Chasing Circles


We are publishing a new Citizen Lab report today, entitled “Running in Circles: Uncovering The Clients of Cyberespionage firm Circles,” authored by Bill Marczak, John Scott-Railton, Siddharth Rao, Siena Anstis, and Ron Deibert.

Background

The global telecommunications ecosystem upon which we are all heavily dependent was not invented from scratch with a single well-thought-out plan. Instead, it went through successive waves of evolution over decades, intensifying in more recent years as new digital and mobile technologies were invented. Security has been ad hoc, fragmented and reactive as a result, leaving in place a hodge-podge of legacy standards and protocols, some of which are still open to serious exploitation.

Arguably the most significant of these is something called SS7, a protocol developed in 1975 to handle interoperability among wireline telecommunications firms. Back in the ‘70s — prior to the deregulation and privatization measures that swept through the worldwide industry — the telco marketplace was a much different place. It was more like an old boys’ club (and in many respects, still is). There were far fewer firms, and most of those in existence were either state-owned, crown corporations or utility-like monopolies. (The UK’s telco at the time, for example, was entirely state-run and was quaintly called “Post Office Communications.”)

Ironically, SS7 was rolled out in 1975 to solve a flaw in the existing “in-band” interoperability protocols, which were at the time being exploited by so-called “phone phreaks” using “blue boxes” (instructions for which they shared in popular magazines) to hack their way into free long-distance phone calls. (A young Steve Wozniak, co-founder of Apple, infamously used one such blue box to make a long-distance phone call to the Vatican posing as Henry Kissinger and asking to speak to the Pope.)

To solve this problem (and protect revenue) SS7 was created as a new “out-of-band” signalling protocol. SS7 has remained in place ever since, principally because there is a lot of older equipment and systems still out there that depend on it to function properly. SS7 is still predominantly used in 2G and 3G mobile networks, and even later-generation 4G / 5G networks are susceptible to security issues because they need to interconnect with SS7 networks to work for everyone. One of its central functions today is to handle billing and other services as subscribers roam from one network to another when they travel internationally.

The SS7 protocol’s “authentication” (such as it is) has relied mostly on trust among a small group of insiders. But as the global telco market rapidly diversified and numerous companies of all shapes and sizes entered the arena, SS7 became ripe for exploitation. Access to the SS7 network can allow a malicious actor to track virtually any target’s location and intercept voice calls and text messages (which, incidentally, can also be used to intercept codes for two-factor authentication sent via SMS).

In 2017, a joint investigation undertaken by CBC News and Radio-Canada, in cooperation with German security researchers, demonstrated an SS7 attack against a sitting Canadian member of parliament. With only a telephone number, the investigators were able to use SS7 vulnerabilities to track the MP’s movements and intercept his calls over two separate Canadian telco networks.

Although high-end nation-state intelligence agencies have been quietly benefiting from SS7’s weaknesses for a long time (thanks to their cozy relationships with their national telcos), privatization and deregulation have opened the door to a whole new array of entrants into that club, including criminals and cyber-surveillance firms.

Circles

Our report focuses on one such firm, a company called “Circles,” which was reportedly founded in 2008 and is known for selling systems to government security services to exploit SS7 vulnerabilities. (The company was acquired in 2014 by private equity firm Francisco Partners, which merged it with NSO Group — another regular on the Citizen Lab’s research radar for surveillance abuses.)

Circles’ operations are difficult to investigate and track. Unlike some other types of targeted surveillance, exploiting SS7 vulnerabilities does not leave traces on a target’s device for investigators like ours to discover. Until recently, what little was known about Circles came from leaked documents or investigative reporting on a few country clients, like Nigeria.

Our report opens for the first time a very large window into Circles’ global customer base.

Led by Citizen Lab senior researcher Bill Marczak, we discovered that Circles’ installations on customers’ premises leave a distinguishing fingerprint associated with the Check Point firewall that it employs. With that fingerprint as our starting point, we used internet scanning methods and gathered data from various sources and feeds to identify specific country clients.

In total, we were able to determine that 25 governments and 17 specific government agencies are likely Circles’ customers:

Australia, Belgium, Botswana (Directorate of Intelligence and Security Services), Chile (Investigations Police), Denmark (Army Command), Ecuador, El Salvador, Estonia, Equatorial Guinea, Guatemala (General Directorate of Civil Intelligence), Honduras (National Directorate of Investigation and Intelligence), Indonesia, Israel, Kenya, Malaysia, Mexico (Mexican Navy; State of Durango), Morocco (Ministry of Interior), Nigeria (Defence Intelligence Agency), Peru (National Intelligence Directorate), Serbia (Security Information Agency), Thailand (Internal Security Operations Command; Military Intelligence Battalion; Narcotics Suppression Bureau), the United Arab Emirates (Supreme Council on National Security; Dubai Government; Royal Group), Vietnam, Zambia, and Zimbabwe.

A major theme of our work on the commercial surveillance marketplace is how a lack of controls around sales of these technologies to government clients with poor human rights records and a lack of public accountability leads to major human rights abuses. Several of the Circles government clients we identify above are especially disturbing in this regard. For example:

  • We determined that the Internal Security Operations Command (ISOC) of the Royal Thai Army, a unit which has allegedly tortured detainees, is a Circles client.
  • We identified a Circles system operated by the Investigations Police of Chile (PDI). Chilean police have a checkered history of extra-legal surveillance against journalists and political opposition.
  • We identified a single Circles system in Guatemala that appears to be operated by the General Directorate of Civil Intelligence (DIGICI). The DIGICI has used surveillance equipment to conduct illegal surveillance against journalists, businesspeople, and political opponents of the government. Guatemala is presently in the midst of large public protests against government corruption.
  • We identified ten Circles deployments in Mexico. Citizen Lab’s prior research has shown Mexico’s government has serially abused NSO Group’s Pegasus spyware to target reporters, human rights defenders, and the families of individuals killed and disappeared by cartels.
  • We identified a Circles installation in Nigeria that is likely operated by that country’s Defence Intelligence Agency (DIA). A recent report by Front Line Defenders concluded that Nigeria’s government “has conducted mass surveillance of citizens’ telecommunications.”
  • Our scanning identified what appear to be three active clients in the UAE: the UAE Supreme Council on National Security (SCNS) (المجلس الأعلى للأمن الوطني), the Dubai Government, and a client that may be linked to both Sheikh Tahnoon bin Zayed al-Nahyan’s Royal Group and former Fatah strongman Mohammed Dahlan.

It should be emphasized that Circles’ technology can be deployed against targets both domestically and abroad. In other words, the international reach afforded by Circles’ services allows despots and autocrats to silently target political opposition who may have gone into exile in foreign jurisdictions — a continuation of disturbing trends around transnational repression the Citizen Lab’s research is closely following. Some of the government clients we identified have been suspected of organizing extraterritorial targeted killings of dissidents and political opposition figures.

Unfortunately, SS7 exploits are very difficult to guard against. In our report, we urge lawmakers, industry groups, and telecommunications companies to take immediate and meaningful steps to mitigate the long-standing technical weaknesses in SS7. We also urge high-risk individuals associated with any of the countries listed above to migrate away from SMS-based two-factor authentication immediately for all accounts where it is possible.

Read the full report here: https://citizenlab.ca/2020/12/running-in-circles-uncovering-the-clients-of-cyberespionage-firm-circles/

RESET: Reclaiming the Internet for Civil Society


I am really excited to be the 2020 CBC Massey Lecturer. It was a great honour to be invited and to be among the great authors and thinkers who have inspired me over the years, including Margaret Atwood, Ursula Franklin, Jane Jacobs, Charles Taylor, and so many others.

The lectures will be virtual this year, broadcast on CBC Ideas, November 9-13, with the final episode airing November 16th, with host Nahlah Ayed. (November 17th update: you can listen to all six lectures here: https://www.cbc.ca/radio/ideas/reset-reclaiming-the-internet-for-civil-society-1.5795345.)

I had two principal aims in writing RESET: the first was to summarize what I see as an emerging consensus about the many pathologies of social media and the organization of our entire communications ecosystem; the second was to lay out a principled framework for what to do about them.

RESET is published in the United States and Canada with House of Anansi Press, and in the United Kingdom by September Publishing. Thanks to Misha Glenny, Ziya Tong, Marietje Schaake, Cory Doctorow, and Edward Snowden for the very generous reviews!

“No one has done more than Ron Deibert and his lab to expose the enemies of the internet — shadowy companies whose sole business is to make it unsafe for all of us. No one is better placed to explain the intersection of law and technology that makes these abuses possible — and how we can put an end to them. Reset is the definitive narrative of where we went wrong and a last chance to make things right.” — Edward Snowden

“Tech is at a crossroads between oppression and liberation, and Ronald J. Deibert is our leading expert on the forces steering it in either direction. Reset is a road map revealing the secret alleys and byways that brought us to this juncture, and the ways ahead that we could navigate to a better future.” — Cory Doctorow, bestselling author of Radicalized and Walkaway

“One thing is for sure: your phone knows a lot more about you than you know about it. Ronald J. Deibert expertly cracks open our gadgets and electronics to reveal the who, what, and why behind our communications infrastructure. From digital espionage to big-data policing, Reset is a timely and critical look at how cutting-edge surveillance technologies are being weaponized against civil society. With the rise of authoritarianism around the world, Deibert’s book is a must-read for all who want to ensure that dark power stays in check.” — Ziya Tong, science broadcaster and author of The Reality Bubble

“Ronald J. Deibert is a rare hybrid who combines an advanced understanding of computer technology with a rich background in political science. He is also already a legend in security and tech circles because of his work as the founder and director of Citizen Lab . . . In Reset, Deibert outlines with tremendous economy and verve the major threats that face us as a consequence of our rapidly growing dependency on internet technologies, AI, robotics, and, further down the line, machine-to-machine learning and quantum computing. The clarity of his writing enables Deibert to categorize each aspect of the threat on a profound level that will nonetheless be accessible to any reader . . . Covid-19 has made it clear that our globalized world faces fundamental challenges to the survival of our species, along with most others. If we listen to Ron Deibert, we are still in position to head off another of those threats.” — Misha Glenny, bestselling author of McMafia and DarkMarket

“A reset is needed in the relation between privately run technologies and the public interest. Ron Deibert sketches what meaningful change looks like. Ron has been at the heart of analyzing the harms of technology to human rights, and increasingly to the human condition, for decades. His deep research and clear moral compass make his plea for a ‘reset’ an urgent one. To technology experts this book shines a clear light forward beyond current headline-grabbing incidents. To readers new to the depth of effects of the online information ecosystem, it is essential reading to gain clarity on where our values are at stake, and how we may preserve them.” — Marietje Schaake, International Policy Director of the Cyber Policy Center, Stanford University, and President of the CyberPeace Institute

“Reset is a shocking call to action and a persuasively argued book. It is the sort of text one hopes will be read widely … After all, a reset of the basic infrastructure of life will only come through a profound political reckoning — and like the foment of 1968, it may just be a reconceptualization of what we want and why we want it that finally drives change.” — Quill & Quire

Citizen Lab Wins Press Freedom Award for Defense of Internet

The Citizen Lab is the recipient of this year’s press freedom award of the Canadian Committee for World Press Freedom (CCWPF). The 13th annual Press Freedom Award goes to a Canadian person or group who has defended or advanced the cause of freedom of expression. The Citizen Lab team, based at the Munk Centre for International Studies at the University of Toronto, was selected for its ongoing dedication to free expression online through work that exposes cases of Internet censorship and espionage around the world.

From CNBC

Citizen Lab Recipient of Canadian Journalists for Free Expression (CJFE) 2010 Vox Libera Award

The Citizen Lab is proud and humbled by the announcement that we are the recipient of the Canadian Journalists for Free Expression (CJFE) 2010 Vox Libera Award. The announcement stated “The Citizen Lab was selected for its dedication to free expression and access to information online. World leaders in the field of “hacktivism,” the Citizen Lab’s members focus their research on documenting cases of internet espionage and censorship around the world, reinforcing the idea that the Internet should remain a safe, public domain”.

From Digital Journal

Psiphon wins Index on Censorship Economist New Media Award

We were very pleased to hear that Psiphon was the recipient of the Economist New Media Award at the Index on Censorship 2009 Free Expression Award Ceremony in London yesterday.

Details here. Although we are proud to win the award, we feel that this award belongs to the others on the shortlist as well. In particular, it is noteworthy that nominee Hoder is still imprisoned in Iran for merely expressing his opinions.

Tracking GhostNet

Dear Friends and Colleagues,

Please find below a link to Tracking GhostNet: Investigating a Cyber Espionage Network, the second major report from the Information Warfare Monitor – a joint project of the SecDev Group (Ottawa) and the Citizen Lab (Munk Centre for International Studies, University of Toronto).

Tracking GhostNet: Investigating a Cyber Espionage Network

This report documents the GhostNet – a suspected cyber espionage network of over 1,295 infected computers in 103 countries, 30% of which are high-value targets, including ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The report can be downloaded here.

For security reasons, we have redacted parts of the report until affected parties can be notified by the relevant authorities. A full uncensored report will be released in one week.

A New York Times story by John Markoff about the report is here.

This report is the culmination of a 10 month investigation of alleged Chinese cyber spying against Tibetan institutions. It documents a vast suspected cyber espionage network of over 1,295 infected computers in 103 countries, referred to in the report as GhostNet. Close to 30% of the infected hosts are considered high-value political and economic targets, and include computers located at ministries of foreign affairs, embassies, international organizations, news media, and NGOs.

The capabilities of the attack tools used by the GhostNet system were far-reaching, and include the ability to retrieve documents, and turn on web cameras and audio systems. The investigation was able to conclude that Tibetan computer systems were compromised by multiple infections that gave attackers unprecedented access to potentially sensitive information, including documents from the private office of the Dalai Lama.

While our analysis reveals that numerous politically sensitive and high-value computer systems were compromised in ways that circumstantially point to China as the culprit, we do not know the exact motivation or the identity of the attacker(s), or how to accurately characterize this network of infections as a whole. One of the characteristics of cyber-attacks of the sort we document here is the ease with which attribution can be obscured. Regardless of who or what is ultimately in control of GhostNet, it is the capabilities of exploitation, and the strategic intelligence that can be harvested from it, that matter most. This report underscores the growing capabilities of cyber attacks, the ease with which cyberspace can be used as a vector for signals intelligence, and the importance of security professionals and policy makers worldwide taking information security seriously. We look forward to your comments.

Profile of the Citizen Lab

Aired on CBC Radio-Canada’s “Une Heure Sur Terre”
November, 2008

The program provides an overview of the Lab, our research on information warfare, Nart Villeneuve’s Skype report, the OpenNet Initiative, and our psiphon circumvention software project.

Beating Internet Censorship the Canadian Way

from PC World

…”What we’re trying to do with psiphon is build a technology that supports that original notion of innovation that drove the Internet,” explains Lab Director Ronald Deibert.

“[T]he guarantee of uninterrupted access to free information” is what is at stake, says Professor Deibert, whose background and training as a political scientist – not a computer scientist – shows through clearly.

The Citizen Lab started in 2001 as a research and development centre for “politically-motivated hacktivists.” Among other activities, it operates the OpenNet Initiative, collaborating with organizations around the world on matters of online access, cyber security and Internet censorship.

Read more here.