi-linked espionage against a Canadian permanent resident will inflame the already tense Canada-Saudi diplomatic dispute. If it does, it will illustrate one major theme of Citizen Lab’s research: that the unregulated commercial spyware market produces costly negative externalities. It is also noteworthy that what we have unearthed may violate several Canadian Criminal Code offences, including willfully intercepting private communications contrary to section 184(1).

It should go without saying that the multiple cases of abuse we have uncovered over several years cast serious doubt on NSO Group’s claims about a “Business Ethics Committee” and other controls they have over their products. While they may treat it frivolously, NSO Group’s accumulating liabilities must be giving its ownership group, US-based investment firm Francisco Partners, serious cause for concern, particularly since the latter has unsuccessfully shopped NSO Group to potential buyers for a reported 1 billion USD. Who wants to buy a company whose services routinely end up being abused, inflaming geopolitical tensions, or implicated in criminal conduct? What potential liabilities do NSO’s reckless sales present for its ownership group?

This case also illustrates yet again another major theme of our research: in the absence of controls to the contrary, powerful surveillance technology sold to governments for anti-terror or criminal investigations will inevitably be used by corrupt and autocratic rulers to target journalists, dissidents, human rights defenders, research scientists, and other members of civil society they deem a “threat.” Like Ahmed Mansoor of the United Arab Emirates and numerous other targets of spyware we have discovered, Omar Abdulaziz is neither a terrorist nor a criminal. His only “crime” is hosting what is the equivalent of The Daily Show for the Gulf region directed at a regime that brooks no dissent.

It is probable the cases we have reported on at Citizen Lab are but the tip of the iceberg. If so, numerous members of civil society are — right now — being unwittingly surveilled and effectively neutralized by their adversaries. Should these espionage attacks against global civil society continue unabated, democracy itself will be at growing risk.

Read the full report here: