Introducing QUANTUM-as-a-Service

Imagine that your device could be silently commandeered and used to spy on you simply because you surfed the web. No need for anyone to have possession of it and physically install something. No need to trick you into downloading spyware, clicking on a malicious link, or entering your credentials into a phony login page.  Attackers just wait for you to visit any unencrypted website (http rather than https, that is) and — boom — you’re owned.

Now imagine this capability was commercialized and available for sale to operators all over the world…

Imagine no more.

In a new Citizen Lab report, titled Bad Traffic, we present our discovery of how operators appear to use technology manufactured by a company called Sandvine (formerly Procera) to help deliver exactly this type of nation-state malware in Turkey and Syria. Bizarrely, we also discovered that the same Sandvine technology was configured by operators apparently to commandeer unwitting Internet users in Egypt, but not to spy on them. Instead, there we found user requests appeared to have been manipulated by operators to covertly raise money through online ads and cryptocurrency mining scams.

Known as “packet injection,” and carried out by Deep Packet Inspection (DPI) devices, the techniques we uncovered at work in Turkey and Egypt are similar to those revealed in the Edward Snowden disclosures, codenamed “QUANTUM.” QUANTUM attacks are considered among the most powerful weapons in the NSA’s (and its Five Eyes allies’) toolkit. One was reportedly employed by the UK’s GCHQ to get inside the computers of Belgium’s largest telco, Belgacom, by redirecting senior Belgacom technicians to fake LinkedIn pages where their computers were silently infected with malware. As the Belgacom operation demonstrates, QUANTUM attacks typically involve two components: a first, where forged packets are injected into the replies to a user’s Internet requests, redirecting the browser; and a second, in which a separate server controlled by the attackers (codenamed FOXACID by the NSA) delivers the spyware to the redirected browser (Figure 1). We found Sandvine PacketLogic devices being used by operators to perform the first component, with spyware of the operator’s choice (presumably Turkish authorities) serving as the second.

Figure 1: Top Secret NSA Slide QUANTUM INSERT Diagrams
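To make the first component concrete, here is an added detection example (written for this page; it is not code from the Citizen Lab report or from Sandvine). An on-path injector that sees a client’s plain-http request forges a reply, typically a 3xx redirect to a server the attacker controls, using the sequence number the real server’s response will carry; both replies reach the client, which accepts whichever arrives first and discards the other as a retransmission. The script scans captured server-to-client TCP segments for the signature that race leaves behind: two segments in one flow with the same sequence number but different payloads, and a winner whose IP TTL differs from the rest of the flow. The packets, addresses and redirect target are constructed for the example.

```python
"""Flag QUANTUM-style TCP injection races in a list of captured segments.

Example code written for this page; the packets below are constructed.
"""
from collections import Counter, defaultdict

# Constructed capture: one HTTP exchange, server 203.0.113.10:80 to client
# 192.0.2.5:51234. Packet 0 is the forged redirect (hypothetical target
# host example.invalid); packets 1 and 2 are the legitimate response.
SAMPLE_PACKETS = [
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51234,
     "seq": 1001, "ttl": 44,
     "payload": b"HTTP/1.1 307 Temporary Redirect\r\n"
                b"Location: http://example.invalid/x\r\n\r\n"},
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51234,
     "seq": 1001, "ttl": 52,
     "payload": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>"},
    {"src": "203.0.113.10", "sport": 80, "dst": "192.0.2.5", "dport": 51234,
     "seq": 1051, "ttl": 52,  # 1001 + the 50 bytes of the 200 response
     "payload": b"<body>hello</body></html>"},
]


def flow_key(pkt):
    """One direction of one TCP connection."""
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])


def status_line(payload):
    return payload.split(b"\r\n", 1)[0].decode("ascii", "replace")


def find_injection_races(packets):
    """Return one finding per (flow, seq) that carried conflicting payloads.

    Packets must be in capture order; the first segment seen for a
    conflicting sequence number is reported as the race winner, which is
    accurate when the capture point is near the client.
    """
    by_flow_seq = defaultdict(list)
    ttls_by_flow = defaultdict(list)
    for pkt in packets:
        by_flow_seq[(flow_key(pkt), pkt["seq"])].append(pkt)
        ttls_by_flow[flow_key(pkt)].append(pkt["ttl"])

    findings = []
    for (flow, seq), seen in by_flow_seq.items():
        if len({p["payload"] for p in seen}) < 2:
            continue  # identical payloads: an ordinary retransmission
        modal_ttl = Counter(ttls_by_flow[flow]).most_common(1)[0][0]
        winner = seen[0]
        findings.append({
            "flow": flow,
            "seq": seq,
            "winner": status_line(winner["payload"]),
            "winner_ttl": winner["ttl"],
            "flow_modal_ttl": modal_ttl,
            "ttl_anomaly": winner["ttl"] != modal_ttl,
            "losers": [status_line(p["payload"]) for p in seen[1:]],
        })
    return findings


if __name__ == "__main__":
    for f in find_injection_races(SAMPLE_PACKETS):
        print(f"{f['flow'][0]}:{f['flow'][1]} seq={f['seq']} "
              f"winner={f['winner']!r} ttl={f['winner_ttl']} "
              f"(flow modal ttl {f['flow_modal_ttl']}) losers={f['losers']}")
```

A legitimate server never sends two different payloads for the same sequence number, so the payload conflict is the strong signal; a plain retransmission with identical bytes is deliberately ignored. The TTL check is secondary and assumes the capture point sits near the client, so that the injector’s segment arrives first and has crossed a different number of hops than the server’s. The same logic catches injected RST or FIN segments used for blocking rather than redirection.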

Pulling off a QUANTUM attack is relatively simple if you control the network of a group of users. Computer scientist Nick Weaver demonstrated a QUANTUM attack at our 2015 Citizen Lab Summer Institute. However, to be able to execute QUANTUM attacks at the national scale requires control or cooperation of a major telecommunications provider, something only national governments can practically do.  

In another Snowden disclosure, Canada’s spy agency, CSE, noted in a top-secret presentation that “it’s no lie, quantum is cool,” but then added “it’s easy to find.” Well, maybe for them. For researchers like us, it’s not so easy. Our report is the first case where nation-state spyware injection has been empirically documented “in the wild.” Credit goes to the Citizen Lab’s Bill Marczak, whose remarkable detective work included scanning every one of the billions of IPv4 addresses on the Internet to search for the unique fingerprint he developed for Sandvine’s PacketLogic device. We also verified the fingerprint in a laboratory setting using a second-hand PacketLogic device we purchased. Marczak’s sleuthing identified spyware injection targeting Türk Telekom subscribers in at least five provinces in Turkey, and hundreds of users across the border in Syria who were receiving their Internet access through WiFi connection points leased from Türk Telekom. The same methods helped uncover the Egyptian mass injection-for-profit scheme, which we have dubbed “AdHose”.

Figure 2: AdHose Packet Injection Diagram 

One imagines that the NSA, GCHQ, and their allies spent many years and considerable scientific and financial resources developing QUANTUM capabilities in house. Today, commercial DPI technology combined with spyware in the ways we have documented allows a government to simply order them up.  With QUANTUM-as-a-Service, many more governments will now be playing in the Five Eyes’ league  — governments like Turkey and Egypt, which Human Rights Watch describes respectively as “the world leader in jailing journalists and media workers,” and “continuing near-absolute impunity for abuses by security forces under the pretext of fighting ‘terrorism.’”

The prospect of QUANTUM capabilities being sold “off-the-shelf” to any government or government-controlled telco should give everyone pause, especially because the type of DPI sold by companies like Sandvine, as presently advertised, falls through the regulatory cracks. It is classic “dual-use” technology, marketed as benign-sounding “quality of service” or “quality of experience” functionality: helping Internet Service Providers manage network traffic, speed up the delivery of videos for higher-paying clients, and block forbidden applications. The 42-state Wassenaar Arrangement on dual-use export controls targets “IP network communications surveillance” items, but specifically exempts “quality of service” and “quality of experience” systems. However, as our report shows, Sandvine’s technology (which appears at present to fall under this exemption) can also surreptitiously redirect users to sophisticated spyware, or permit the hijacking of browsers to mine cryptocurrency for profit. Its power is in the hands of the local operator — operators that answer to autocratic rulers like Turkey’s Erdogan or Egypt’s el-Sisi.

It is worth noting that Sandvine is owned by Francisco Partners, the same investment group that also happens to own Israeli spyware vendor NSO Group, another company whose misused services have been the subject of numerous Citizen Lab reports.  In response to our letters to these companies, Sandvine and Francisco Partners both claimed that they have stringent business ethics and other internal checks to prevent abuse of their services. Not good enough checks, it seems.

Until its acquisition by Francisco Partners last year, and its subsequent combination with Procera, Sandvine was headquartered in Waterloo, Canada. At the time of the proposed sale, I argued that the takeover warranted closer scrutiny by the federal government. In light of Citizen Lab’s report, I wonder if anything will be done by relevant authorities in Canada and the United States? Targeted injection of spyware at the nation-state level represents a major public safety risk, and technologies that facilitate such injection should be regulated accordingly.

While we wait for governments to act, there’s more that can be done right now to protect users. Properly encrypting websites by default would certainly frustrate these sorts of attacks, because an injector cannot forge a response inside a TLS session it does not hold the keys for. However, Google and Firefox telemetry show that roughly 20-30% of page loads are still not encrypted. That needs to change.

Until such time, keep an eye on the address bar of the websites you visit. If the URL begins with “http” rather than “https,” and there is no lock icon marked “secure,” you too may be vulnerable to this type of attack. One caveat: the very first request to a site is typically sent over plain http before the server redirects to https, so even a site that does encrypt is exposed at that first hop unless it also deploys HTTP Strict Transport Security (HSTS), which tells the browser to use https from the outset on later visits (or from the first visit, if the site is on the browser’s preload list).

A Year in the Life of a Phishing Operation

It’s often remarked that digital espionage can be undertaken on the cheap. But just how cheap?

In a new Citizen Lab report released this morning, we give one answer. Taking advantage of simple errors committed by the operator of a phishing operation, we were able to get an “inside view” of just what it takes to mount an effective digital spying job.  

For more than 8 months, we quietly observed as the operator set up phishing lures, registered decoy domains disguised as popular email services, made fake login pages, sent targeted emails to individuals and organizations, and maintained the back-end infrastructure for the entire enterprise.

Total estimated cost: $1,068.00  

Running this operation would require only basic system administration and web development skills and although it was sloppy in execution, the phishing campaign was nonetheless successful. At least two accounts we tracked were compromised, with contact lists stolen from the victims used to send out more phishing emails to other targets.  We suspect there were likely other successful compromises beyond these accounts based on decoy documents we collected that appear to be private files likely extracted from compromised accounts.

Who was behind it? While we have no evidence linking the individual(s) running it to a specific government agency or other client, there are a number of clues as to its motivation and possible benefactor.  The bulk of activity we observed was focused on Tibetan organizations, and we were able to verify this targeting with the cooperation of individuals and organizations involved in Tibet-related activism who shared with us phishing emails they received from the operator.

But the operator was interested in more than Tibet. Our analysis of decoy documents, phishing pages, and registered domains used in the operation  shows several non-Tibetan themes that suggest there were other targets.  These themes include the Uyghur ethnic minority group, Epoch Times (a media group founded by members of the persecuted religious organization Falun Gong), themes related to Hong Kong, Burma, the Pakistan Army, the Sri Lankan Ministry of Defence, the Thailand Ministry of Justice, and a controversial Chinese billionaire critical of state corruption.  

Add these up and the common denominator uniting them all is that they fall within the strategic interest of the People’s Republic of China. While we have no evidence to show the operator was working on behalf of a specific Chinese government agency, it’s well known that freelancers and security contractors do so on a regular basis. In November 2017, for example, the US Department of Justice indicted three Chinese nationals working at an Internet security firm for digital theft of commercial secrets. (One wonders what it will take to marshal the political will to bring such an indictment against an individual for hacking a human rights organization.) Although the indictment didn’t say so, it’s reported that the Internet security firm (Boyusec) is ultimately working on behalf of the Chinese Ministry of State Security. Such arm’s-length relationships are beneficial to the state, which can reap the fruits of espionage while retaining a certain degree of plausible deniability.

The sloppiness of the operator may also be suggestive. Whoever was behind this campaign may have just been amateurs who made mistakes. Or they may have been operating on the assumption that their actions were, if not condoned by some higher authority, then at least implicitly tolerated. In other words: operational security may be inversely correlated with fear of consequences. And in China there are, at present, very few consequences for running a hacking operation for hire — whether the targets are a foreign company’s intellectual property assets or an NGO’s strategic communications plans. Why worry about operational security if getting caught doesn’t matter?

The case also illustrates yet another important lesson: digital espionage operations will only be as sophisticated and expensive in their execution as what it takes for them to work. Someone is not going to bother spending more time and money than necessary if something “on the cheap” like this setup will do the job just as well.

But there’s a flip side to this lesson, one that we hope individuals and organizations will pick up on in their digital security planning: simple phishing operations can also be simply blunted. The successful compromises would likely never have happened had the individuals and organizations in question implemented two-factor authentication — a security feature that requires a second ‘factor’ (like a code on a mobile phone) in addition to the password, so that a password harvested by a fake login page is not enough on its own to access the account. Unfortunately, two-factor authentication is still far from widely adopted by users, and is off by default on almost all popular online platforms.

We need to start thinking of two-factor authentication as the equivalent of a “seat belt” for the Internet: not perfect, but it may help mitigate the impact of a digital crash. Major platform providers should mainstream security features like two factor authentication into their services to help limit the harm done by inexpensive but effective phishing. And just as with seat belts and automobile manufacturers, if the companies can’t do it themselves, perhaps it’s time that regulators step in and require that it be done.
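As an added illustration of what the second factor buys you (example code written for this page, not from the Citizen Lab report), the following implements RFC 6238 time-based one-time passwords on top of RFC 4226 HOTP, together with a minimal login check that requires both the password and a fresh, not-yet-used code. The user record and password are constructed; the secret is the RFC 6238 test-vector key, so the codes can be checked against the published values.

```python
"""RFC 6238 TOTP as a second login factor, plus the replay check a server needs.

Example code written for this page, not from the Citizen Lab report.
The user record below is constructed; the TOTP secret is the RFC 6238
test-vector key so the codes can be checked against the published values.
"""
import hashlib
import hmac
import os
import struct
import time

RFC6238_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter derived from wall-clock time."""
    return hotp(secret, int(at_time) // step, digits)


def match_totp_counter(secret, code, at_time, step=30, digits=6, window=1):
    """Return the time-step counter the code belongs to, or None.

    Neighbouring steps (+/- window) are accepted to tolerate clock drift;
    the comparison is constant-time so it leaks nothing about the code.
    """
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        candidate = base + delta
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


USERS = {}  # constructed in-memory store: username -> record


def enroll(username, password, totp_secret):
    salt = os.urandom(16)
    USERS[username] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
        "totp_secret": totp_secret,
        "last_counter": -1,  # highest counter already accepted; blocks replay
    }


def login(username, password, code, at_time=None):
    """True only if the password and a fresh, unused code are both right."""
    now = time.time() if at_time is None else at_time
    user = USERS.get(username)
    if user is None:
        return False
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 100_000)
    pw_ok = hmac.compare_digest(pw_hash, user["pw_hash"])
    counter = match_totp_counter(user["totp_secret"], code, now)
    # Both factors are evaluated before deciding, so a phished password
    # with no code fails exactly like a wrong password.
    if not pw_ok or counter is None or counter <= user["last_counter"]:
        return False
    user["last_counter"] = counter
    return True


if __name__ == "__main__":
    enroll("tenzin", "correct horse battery staple", RFC6238_SECRET)
    t = 1234567890
    code = totp(RFC6238_SECRET, t)
    print("code for this step:", code)
    print("password only:", login("tenzin", "correct horse battery staple", "", t))
    print("password + code:", login("tenzin", "correct horse battery staple", code, t))
    print("same code replayed:", login("tenzin", "correct horse battery staple", code, t))
```

Each code is derived from a secret shared between the phone and the server and from the current 30-second step, so a password captured by a fake login page is useless on its own, and the last_counter check stops a code that was already accepted from being replayed within the drift window. The caveat behind the “seat belt” analogy: a real-time phishing proxy can relay a live code within its validity window, so TOTP raises the cost of phishing rather than eliminating it; hardware security keys (FIDO/U2F) bind the login to the site’s origin and close that gap.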

Read the full report here: Spying on a Budget: Inside a Phishing Operation with Targets in the Tibetan Community.

Also, check out a few of our digital security resources to learn more about two factor authentication and other ways to protect yourself online at Net Alert and Security Planner.

A close look at the proposed “CSE Act”

The Citizen Lab is releasing a new report today, in collaboration with our partners at the Canadian Internet Policy & Public Interest Clinic (CIPPIC), entitled, “Analysis of the Communications Security Establishment Act and Related Provisions in Bill C-59.”

The 75-page report provides a detailed overview of Canada’s SIGINT agency, the Communications Security Establishment (CSE), an analysis of how the Liberal government’s proposed national security legislation, Bill C-59, would affect its mandate, operations and oversight, and a set of recommendations on legislative and other changes.

The report was researched and written by our SIGINT working group at Citizen Lab that includes (along with myself) Christopher Parsons, Lex Gill, and Bill Robinson, and CIPPIC’s Tamir Israel.  

Agencies like CSE are critical to public safety, foreign policy, and national security.  It is essential that they are well-equipped and trained.  However, their extraordinary and far-reaching capabilities and activities present enormous governance challenges for liberal democratic societies.  Much of CSE’s activities are shrouded in secrecy — the most highly classified of any Canadian government agency.   There are obvious good reasons for that secrecy.  But government secrecy without strong independent oversight is a recipe for the abuse of power.

It is important to recognize that CSE does not act alone.  It is part of a large and very powerful global alliance of SIGINT agencies that share data, infrastructure, and personnel.  Among those partnerships the most important is the “Five Eyes” alliance that includes New Zealand, Australia, the United Kingdom and the United States’ massive National Security Agency. These alliances allow Canada to “punch above its weight,” but they can also further obscure CSE’s activities and distance them from proper domestic oversight.

CSE’s expertise is in the area of data collection and analysis — the “signals” of “signals intelligence.” Whereas at one time this expertise was focused on the interception of a relatively narrow band of diplomatic, military, and government communications, today it’s focused on all of society’s communications, all of the time. This broad sweep may be necessary and justifiable to identify threatening “needles in haystacks” that could wreak havoc. But it also raises tremendous and largely unprecedented civil liberties concerns. At a time when we have turned our digital lives inside out, and carry around in our pockets devices that track our movements, social relationships, and habits, agencies like CSE have been granted extraordinary powers to collect and monitor it all. Making sure such agencies are checked with thorough oversight and public accountability measures is critical to liberal democracy.

The proposed Communications Security Establishment Act (“CSE Act”) is a major component of the comprehensive national security reforms proposed by the Trudeau government in Bill C-59. Among the many far-reaching implications of the CSE Act, Bill C-59 would add an entirely new “mandate” for CSE to engage in “active cyber operations,” which in other words means granting CSE authorization to engage in state-sponsored hacking. Although CSE has for many years already engaged in such activities, codifying this mission into law as a new mandate will legitimize and undoubtedly amplify them. The implications of doing so require broad public debate.

Having CSE engage in state sponsored hacking will (among other things) further the already harmful and opaque practice of hoarding software vulnerabilities as weapons of warfare and intelligence, as opposed to disclosing them to vendors in the interest of public safety; encourage the poorly regulated market for commercial spyware, whose harmful consequences the Citizen Lab has extensively documented; and contribute to the normalization abroad of the already dangerously escalating militarization of cyberspace, including the spread of state-sponsored disinformation campaigns.  For a heavily networked country so dependent on global communications, Canadians should seriously debate what is most in our national interest: to contribute to an already escalating arms race in cyberspace, or to be a force for mutual restraint and the control of weapons instead?

Our 75-page analysis raises numerous concerns about Bill C-59’s treatment of CSE, and outlines over 50 recommendations to improve systems of review, oversight, and control of the CSE and to constrain the CSE’s ability to engage in activities that are problematic, abusive, unconstitutional, or in violation of international human rights norms.

Our post and a link to the full report can be found here.

Ethiopian Cyber Espionage with Israel-based Commercial Spyware

Citizen Lab has published a new report today in which we uncover a major global cyber espionage campaign targeting numerous individuals in the United States, United Kingdom, Canada, Germany, and more than a dozen other countries.  Strong circumstantial evidence points to Ethiopia, with the surveillance technology supplied by an Israel-based company, Cyberbit Solutions.

WIRED has published an opinion piece I wrote that summarizes the report’s findings and puts them in a larger context, which can be found here.  Reuters also published a good overview here.

The full, very detailed report entitled, “Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware,” and authored by Citizen Lab’s Bill Marczak, Geoffrey Alexander, Sarah McKune, John Scott-Railton, and myself, can be found here.

Among the report’s notable details: public logfiles located by Citizen Lab’s Bill Marczak allowed us to track Cyberbit employees as they carried infected laptops around the world, apparently providing demonstrations of the spyware to the Royal Thai Army, Uzbekistan’s National Security Service, Zambia’s Financial Intelligence Centre, the Philippine President’s Malacañang Palace, ISS World Europe 2017 in Prague, and Milipol 2017 in Paris. Cyberbit also appears to have provided other demos of PSS in France, Vietnam, Kazakhstan, Rwanda, Serbia, and Nigeria. Bill’s detective work here is spectacular. A special shout-out to Geoff Alexander, who did excellent supporting work reverse engineering malware samples.

A graphic (put together thanks to John Scott-Railton, as usual) that shows the locations of these demonstrations can be found here.

The operators also tried to infect Citizen Lab lead technical researcher on the project, Bill Marczak, as outlined in this Motherboard piece.  As Daily Beast reporter, Joseph Cox, noted, that’s “one of the dumbest things you can possibly do with your nation-state malware.”

A companion piece (led by Citizen Lab’s Sarah McKune) detailing the legal and regulatory issues raised by our report can be found here. It is great to see support from Human Rights Watch, which wrote a lengthy post and a letter to Cyberbit.

Citizen Lab Submission to UN SR on Online Violence Against Women

In March 1994, the United Nations Commission on Human Rights appointed a “Special Rapporteur on violence against women, including its causes and consequences”.  The current Special Rapporteur is Dr. Dubravka Šimonović.

Recently,  Dr. Šimonović issued a call for submissions on the topic of “online violence against women” and Citizen Lab decided to make such a submission.

Over the years, Citizen Lab research has touched on many subjects that are relevant to the topic of online violence against women and girls, and we are committed to integrating a gender- and diversity-based analysis into our work. As our submission notes, “Citizen Lab research has exposed efforts to target women in digital espionage campaigns, revealed the use of surveillance tools against those seeking justice for slain women’s rights advocates, mapped Internet censorship systems that filter out information related to women’s rights and sexuality, and supported partners in the Global South who study online threats faced by women human rights defenders”.

Based on these experiences, we have become concerned about the ways in which the very real vulnerabilities of women and girls in online and offline spaces are exploited to justify new, expansive, and sometimes unaccountable censorship and surveillance powers. We see little evidence that these powers will mitigate the problems affecting women and other at-risk communities. In fact, sometimes they can actually make matters worse, as in the case of the massive security vulnerabilities we discovered in South Korean child monitoring applications, which put parents and their minor children at greater risk than if they had not used the applications in the first place.

In order to assist the UN Special Rapporteur, we make several recommendations which we hope will inform the report she is preparing on the topic, to be presented at the next Human Rights Council in June 2018. These recommendations stress the importance of robust digital security to protect women and girls online; the importance of proper oversight, transparency, and public accountability with respect to the sharing of user data and the removal of content undertaken by social media and other companies, whether at the request of governments or otherwise; the need for better regulation of the commercial spyware market, whose abuses include so-called “stalkerware” used by spouses to track their partners; and finally the importance of education, training, and capacity-building so that all stakeholders are more literate in all of the areas above.

The authors of the submission include researchers from the Citizen Lab (Ron Deibert, Lex Gill, Irene Poetranto, Amitpal Singh), Chelsey Legge from the International Human Rights Program at the University of Toronto, and Tamir Israel from the Canadian Internet Policy and Public Interest Clinic.

The full report can be found here.

Canada’s new national security bill: one step forward, two steps back?

Over the last year, the Canadian government has been engaged in extensive public consultations meant to address widespread concerns around C-51 (the anti-terror law implemented by Prime Minister Harper’s government) as well as a range of other national security practices, policies, and oversight and public accountability issues raised by Canadians.  (I participated in some of these consultations and found them to be informative and useful, for the most part).

The outcome of those consultations is a new proposed national security legislation, Bill C-59.  Bill C-59 is arguably the most comprehensive reform of Canada’s national security laws in decades.   While it contains a lot that is positive — particularly in the area of some new forms of oversight and accountability — there is also quite a bit in Bill C-59 that I and many others have found troubling.

Today, a letter is being released, signed by over 40 individuals and organizations, that publicly raises issues with Bill C-59.  Some of my colleagues and I at Citizen Lab — who together are part of an internal working group on signals intelligence — are among the signatories.

To accompany the joint public letter, we have also written a blog post that fleshes out in more detail some of our concerns.   You can read that letter here:

Generally speaking, it is exceedingly difficult for members of the public to hold national security organizations to account.  National security agencies operate in the shadows, and are governed by what can be, at times, confusing and opaque laws, methods, and practices.  Unless you’re a specialist or an insider, it can be frustratingly difficult to know just what is going on that might warrant a citizen’s concern.  In an age when we are effectively turning our digital lives inside out on the one hand, while entrusting to some of these agencies enormous resources, capabilities, and responsibilities on the other, this gap in understanding is a major problem for liberal democracy.

Our internal working group on signals intelligence — myself, Christopher Parsons, Bill Robinson, and Lex Gill — aims to help rectify that confusion.  We are working on a series of outputs and public engagements, of which this is the first, which we hope helps better inform Canadians on these critical issues.


Korean Child Monitoring Applications: Insecure by Design

Nearly every day it seems, a friend asks about how to cope with a digital security risk.  Among those with the most acute concerns are parents of minor children, many of whom now carry with them mobile devices.  Parents ask how they can protect their children from inappropriate content, whether their child’s use of their mobile device exposes them to bullying, monitoring, or other threats, and what they can do to mitigate those risks.

These are legitimate concerns for which serious solutions are required.  

Unfortunately, as our new report shows, sometimes good intentions can lead to very bad outcomes — especially when bad public policy is combined with poor software design and engineering.

In April 2015, South Korea became the first country in the world to mandate that all phones registered to individuals under the age of 19 be equipped with monitoring and filtering apps that block content deemed  “harmful.”   At the time, Korea’s telecommunications regulatory body, the Korean Communications Commission (KCC), funded and promoted an app called “Smart Sheriff,” produced by the Korean Mobile Internet Business Association (MOIBA).

Followers of the Citizen Lab may remember that, in collaboration with Cure53, we published a detailed security audit of Smart Sheriff in September 2015 that found the app contained more than 26 serious security vulnerabilities.   We disclosed these vulnerabilities to MOIBA, and eventually Smart Sheriff was withdrawn from the market in November 2015.   

Our latest report, done in collaboration again with Cure53 and our colleagues at OpenNet Korea, analyzes two other  child monitoring applications produced by MOIBA, called Cyber Security Zone and Smart Dream.

To say our findings are disturbing is an understatement.

To our astonishment, our analysis of “Cyber Security Zone” found that it was actually a rebranded version of Smart Sheriff, containing many of the same privacy and security vulnerabilities we identified back in September 2015.   In other words, rather than digest our detailed security audit and start from scratch with proper engineering design principles in mind, MOIBA simply changed the name and slapped on a new logo!

Smart Dream, also produced by MOIBA, is an application that allows concerned parents to monitor their children’s messaging and online history.  What we found is that the application’s poor design actually exposes those children to numerous serious security and privacy risks.

Among the problems we identified:

  • We found both applications were susceptible to a “man-in-the-middle” attack, meaning that someone with access to any network through which the application’s communications pass could easily intercept those communications and acquire passwords, login information, and other sensitive details of children or parents using the apps. To give a concrete example, this could be someone with malicious intent operating the WiFi hotspot at the local cafe next to the child’s school.
  • Both applications were designed with poor encryption, which means they both leak highly sensitive user data, such as phone numbers, device IDs, and children’s dates of birth.
  • If an attacker knew the phone number of a user (see above), we found that they could also insert fake content, making it appear that children were visiting websites or sending messages they were not. Imagine the cyber-bullying possibilities of that vulnerability.
  • We found a security vulnerability in Smart Dream that allows an attacker to collect, from the Smart Dream server, every text message and search query stored for every minor child using the application.
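The last three bullets describe a back end in which knowing a child’s phone number is enough to read or plant that child’s records. As an added, deliberately simplified illustration (constructed for this page, not MOIBA’s code; the real applications’ request formats and flaws may differ from this), here is that weak pattern next to a hardened version: reads require an authenticated parent session bound to the child, and writes must carry an HMAC computed with a key provisioned to the child’s device at enrolment. The data store, parent accounts and device keys are all constructed.

```python
"""Phone-number-as-identity versus authenticated access in a monitoring back end.

Illustrative example written for this page (constructed data, not MOIBA's
code). The "vulnerable_" functions reproduce the pattern described above:
whoever knows a child's phone number can read or plant that child's
history. The "safe_" functions require a parent session bound to the
child for reads and a device-key HMAC for writes.
"""
import hashlib
import hmac
import secrets

# Constructed store: child phone number -> browsing/message history.
HISTORY = {
    "01012345678": ["http://news.example/", "search: homework help"],
    "01087654321": ["http://games.example/"],
}
# Which parent account is entitled to each child, fixed at enrolment.
PARENT_OF = {"01012345678": "parent-a", "01087654321": "parent-b"}
# Per-device secret provisioned to the child's handset at enrolment (assumed design).
DEVICE_KEYS = {"01012345678": b"constructed-key-a", "01087654321": b"constructed-key-b"}
SESSIONS = {}  # opaque session token -> parent id


# --- weak pattern: the phone number is the only thing the server checks ---

def vulnerable_get_history(phone):
    # Anyone who knows or enumerates a number reads that child's records.
    return list(HISTORY.get(phone, []))


def vulnerable_add_entry(phone, entry):
    # Anyone can make it look as if the child visited a site or sent a message.
    HISTORY.setdefault(phone, []).append(entry)


# --- hardened: reads need the child's parent, writes need the child's device ---

def login_parent(parent_id):
    """Issue an unguessable session token (the password check is omitted for brevity)."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = parent_id
    return token


def safe_get_history(token, phone):
    parent = SESSIONS.get(token)
    if parent is None or PARENT_OF.get(phone) != parent:
        raise PermissionError("session is not the parent of this child")
    return list(HISTORY.get(phone, []))


def sign_entry(device_key, phone, entry):
    """Tag the child's device computes; length prefixes keep the fields unambiguous."""
    msg = f"{len(phone)}:{phone}{len(entry)}:{entry}".encode()
    return hmac.new(device_key, msg, hashlib.sha256).hexdigest()


def safe_add_entry(phone, entry, tag):
    key = DEVICE_KEYS.get(phone)
    if key is None or not hmac.compare_digest(sign_entry(key, phone, entry), tag):
        raise PermissionError("entry was not produced by the enrolled device")
    HISTORY.setdefault(phone, []).append(entry)


if __name__ == "__main__":
    print("no credentials needed:", vulnerable_get_history("01012345678"))
    token_b = login_parent("parent-b")
    try:
        safe_get_history(token_b, "01012345678")
    except PermissionError as exc:
        print("hardened read by the wrong parent:", exc)
    try:
        safe_add_entry("01012345678", "http://planted.example/", "00" * 32)
    except PermissionError as exc:
        print("hardened write without the device key:", exc)
```

None of this helps unless the transport is TLS with certificate verification enabled, which is the first bullet: if the app accepts any certificate, an attacker on the cafe WiFi reads the session token and the entries regardless of what the server checks. The HMAC tag as written can also be replayed to duplicate an entry, so a production design would include a per-device counter or timestamp in the signed data.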

In short, what we found was that — rather than protecting minor children — both applications actually put minor children, and their parents, at much greater risk than if they had not used the applications in the first place.

That MOIBA knew of the security vulnerabilities of Smart Sheriff going back to our 2015 report, and simply pushed out a rebranded version containing the same flaws, is grossly irresponsible.

The fact that the applications were funded by a Korean regulatory body and promoted by a respected Korean industry group only makes matters worse. Concerned Korean parents looking to protect their children and to follow a law that makes installation of this type of application mandatory would naturally expect to receive honest and trustworthy advice from such institutions. Unfortunately, they were deeply misled.

We have communicated for weeks with MOIBA about our findings, working with them to ensure that the applications’ problems are fixed. However, given MOIBA’s track record we have no expectation that MOIBA will reform itself and begin undertaking application development with best security practices from the ground up.

We are releasing our report as part of our “NetAlert” series, which includes a cartoon developed by illustrator and designer Jason Li that nicely summarizes the findings and risks and makes recommendations to parents, policymakers, and developers in both English and Korean.  

Parents who are concerned about their children’s safety while using mobile devices may decide to install applications such as these.  If they do, it is critical that they use applications that are thoroughly audited to ensure they conform to secure engineering design principles.   In other words, do not use Smart Dream, Cyber Security Zone, or any other application developed by MOIBA.

Read the report here:

Mexican Surveillance Abuse Continues

We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company NSO Group. Had the links been clicked on, González’s phone would have been silently commandeered, allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (including those protected by end-to-end encryption, since the spyware reads them on the device itself), and track his movements.

This most recent case brings the total number to 22 individuals that we have confirmed being targeted with NSO Group spyware in Mexico.  NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals.  Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and / or doing their jobs as lawyers, journalists, and investigators.   As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology.  It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse.  NSO Group’s US-based majority owner, Francisco Partners, was recently reported to be looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million.  When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.  On August 15, 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group in Mexico is led by Citizen Lab senior researcher, John Scott-Railton.  Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak.  Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research.  We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed methods research to highlight digital security issues that arise out of human rights concerns, and then engage in high-level policy and legal engagement to try to mitigate the problem.
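The matching step described above (link domains from the targets’ SMS messages checked against known infrastructure) as an added, illustrative example; this is not Citizen Lab’s tooling, and the indicator domains and sample messages are constructed placeholders, since the post publishes no domains.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators: the post publishes no domains, so a real
# workflow would load the list produced by one's own scanning instead.
KNOWN_INFRASTRUCTURE = {"exploit-link.example", "sms-redirect.example"}

# Links in lure texts often omit the scheme, so it is optional here.
URL_RE = re.compile(r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)

SAMPLE_SMS = [  # constructed sample messages, not real ones
    "Urgent: see the attached note at http://m.exploit-link.example/kx83",
    "Meeting moved to 10am, agenda at https://calendar.example.org/evt",
    "Your document is ready: sms-redirect.example/nota?id=7",
]

def extract_domains(sms_text):
    """Return the normalized hostname of every link in an SMS body."""
    hosts = []
    for link in URL_RE.findall(sms_text):
        if not link.lower().startswith("http"):
            link = "http://" + link  # let urlsplit parse scheme-less links
        host = urlsplit(link).hostname  # drops port, path, query, userinfo
        if host:
            hosts.append(host.lower().rstrip("."))
    return hosts

def matches_indicator(host, indicators):
    """Return the indicator that host equals or is a subdomain of, else None."""
    # Indicators are often parent domains while lures use rotating subdomains,
    # so every suffix of the hostname (except the bare TLD) is checked.
    labels = host.split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in indicators:
            return candidate
    return None

def triage_sms(messages, indicators=KNOWN_INFRASTRUCTURE):
    """Return (message, host, indicator) for every link on known infrastructure."""
    # Shortened links are not expanded here; a real pipeline would resolve them
    # first, since a shortener's domain is not itself an indicator.
    hits = []
    for msg in messages:
        for host in extract_domains(msg):
            matched = matches_indicator(host, indicators)
            if matched:
                hits.append((msg, host, matched))
    return hits
```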

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless.  Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries in which they are domiciled as companies (e.g., Israel), which can pass stricter export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and are themselves sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here:

Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report confirming that the phones of two additional individuals were targeted with the Israel-based NSO Group’s sophisticated Pegasus spyware.

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murders, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS messages, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring a partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the kind of mature due diligence practices found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here:


Letter to Blackstone Group Regarding Possible Acquisition of NSO Group

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and lack of controls around the use of, spyware manufactured by the Israeli cyber warfare company NSO Group.

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls in the countries where spyware companies are headquartered, to opacity around the market for cyber security, to an absence of due diligence on the part of the companies themselves to know their clients.

A growing number of our reports have shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others are targeted by powerful software ostensibly limited to governments for fighting terrorists and investigating crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to rein in the abuse of commercial spyware.  As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here:

PDF here: