Canada’s new national security bill: one step forward, two steps back?

Over the last year, the Canadian government has been engaged in extensive public consultations meant to address widespread concerns around C-51 (the anti-terror law implemented by Prime Minister Harper’s government) as well as a range of other national security practices, policies, and oversight and public accountability issues raised by Canadians.  (I participated in some of these consultations and found them to be informative and useful, for the most part).

The outcome of those consultations is a new proposed national security legislation, Bill C-59.  Bill C-59 is arguably the most comprehensive reform of Canada’s national security laws in decades.   While it contains a lot that is positive — particularly in the area of some new forms of oversight and accountability — there is also quite a bit in Bill C-59 that I and many others have found troubling.

Today, a letter is being released, signed by over 40 individuals and organizations, that publicly raises issues with Bill C-59.  Some of my colleagues and I at Citizen Lab — who together are part of an internal working group on signals intelligence — are among the signatories.

To accompany the joint public letter, we have also written a blog post that fleshes out in more detail some of our concerns.   You can read that letter here: https://citizenlab.ca/2017/09/joint-letter-concerning-bill-c-59/

Generally speaking, it is exceedingly difficult for members of the public to hold national security organizations to account.  National security agencies operate in the shadows, and are governed by what can be, at times, confusing and opaque laws, methods, and practices.  Unless you’re a specialist or an insider, it can be frustratingly difficult to know just what is going on that might warrant a citizen’s concern.  In an age when we are effectively turning our digital lives inside out on the one hand, while entrusting to some of these agencies enormous resources, capabilities, and responsibilities on the other, this gap in understanding is a major problem for liberal democracy.

Our internal working group on signals intelligence — myself, Christopher Parsons, Bill Robinson, and Lex Gill — aims to help rectify that confusion.  We are working on a series of outputs and public engagements, of which this is the first, which we hope helps better inform Canadians on these critical issues.


Korean Child Monitoring Applications: Insecure by Design

Nearly every day it seems, a friend asks about how to cope with a digital security risk.  Among those with the most acute concerns are parents of minor children, many of whom now carry with them mobile devices.  Parents ask how they can protect their children from inappropriate content, whether their child’s use of their mobile device exposes them to bullying, monitoring, or other threats, and what they can do to mitigate those risks.

These are legitimate concerns for which serious solutions are required.  

Unfortunately, as our new report shows, sometimes good intentions can lead to very bad outcomes — especially when bad public policy is combined with poor software design and engineering.

In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that block content deemed  “harmful.”   At the time, Korea’s telecommunications regulatory body, the Korean Communications Commission (KCC), funded and promoted an app called “Smart Sheriff,” produced by the Korean Mobile Internet Business Association (MOIBA).

Followers of the Citizen Lab may remember that, in collaboration with Cure53, we published a detailed security audit of Smart Sheriff in September 2015 that found the app contained more than 26 serious security vulnerabilities.   We disclosed these vulnerabilities to MOIBA, and eventually Smart Sheriff was withdrawn from the market in November 2015.   

Our latest report, done in collaboration again with Cure53 and our colleagues at OpenNet Korea, analyzes two other  child monitoring applications produced by MOIBA, called Cyber Security Zone and Smart Dream.

To say our findings are disturbing is an understatement.

To our astonishment, our analysis of “Cyber Security Zone” found that it was actually a rebranded version of Smart Sheriff, containing many of the same privacy and security vulnerabilities we identified back in September 2015.   In other words, rather than digest our detailed security audit and start from scratch with proper engineering design principles in mind, MOIBA simply changed the name and slapped on a new logo!

Smart Dream, also produced by MOIBA, is an application that allows concerned parents to monitor their children’s messaging and online history.  What we found is that the application’s poor design actually exposes those children to numerous serious security and privacy risks.

Among the problems we identified:

  • We found both applications were susceptible to a “man-in-the-middle” attack, meaning that someone with access to any network through which the application’s communications pass could easily intercept those communications and acquire passwords, login information, and other sensitive details of children or parents using the apps.  To give you a concrete example, this could be someone with malicious intent operating the local cafe’s wifi hotspot next to the child’s school.
  • Both applications were designed with poor encryption, which means they both leak highly sensitive user data, such as phone numbers, device IDs, and dates of birth of children.
  • If an attacker knew the phone number of a user (see above), we found that they could also insert fake content, making it appear that children were visiting websites or sending messages they were not. Imagine the cyber-bullying possibilities of that vulnerability.
  • We found a security vulnerability in Smart Dream that allows an attacker to collect, from the Smart Dream server, every single text message and search query stored there for every minor child using the application.

In short, what we found was — rather than protecting minor children —  both applications actually put minor children, and their parents, at much greater risk than had they not used the applications in the first place.  

That MOIBA knew of the security vulnerabilities of Smart Sheriff going back to our 2015 report, and simply pushed out a rebranded version containing the same flaws, is grossly irresponsible.

The fact that the applications were funded by a Korean regulatory body and promoted by a respected Korean industry group only makes matters worse. Concerned Korean parents looking to protect their children and follow a law that makes installation of this type of application mandatory would naturally expect to receive honest and trustworthy advice from such institutions.  Unfortunately, they were deeply misled.

We have communicated for weeks with MOIBA about our findings, working with them to ensure that the applications’ problems are fixed. However, given MOIBA’s track record we have no expectation that MOIBA will reform itself and begin undertaking application development with best security practices from the ground up.

We are releasing our report as part of our “NetAlert” series, which includes a cartoon developed by illustrator and designer Jason Li that nicely summarizes the findings and risks and makes recommendations to parents, policymakers, and developers in both English and Korean.  

Parents who are concerned about their children’s safety while using mobile devices may decide to install applications such as these.  If they do, it is critical that they use applications that are thoroughly audited to ensure they conform to secure engineering design principles.   In other words, do not use Smart Dream, Cyber Security Zone, or any other application developed by MOIBA.

Read the report here:   https://netalert.me/safer-without.html

Mexican Surveillance Abuse Continues

We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company, NSO Group.   Had the links been clicked on, González’s phone would have been silently commandeered, allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (even those that are encrypted), and track his movements.

This most recent case brings to 22 the total number of individuals we have confirmed were targeted with NSO Group spyware in Mexico.  NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals.  Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and/or doing their jobs as lawyers, journalists, and investigators.   As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group, and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology.  It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse.  NSO Group’s US-based majority owner, Francisco Partners, was recently reportedly looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million.  When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.  On August 15, 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group in Mexico is led by Citizen Lab senior researcher, John Scott-Railton.  Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak.  Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research.  We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed methods research to highlight digital security issues that arise out of human rights concerns, and then engage in high-level policy and legal engagement to try to mitigate the problem.

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless.  Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries within which they are domiciled as companies (e.g., Israel), which can pass stricter export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and who themselves are sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here: https://citizenlab.ca/2017/08/nso-spyware-mexico-corruption/

Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israeli-based NSO Group’s sophisticated Pegasus spyware technology.  

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS messages, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: https://citizenlab.ca/2017/08/lawyers-murdered-women-nso-group/


Letter to Blackstone Group Regarding Possible Acquisition of NSO Group

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and the lack of controls around, spyware manufactured by the Israeli cyber warfare company, NSO Group.

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls of countries in which spyware companies are headquartered, to opaqueness around the market for cyber security, to an absence of due diligence on the part of companies themselves to know their clients.

A growing number of our reports has shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others end up being targeted by powerful software ostensibly limited to governments to fight terrorists and investigate crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to rein in the abuse of commercial spyware.  As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here: https://citizenlab.ca/2017/07/open-letter-to-blackstone-possible-nso-acquisition/

PDF here: https://citizenlab.ca/wp-content/uploads/2017/07/Blackstone_open_letter_NSO_group_citizen_lab.pdf


A World Without Liu Xiaobo

Liu Xiaobo died of cancer last week.  A veteran of the 1989 Tiananmen Square protests, and one of the authors of the Charter 08 manifesto advocating for democratic reform, Liu was China’s first Nobel Peace Prize winner.

In spite of Liu’s advocacy for non-violent change, Chinese authorities sentenced Liu in 2009 to eleven years’ imprisonment for “inciting subversion of state power.”

Last month, Chinese authorities acknowledged Liu had contracted cancer.  Liu made an appeal to leave the country to receive outside medical treatment, an appeal that was backed by numerous governments, international organizations, and NGOs.  Apparently concerned that Liu would speak out against the regime, Chinese authorities denied the request.  On July 13, 2017, Liu Xiaobo succumbed to cancer.

The passing of Liu Xiaobo is a very sensitive event for the Chinese Communist Party.  The 1989 Tiananmen Square protests grew out of the mourning of the death of another person advocating for greater government transparency and reform, Hu Yaobang.

Concerned that martyrdom around Liu may spur similar collective action, as well as being concerned about saving face, the kneejerk reaction of China’s authorities is to quash all public discussion of Liu, which in today’s world translates into censorship on social media.

In our latest report, entitled “Remembering Liu Xiaobo: Analyzing censorship of the death of Liu Xiaobo on WeChat and Weibo,” we document the full extent of China’s heavy hand.

Our experiments show that the scope of censorship of keywords, images, and search terms related to Liu Xiaobo on two of China’s most popular social media platforms, WeChat and Weibo, has greatly increased since his passing.

Prior to his death, Liu’s name, in combination with a selection of other keywords perhaps related to his illness or political rights, might trigger censorship.  Afterwards, we found that simply including his name alone was enough to trigger blocking of messages.

We also found that images related to Liu, such as those commemorating his passing, were blocked on WeChat after his death, including images shared in one-to-one chats — the first time we have observed that phenomenon.

As with our prior WeChat research, we confirmed that the censorship is undertaken without any notification to the users, and only applies to users with accounts registered to mainland China phone numbers.  For example, we show that images of Liu posted to an international user’s WeChat feed were visible to other users abroad, but hidden from users with Chinese accounts.

For Weibo, we analyzed search term blocking and confirmed that the platform maintains a blanket ban on searches for Liu Xiaobo’s name. Indeed, searching just his given name, “Xiaobo”, is enough to trigger censorship in English and in both Simplified and Traditional Chinese.

Freedom of speech is the antithesis of one-party rule.  Dictators throughout history have forced embarrassing truths into the shadows, typically by imprisoning those who speak them, and have scrubbed dissidents from history books, photographs, and other mass media.

The social media censorship we document in our latest report is but the latest manifestation of this authoritarian tendency, and underscores why careful evidence-based research is so essential to the progress of human rights.

Read the full report here: https://citizenlab.ca/2017/07/analyzing-censorship-of-the-death-of-liu-xiaobo-on-wechat-and-weibo/

The New York Times: https://www.nytimes.com/2017/07/17/world/asia/liu-xiaobo-censor.html

Global Voices: https://globalvoices.org/2017/07/17/censorship-after-death-chinese-netizens-quietly-mourn-nobel-laureate-liu-xiaobo/

International Investigation Into Mexican Mass Disappearance Under Surveillance

The Mexican surveillance scandal in which the Citizen Lab is involved now widens substantially.

Our latest report confirms that a phone belonging to an international group of experts from several countries assembled by the Inter-American Commission on Human Rights (known as the GIEI), charged with investigating the 2014 Iguala Mass Disappearance, was targeted with infection attempts using spyware developed by NSO Group, an Israeli “cyber warfare” company.

The infection attempts we documented took place in early March 2016, shortly before the publication of GIEI’s final report on their investigation.

For those who do not know, the 2014 Iguala Mass Disappearance refers to a horrific episode in which 43 students from the Ayotzinapa Rural Teachers’ College were disappeared while travelling to Mexico City to participate in an event commemorating yet another tragic episode in Mexico, the Tlatelolco Massacre. The Mexican government’s inadequate response to the mass disappearance, and suspicions that Mexican government agencies themselves were implicated, led to calls for the creation of the independent international investigation.

While carrying out their investigations, the GIEI experts faced numerous threats and harassment, and eventually a public falling-out with the Mexican attorney general’s office. Just prior to the release of their public report in March 2016, we determined that a phone belonging to the investigators was targeted with SMS messages containing links to NSO Group exploit infrastructure.

While we cannot definitively attribute the targeting we discovered to a particular Mexican government agency or individual, it is highly significant that leaked documents show numerous Mexican government agencies, including the Mexican attorney general’s office itself, purchased NSO Group spyware.

This latest report of ours adds to the growing number of cases clearly showing the abuse of commercial spyware in the context of Mexico.   So far we have positively determined that technology sold by an Israeli-based company ostensibly restricted to governments for anti-terror, criminal, and national security investigations has been used instead to target health scientists and anti-obesity activists, anti-corruption NGOs, journalists (and their family), opposition politicians, and now members of an independent international inquiry into the massacre of 43 students.

These findings will undoubtedly deepen the surveillance crisis in Mexico.  But what’s going on in that country is symptomatic of a much wider global problem. Surveillance companies are making millions selling their products to governments that lack oversight and public accountability, and those governments then turn these powerful and highly invasive tools on civil society to further their corrupt aims.

Addressing this problem will require a comprehensive policy response across multiple domains, from the domestic to the international.  My colleague Sarah McKune and I have outlined recommendations to bring more accountability to the commercial spyware trade in the form of a checklist, which can be found here.  We hope our documentation of cases of abuse such as these will inspire such comprehensive responses.

We are grateful for the cooperation of the GIEI experts, and our Mexican colleagues, R3D, SocialTic, and Article 19, without whom this investigation could not be undertaken.

Read the full report here: https://citizenlab.org/2017/07/mexico-disappearances-nso/

More Than Meets the Eye

Every day we hear warnings not to open attachments, click on links, or enter our credentials into websites that do not look trustworthy.  But what if they do look legit?  How do we tell?

Our latest report shows not only the lengths to which an espionage operation will go to fool users, but it also provides a good example of how difficult it may be for the average user to tell a legitimate website from a malicious copy of it.

Authored by the Citizen Lab’s Jakub Dalek, Geoffrey Alexander, Masashi Crete-Nishihata, and Matt Brooks, our report, entitled “Insider Information: An intrusion campaign targeting Chinese language news sites,” details a campaign of reconnaissance, phishing, and targeted malware at the heart of which are carefully-crafted mimics of several prominent Chinese-language news websites.

Our investigation began when staff members of China Digital Times — a popular China-focused news portal founded by UC-Berkeley professor and prominent human rights activist Xiao Qiang — began receiving unsolicited emails with promises of controversial material.  The emails contained a link to what appears to be the legit China Digital Times website. However, it is not.  The operators behind this campaign had copied the entire website and then hosted it on a slightly altered domain.  Instead of “chinadigitaltimes.net” the operators used the domain “chinadagitaltimes.net.”

Can you spot the difference?  

If you noticed the substitution of “a” for “i” in the word digital, you are correct!

Other than the misspelled domain, the legitimate and fake news websites are identical, with one additional key difference: the operators also coded a few lines of JavaScript into the fake news domain that trigger a popup window asking the visitor to enter their email and password into a fake WordPress login page.  Had the targets done so, they would have then been redirected back to the legitimate China Digital Times website, oblivious to the fact that their credentials to administer the website had been successfully stolen by the operators, allowing them to effectively manage and edit the legitimate website itself.
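Two of the checks described on this page, comparing the domains in suspicious links against known exploit infrastructure (the Mexico NSO Group cases) and spotting a look-alike such as chinadagitaltimes.net standing in for chinadigitaltimes.net, can be scripted for message triage. The following is an added example, not Citizen Lab’s own tooling; the indicator domains and sample messages are constructed placeholders, while the China Digital Times domains are the ones named above.

```python
"""Triage links in SMS or e-mail text against (1) an indicator list of known-bad
domains and (2) a list of protected domains whose look-alikes should be flagged.
Added example; not Citizen Lab code."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"(?:https?://|www\.)[^\s<>'\")]+", re.IGNORECASE)

# Constructed placeholders standing in for real exploit-infrastructure domains.
KNOWN_BAD = {"exploit-infra.example", "sms-lure.example"}
# Legitimate domains whose near-miss spellings should be treated as suspicious.
PROTECTED = {"chinadigitaltimes.net"}


def extract_hosts(text: str) -> list[str]:
    """Return lowercase hostnames of every URL found in a message body."""
    hosts = []
    for m in URL_RE.finditer(text):
        raw = m.group(0)
        if not raw.lower().startswith("http"):
            raw = "http://" + raw  # urlparse needs a scheme to find the host
        host = urlparse(raw).hostname
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts


def registrable(host: str) -> str:
    """Crude registrable domain (last two labels); enough for .net/.com style names."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def matches_indicator(host: str, indicators=KNOWN_BAD) -> bool:
    """True if host equals, or is a subdomain of, any indicator domain."""
    return any(host == ioc or host.endswith("." + ioc) for ioc in indicators)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute), two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host: str, protected=PROTECTED, max_dist: int = 2):
    """Return the protected domain this host imitates, or None.

    An exact match on the registrable domain is legitimate; anything within
    max_dist edits (e.g. the single 'a' for 'i' swap above) is flagged.
    """
    reg = registrable(host)
    if reg in protected:
        return None
    for good in protected:
        if edit_distance(reg, good) <= max_dist:
            return good
    return None


def triage(message: str) -> list[dict]:
    """Classify every link in a message; an empty list means nothing was flagged."""
    findings = []
    for host in extract_hosts(message):
        if matches_indicator(host):
            findings.append({"host": host, "reason": "known-indicator"})
        elif (good := lookalike_of(host)) is not None:
            findings.append({"host": host, "reason": f"look-alike of {good}"})
    return findings


if __name__ == "__main__":
    # Constructed sample messages in the style of the lures described on this page.
    samples = [
        "AMBER Alert: missing child, photo at http://exploit-infra.example/a1",
        "Leaked documents on the case: https://www.chinadagitaltimes.net/wp-login",
        "Our new report is online: https://chinadigitaltimes.net/2017/",
    ]
    for s in samples:
        print(triage(s))
```

The third sample, a link to the genuine domain, produces no finding; the first two are flagged for the two different reasons.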

By analyzing the server used to host the fake website, Citizen Lab researchers were also able to identify several other fake websites that used content from Chinese language news websites that the operators had also mimicked, presumably for phishing.  We also found that some of the servers controlled by the operators were used to stage malware.

It is noteworthy that all of the fake websites our researchers discovered in this campaign are meant to mimic news websites that publish content critical of the Chinese government.  It is possible the operators behind this campaign are “hackers for hire” — typical of the way in which a lot of cyber espionage is outsourced in China.  However, we are unable to positively attribute this campaign to a specific state agency.

I expect we will see more cases such as these in which legitimate news sites are doctored and manipulated to push disinformation or facilitate cyber espionage.  With each of us bombarded with data from social media on a daily basis, discerning “fake” from “real” or “malicious” from “benign” will become ever more challenging and time-consuming. Cases such as these illustrate the importance of educating users, especially those working in high-risk areas such as investigative journalism, about the importance of integrating information security and digital hygiene into their daily routines.

One final note in this regard: hats go off to China Digital Times staff not only for spotting the malicious emails but also for sharing them with Citizen Lab for further analysis, which led to the discovery of the wider campaign.  Cooperation of this sort is essential for research to progress, and for journalists and the entire human rights community to be aware of the type of threats they mutually face.

Mexico Wages Cyber Warfare Against Journalists, and their minor children

For years, Citizen Lab has been sounding alarms about the abuse of commercial spyware. We have produced extensive evidence showing how surveillance technology, allegedly restricted to government agencies for criminal, terrorism, and national security investigations, ends up being deployed against civil society.

Today’s report not only adds to the mountain of such evidence, it details perhaps the most flagrant and disturbing example of the abuse of commercial spyware we have yet encountered.

Working with Mexican civil society partners R3D, SocialTic, and Article 19, our team — led by John Scott-Railton — identified more than 75 SMS messages sent to the phones of 12 individuals, most of whom are journalists, lawyers, and human rights defenders. 10 are Mexican, one was a minor child at the time of targeting, and one is a US citizen.

These SMS messages contained links to the exploit infrastructure of a secretive Israeli cyber warfare company, NSO Group.  Had they been clicked on, the links would activate exploits of what were, at the time, undisclosed software vulnerabilities in the targets’ Android or iPhone devices.  Known in NSO Group’s marketing as “Pegasus”, this exploit infrastructure allows operators to surreptitiously monitor every aspect of a target’s device: turn on the camera, capture ambient sounds, intercept or spoof emails and text messages, circumvent end-to-end encryption, and track movements.

We first encountered NSO Group in August 2016 when UAE human rights defender Ahmed Mansoor shared with Citizen Lab researchers suspicious SMS messages he received containing links to NSO infrastructure. When we published our report on Mansoor, we had some evidence of targeting in Mexico that subsequently led to a follow-up report earlier this year on the use of NSO’s surveillance technology to target Mexican health advocates and food scientists.

The targeting we outline in our latest report, which runs from January 2015 to August 2016, involves a much wider campaign. It includes 12 individuals who share a common trait: investigations into Mexican government corruption, forced disappearances, or other human rights abuses. All of the individuals who cooperated in our research consented to be named in the report. The August 2016 endpoint coincides with the time of our disclosure to Apple about NSO’s exploits, which led to the shutdown of NSO’s infrastructure (or at least that particular phase of it).

Among the noteworthy aspects of this latest case are the persistent and brazen attempts by the operators to trick recipients into clicking on links.  Each of the targets received a barrage of SMS messages that included crude sexual taunts, alleged pictures of inappropriate, threatening, or suspicious behavior, and other ruses.  Many received fake AMBER Alert notices about child abductions as well as fake communications from the US Embassy in Mexico.

What is most disturbing is that the minor child of one of the targets — Emilio Aristegui, son of journalist Carmen Aristegui — received at least 22 SMS messages from the operators while he was attending school in the United States.  Presumably these attempts to infect Emilio’s phone were intended as a backdoor to his mother’s phone. But it is also possible the operators had a more sinister motivation.  The attempts to infect both Carmen and Emilio took place at the same time Carmen Aristegui was investigating a major corruption scandal involving the President of Mexico.

Our report makes it clear that the NSO Group, like competitor companies Hacking Team and FinFisher, is unable or unwilling to control the abuse of its products.  Time and again, companies like these, when presented with evidence of abuse, effectively pass the buck, claiming that they only sell to “government agencies” to use their products for criminal, counterintelligence, or anti-terrorism purposes.  The problem is that many of those government clients are corrupt and lack proper oversight; what constitutes a “crime” for officials and powerful elites can include any activity that challenges their position of power — especially investigative journalism.

Mexico is a case in point.  Ranked by the Economist Intelligence Unit as a “flawed democracy”, Mexico’s government agencies are riven with corruption.  Mexico is one of the most dangerous places to be a journalist not only because of violence related to the drug cartels but also because of threats from government officials.  As Reporters Without Borders notes, “[w]hen journalists cover subjects linked to organized crime or political corruption (especially at the local level), they immediately become targets and are often executed in cold blood.”

In spite of these glaring insecurity and accountability issues, the NSO Group went ahead and sold its products to multiple Mexican government agencies, according to leaked documents reported on in the New York Times.  Other leaked documents show that Mexico was at one time the largest single-country client of another commercial spyware company, Hacking Team.  Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?

What is to be done about these abuses? In a recent publication, Citizen Lab senior researcher Sarah McKune and I outlined a “checklist of measures” that could be taken to hold the commercial spyware market accountable, including application of relevant criminal law. It is noteworthy in this regard that while in the United States, the minor child Emilio Aristegui received SMS messages purporting to be from the US Embassy.  Impersonating the US Government is a violation of the US Criminal Code, and the targeting may very well constitute a violation of the US Wiretap Act.  At the very least, it is a violation of diplomatic norms.  How will the United States Government respond?

NSO Group is an Israeli company, and thus subject to Israeli law.  In the past, Israel has prided itself on strict export controls around commercial surveillance technology.  Yet this latest example shows yet again the ineffectiveness of those controls.  Will Israeli lawmakers tighten regulations around NSO Group in response?

Among the checklist of measures McKune and I identified is the importance of evidence-based research on the commercial spyware market to help track abuses and raise awareness.  It is important to underline that the work undertaken in this report could not have been done without the close collaboration between Citizen Lab researchers and Mexican civil society groups R3D, SocialTIC, and Article 19.  Collaborations like these are essential to exposing the negative externalities of the commercial spyware market, documenting its harms, and shedding light on abuse.

I suspect it will not be the last collaboration of this sort.

Read the full report, “Reckless Exploit: Journalists, Lawyers, Children Targeted in Mexico with NSO Spyware,” authored by John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and me, here: https://citizenlab.org/2017/06/reckless-exploit-mexico-nso


From Russia, with Tainted Love

I am pleased to announce a new Citizen Lab report, entitled “Tainted Leaks: Disinformation and Phishing With a Russian Nexus.” The report is authored by the Citizen Lab’s Adam Hulcoop, John Scott-Railton, Peter Tanchak, Matt Brooks, and myself, and can be found here.

Our report uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. Those targets include a large list of high profile individuals from at least 39 countries (including members of 28 governments), as well as the United Nations and NATO. Although there are many government, military, and industry targets, our report provides further evidence of the often-overlooked targeting of civil society in cyber espionage campaigns.  Civil society — including journalists, academics, opposition figures, and activists — comprises the second largest group (21%) of targets, after government.

Other notable targets include:

  • A former Russian prime minister
  • A former U.S. Deputy Under Secretary of Defense and a former senior director of the U.S. National Security Council
  • The Austrian ambassador to a Nordic country and the former ambassador to Canada for a Eurasian country
  • Senior members of the oil, gas, mining, and finance industries of the former Soviet states
  • United Nations officials
  • Military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as NATO officials
  • Politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam

While we have no “smoking gun” that provides definitive proof linking what we discovered to a particular government agency (a common challenge in open source investigations like ours), our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage. This overlap includes technical details associated with the successful breach in 2016 of the email account of John Podesta, the former chairman of Hillary Clinton’s unsuccessful presidential campaign.

As is often the case with Citizen Lab research on targeted threats, our report began with a “patient zero” — in this case, the prominent journalist David Satter.  Satter is a well-known author on Russian autocracy. He was banned from Russia in 2013 for his investigative reporting on corruption and abuse of power associated with the Putin regime.  In October 2016, Satter’s Gmail account was successfully phished.  Documents stolen from his account then appeared on the website of CyberBerkut, a self-described pro-Russian hacktivist group.  Using the genuine documents obtained with Satter’s consent, our report details the disinformation campaign that was orchestrated around his stolen emails to give the false impression that Satter was part of a CIA-backed plot to discredit Putin and his adversaries and engineer a “colour revolution.”  The disinformation was also aimed at providing a false association between Satter, western NGOs, and prominent Russian opposition figures, most notably the anti-corruption activist Alexei Navalny.

A very detailed technical analysis of the infrastructure and methods used in the phishing attack on Satter, led by Citizen Lab’s Adam Hulcoop, then allowed us to unravel and ultimately identify a much larger group of over 200 individuals across 39 countries targeted by the same operators.  Not since our Tracking GhostNet report in 2009 do I recall us discovering such an extensive list of high-profile targets of a single cyber espionage campaign.

Why target civil society? For many powerful elites, a vibrant civil society is the antithesis to their corrupt aims.   In the case of Russia, the motivations behind cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition.  It often matters just as much for the Kremlin to know what critical exposé is going to be published on Putin’s inner circle, or what demonstration is going to be organized in the streets of St. Petersburg, as it does what happens in corporate boardrooms or government headquarters abroad. This means journalists, activists, and opposition figures — both domestically and around the world — bear a large burden of the spying.

Our report also offers a detailed glimpse of the new frontier of digital disinformation.  Tainted leaks, such as those analyzed in our report, present complex challenges to the public.  Fake information scattered amongst genuine materials — “falsehoods in a forest of facts” as Citizen Lab’s John Scott-Railton referred to them — is very difficult to distinguish and counter, especially when it is presented as a salacious “leak” integrated with what otherwise would be private information.

Russia has a long history of experience with what is known as dezinformatsiya, going back even to Soviet times.  The prospect of a country with its superpower resources engaging in systematic “tainted leak” operations generated with data stolen by affiliated cyber criminal “proxy” groups is daunting.  Even more daunting is the prospect that the model of its success will breed similar campaigns undertaken by other governments.  To the extent it is both cheap and effective, and provides plausible deniability when outsourced to the shady underworld, it will almost certainly inspire other governments to follow suit.

With digital insecurity and data breaches now a pervasive and growing problem, it is highly likely digital disinformation operations are going to become widespread. Indeed, we could be on the cusp of a new era of superpower-enabled, digital disinformation.  The public’s faith in media (which is already very low), and the ability of civil society to do its job effectively, will both invariably suffer as collateral damage.

Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them.  We also hope that in highlighting the large number of civil society members targeted in yet another cyber espionage campaign, the “silent epidemic” can be properly addressed by policymakers, industry, and others.

One final note concerning notification: we chose not to identify targeted or victimized individuals without their consent in order to protect their privacy.  Instead, we have notified the email service provider and relevant Computer Emergency Response Teams.

Report URL: https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/