Mexican Surveillance Abuse Continues

We are publishing yet another update to the ongoing investigations Citizen Lab has been conducting, in partnership with R3D, SocialTic, and Article 19, on abuse of commercial spyware in Mexico.  

Our latest report shows that the Claudio X. González, director of the Mexican anti-corruption organization Mexicanos Contra la Corrupción y la Impunidad (MCCI), was targeted with SMS messages containing links to the exploit infrastructure of the Israeli spyware company, NSO Group.   Had the links been clicked on, González’s phone would have been silently commandeered allowing the operators to surreptitiously turn on the camera and microphone, read emails and texts (even those that are encrypted), and track his movements.

This most recent case brings the total number to 22 individuals that we have confirmed being targeted with NSO Group spyware in Mexico.  NSO Group claims it restricts sale of its powerful spyware to government agencies to combat terrorism and track criminals.  Our investigations have shown that it has been used instead to target an alarming number of people who are exercising their political rights and / or doing their jobs as lawyers, journalists, and investigators.   As for who is responsible, we have no specific evidence. However, leaked documents show the Mexican Attorney General’s office is a client of NSO Group and the President of Mexico has gone on record with the admission that it has purchased NSO Group technology.  It is also highly incriminating of the Mexican government that many of the targets we confirmed, including the latest, share a common characteristic: investigations into official Mexican government corruption.

The spyware market is very lucrative and growing, but also replete with abuse.  NSO Group’s US-based majority owner, Francisco Partners, was recently reportedly looking to sell partial ownership of NSO Group to another investment firm, Blackstone Group, for $400 million.  When we learned of the possible sale, we published an open letter to Blackstone Group informing them of our research on the abuse of NSO Group’s spyware in Mexico and elsewhere, and urging them to exercise due diligence over the company’s behavior should the sale go through. Reports of the deal also attracted critical attention from a range of organizations, including Mexican NGOs involved in investigating NSO, Access Now, and Business and Human Rights.  On August 15 2017, Reuters reported that the Blackstone Group deal had fallen through.

The research on the use of NSO Group in Mexico is led by Citizen Lab senior researcher, John Scott-Railton.  Our ability to positively identify NSO Group’s spyware is based on careful network scanning and reverse engineering, undertaken by Citizen Lab’s Bill Marczak.  Using the technical indicators collected from this research, Scott-Railton engages with local advocacy partners to help identify targets in civil society who are willing to cooperate in the research.  We then compare the domains contained in the links in the SMS messages sent to the targets to known NSO Group infrastructure. Overall, this case is a good example of the general mission of the Citizen Lab, which aims to use mixed methods research to highlight digital security issues that arise out of human rights concerns, and then engage in high-level policy and legal engagement to try to mitigate the problem.

As to how this type of abuse can ultimately be solved, there is no simple remedy.  Companies like NSO Group are not violating any law by selling their technology to countries like Mexico.  And if a corrupt government client chooses to use that technology for abusive purposes, there is little that can be done to prevent it.

But that does not mean the situation is hopeless.  Companies like NSO Group can be encouraged to undertake more responsible “know your customer” practices to prevent abuse of their product. That pressure can come from the countries within which they are domiciled as companies (e.g., Israel) who can pass more strict export control regulations that require NSO Group to undertake due diligence. It can come from ownership groups and investment firms that control the purse strings and who themselves are sensitive to public criticism (as our open letter and the other campaigns described above may demonstrate). It can come from legal action in cases in which local laws are violated, as in the targeting of US citizens we discovered in the Mexico NSO Group case (which would be a violation of the U.S. criminal code).  

However, all the above depends in the first instance on patient, evidence-based research of the sort we are undertaking in collaboration with our Mexican partners.

Read the full report here: https://citizenlab.ca/2017/08/nso-spyware-mexico-corruption/

Yet More Evidence of Gross Misuse of NSO Group Spyware In Mexico

The Citizen Lab’s investigation into the abuse of commercial spyware in Mexico continues with yet more troubling findings. Today, we are releasing a new report that affirms two additional individuals’ phones were targeted with Israeli-based NSO Group’s sophisticated Pegasus spyware technology.  

As in some of the prior cases we researched, the individuals in question — Karla Micheel Salas and David Peña — are lawyers representing family members of individuals involved in horrific targeted killings.  Specifically, this case concerns the torture and murder in July 2015 of Nadia Vera and Rubén Espinosa, an activist and journalist respectively, alongside three of their acquaintances.  There were also reports of sexual assault and torture against some of the victims prior to the murders.

Vera and Espinosa had been critical of the then governor of the Mexican state of Veracruz, Javier Duarte, and had received numerous threats in the course of their work. Under Duarte’s reign as governor, Veracruz became the most dangerous place in Mexico for journalists, with 17 killed during his term. Facing numerous and ongoing threats, Vera and Espinosa fled Veracruz to Mexico City, hoping the distance would protect them. Unfortunately, they (along with three people present at the scene: Yesenia Quiroz Alfaro, Mile Virginia Martin, and Alejandra Negrete) were brutally murdered.

Protests followed the Mexico City Attorney General’s investigation into the murder, which was widely perceived as inadequate.  The families of the slain individuals contracted Salas and Peña to push for an investigation.  In September and October 2015, Salas and Peña received text messages containing what we confirmed were links to the NSO Group’s exploit infrastructure which, if clicked on, would have silently infected their phones, allowing the operators to surreptitiously track their movements, phone calls, emails, and SMS’s, as well as record their voices and take pictures. (Watch Citizen Lab’s John Scott-Railton describe how NSO’s spyware works in this video).

While part of the story of these cases concerns the brutal environment for journalists in Mexico, the other part concerns the gross abuse of highly sophisticated surveillance technologies sold by companies like NSO Group.

In spite of the fact that Mexico was widely known to be a country struggling with corruption and abuse, and in spite of the well-known targeting of journalists, advocacy groups, lawyers and others using extrajudicial means, NSO Group went ahead and sold its technology to the Mexican government.  Clearly, there is a serious control problem around commercial spyware that needs to be urgently addressed lest such cases continue to mount.  Indeed, as we outline in our latest report, investigative reporting in the context of Panama has revealed that the former president of Panama, Ricardo Martinelli, used $13.5 million worth of NSO Group services to illegally spy on more than 150 opponents, including several U.S. citizens in the U.S. Embassy and in the United States proper.  Panama authorities are seeking to extradite Martinelli from the United States, where he fled from these charges.

One way to prevent such abuses is to encourage ownership groups to exercise greater due diligence over companies like NSO Group.  Over the last several weeks, it has been reported that the US-based investment firm Blackstone Group is exploring partial acquisition of the NSO Group.  Last week, Citizen Lab wrote to Blackstone Group with a detailed list of questions they should consider prior to the sale, as well as others concerning corporate social responsibility measures they should adopt, should the purchase go through. We hope these questions serve as a baseline for an industry that has yet to develop the type of mature due diligence practices as found in mining, oil, textiles, and other industries (however flawed those may still be).

Meanwhile, we fully expect to find more cases of the abuse of NSO Group technology, not just in Mexico but in other jurisdictions, where corrupt public officials with access to their spyware illegitimately turn it on those who present obstacles to their unscrupulous aims.

As before, the Citizen Lab’s research into Mexican surveillance has been led by senior researcher John Scott-Railton, working in close consultation with our partners in Mexico, R3D, SocialTic, and Article 19.

Read the report here: https://citizenlab.ca/2017/08/lawyers-murdered-women-nso-group/

 

Letter to Blackstone Group Regarding Possible Acquisition of NSO Group

For the last year, Citizen Lab has written five separate reports that document extensive abuse of, and lack of controls around the use of spyware manufactured by the Israeli cyber warfare company, NSO Group.   

These reports are part of a larger interest we have at the Citizen Lab in the lack of controls around the spyware market, from weak or nonexistent export controls of countries in which spyware companies are headquartered, to opaqueness around the market for cyber security, to an absence of due diligence on the part of companies themselves to know their clients.

A growing number of our reports has shown how the products and services of this largely unregulated market end up facilitating abuses in which journalists, human rights defenders, and others end up being targeted by powerful software ostensibly limited to governments to fight terrorists and investigate crime.

In a previous publication, my colleague Sarah McKune and I outlined a checklist of measures that could be taken to reign in the abuse of commercial spyware.  As part of that more comprehensive approach, we have suggested that the industry should be encouraged to adopt “voluntary yet genuine accountability frameworks and human rights-oriented policies and practices.”

To that end, we are today sending a letter to the Blackstone Group, an American private equity, asset management, and financial services firm in the process of considering acquiring a large stake in the NSO Group.  

Should Blackstone Group’s acquisition of NSO Group proceed, we hope our letter will encourage them to exercise stronger due diligence over NSO Group’s sales, and help ensure that the company itself better manages the end-uses of its products.

Read the letter here: https://citizenlab.ca/2017/07/open-letter-to-blackstone-possible-nso-acquisition/

PDF here: https://citizenlab.ca/wp-content/uploads/2017/07/Blackstone_open_letter_NSO_group_citizen_lab.pdf

 

International Investigation Into Mexican Mass Disappearance Under Surveillance

The Mexican surveillance scandal in which the Citizen Lab is involved now widens substantially.

Our latest report confirms that a phone belonging to an international group of experts from several countries assembled by the Inter-American Commission on Human Rights (known as the GIEI), charged with investigating the 2014 Iguala Mass Disappearance, was targeted with infection attempts using spyware developed by the NSO group, an Israeli “cyber warfare” company.

The infection attempts we documented took place in early March 2016, shortly before the publication of GIEI’s final report on their investigation.

For those who do not know, the 2014 Iguala Mass Disappearance refers to a horrific episode in which 43 students from the Ayotzinapa Rural Teachers’ College were disappeared while travelling to Mexico City to participate in an event commemorating yet another tragic episode in Mexico, the Tlatelolco Massacre. The Mexican government’s inadequate response to the mass disappearance, and suspicions that Mexican government agencies themselves were implicated, led to calls for the creation of the independent international investigation.

While carrying out their investigations, the GIEI experts faced numerous threats and harassment, and eventually a public falling-out with the Mexican attorney general’s office. Just prior to the release of their public report in March 2016, we determined that a phone belonging to the investigators was targeted with SMS messages containing links to NSO Group exploit infrastructure.

While we cannot definitively attribute the targeting we discovered to a particular Mexican government agency or individual, it is highly significant that leaked documents show numerous Mexican government agencies, including the Mexican attorney general’s office itself, purchased NSO Group spyware.

This latest report of ours adds to the growing number of cases clearly showing the abuse of commercial spyware in the context of Mexico.   So far we have positively determined that technology sold by an Israeli-based company ostensibly restricted to governments for anti-terror, criminal, and national security investigations has been used instead to target health scientists and anti-obesity activists, anti-corruption NGOs, journalists (and their family), opposition politicians, and now members of an independent international inquiry into the massacre of 43 students.

These findings will undoubtedly deepen the surveillance crisis in Mexico.  But what’s going on in that country is symptomatic of a much wider global problem. Surveillance companies are making millions selling their products to governments that lack oversight and public accountability who are then turning these powerful and highly invasive tools on civil society to further their corrupt aims.

Addressing this problem will require a comprehensive policy response across multiple domains, from the domestic to the international.  My colleague Sarah McKune and I have outlined recommendations to bring more accountability to the commercial spyware trade in the form of a checklist, which can be found here.  We hope our documentation of cases of abuse such as these will inspire such comprehensive responses.

We are grateful for the cooperation of the GIEI experts, and our Mexican colleagues, R3D, SocialTic, and Article19, without whom this investigation could not be undertaken.

Read the full report here: https://citizenlab.org/2017/07/mexico-disappearances-nso/

More Than Meets the Eye

Every day we hear warnings not to open attachments, click on links, or enter our credentials into websites that do not look trustworthy.  But what if they do look legit?  How do we tell?

Our latest report shows not only the lengths to which an espionage operation will go to fool users, but it also provides a good example of how difficult it may be for the average user to discern one from the other.

Authored by the Citizen Lab’s Jakub Dalek, Geoffrey Alexander, Masashi Crete-Nishihata, and Matt Brooks, our report, entitled “Insider Information: An intrusion campaign targeting Chinese language news sites,” details a campaign of reconnaissance, phishing, and targeted malware at the heart of which are carefully-crafted mimics of several prominent Chinese-language news websites.

Our investigation began when staff members of China Digital Times — a popular China-focused news portal founded by UC-Berkeley professor and prominent human rights activist Xiao Qiang — began receiving unsolicited emails with promises of controversial material.  The emails contained a link to what appears to be the legit China Digital Times website. However, it is not.  The operators behind this campaign had copied the entire website and then hosted it on a slightly altered domain.  Instead of “chinadigitaltimes.net” the operators used the domain “chinadagitaltimes.net.”

Can you spot the difference?  

If you noticed the substitution of “a” for “i” in the word digital, you are correct!

Other than the misspelled domain, the legitimate and fake news websites are identical, with one additional key difference: the operators also coded a few lines of javascript into the fake news domain that trigger a popup window asking the visitor to enter in their email and password into a fake WordPress login page.  Had the targets done so, they would have then been redirected back to the legitimate China Digital Times website, oblivious to the fact that their credentials to administer the website were successfully stolen by the operators, allowing them to effectively manage and edit the legitimate website itself.

By analyzing the server used to host the fake website, Citizen Lab researchers were also able to identify several other fake websites that used content from Chinese language news websites that the operators had also mimicked, presumably for phishing.  We also found that some of the servers controlled by the operators were used to stage malware.

It is noteworthy that all of the fake websites our researchers discovered in this campaign are meant to mimic news websites that publish content critical of the Chinese government.  It is possible the operators behind this campaign are “hackers for hire” — typical of the way in which a lot of cyber espionage is outsourced in China.  However, we are unable to positively attribute this campaign to a specific state agency.

I expect we will see more cases such as these in which legitimate news sites are doctored and manipulated to push disinformation or facilitate cyber espionage.  With each of us bombarded with data from social media on a daily basis, discerning “fake” from “real” or “malicious” from “benign” will become more ever more challenging and time-consuming. Cases such as these illustrate the importance of educating users, especially those working in high-risk areas such as investigative journalism, about the importance of integrating information security and digital hygiene into their daily routines.

One final note in this regard: hats go off to China Digital Times staff not only for spotting the malicious emails but also for sharing them with Citizen Lab for further analysis, which led to the discovery of the wider campaign.  Cooperation of this sort is essential for research to progress, and for journalists and the entire human rights community to be aware of the type of threats they mutually face.

Mexico Wages Cyber Warfare Against Journalists, and their minor children

For years, Citizen Lab has been sounding alarms about the abuse of commercial spyware. We have produced extensive evidence showing how surveillance technology, allegedly restricted to government agencies for criminal, terrorism, and national security investigations, ends up being deployed against civil society.

Today’s report not only adds to the mountain of such evidence, it details perhaps the most flagrant and disturbing example of the abuse of commercial spyware we have yet encountered.

Working with Mexican civil society partners R3D, Social Tic, and Article 19, our team — led by John Scott Railton — identified more than 75 SMS messages sent to the phones of 12 individuals, most of whom are journalists, lawyers, and human rights defenders. 10 are Mexican, one was a minor child at the time of targeting, and one is a US citizen.

These SMS messages contained links to the exploit infrastructure of a secretive Israeli cyber warfare company, NSO Group.  Had they been clicked on, the links would activate exploits of what were, at the time, undisclosed software vulnerabilities in the targets’ Android or iPhone devices.  Known in NSO Group’s marketing as “Pegasus”, this exploit infrastructure allows operators to surreptitiously monitor every aspect of a target’s device: turn on the camera, capture ambient sounds, intercept or spoof emails and text messages, circumvent end-to-end encryption, and track movements.

We first encountered NSO Group in August 2016 when UAE human rights defender Ahmed Mansoor shared with Citizen Lab researchers suspicious SMS messages he received containing links to NSO infrastructure. When we published our report on Mansoor, we had some evidence of targeting in Mexico that subsequently led to a follow-up report earlier this year on the use of NSO’s surveillance technology to target Mexican health advocates and food scientists.

The targeting we outline in our latest report, which runs from January 2015 to August 2016, involves a much wider campaign. It includes 12 individuals who share a common trait:  investigations into Mexican government corruption, forced disappearances, or other human rights abuses. All of the individuals who cooperated in our research consented to be named in the report. The August 2016 endpoint coincides with the time of our disclosure to Apple about NSO’s exploits, which led to the shutdown of NSO’s infrastructure (or at least that particular phase of it).  

Among the noteworthy aspects of this latest case are the persistent and brazen attempts by the operators to trick recipients into clicking on links.  Each of the targets received a barrage of SMS messages that included crude sexual taunts, alleged pictures of inappropriate, threatening, or suspicious behavior, and other ruses.  Many received fake AMBER Alert notices about child abductions as well as fake communications from the US Embassy in Mexico.

What is most disturbing is that the minor child of one of the targets — Emilio Aristegui, son of journalist Carmen Aristegui — received at least 22 SMS messages from the operators while he was attending school in the United States.  Presumably these attempts to infect Emilio’s phone were intended as a backdoor to his mother’s phone. But it is also possible the operators had a more sinister motivation.  The attempts to infect both Carmen and Emilio took place at the same time Carmen Aristegui was investigating a major corruption scandal involving the President of Mexico.

Our report makes it clear that the NSO Group, like competitor companies Hacking Team and FinFisher, is unable or unwilling to control the abuse of its products.  Time and again, companies like these, when presented with evidence of abuse, effectively pass the buck, claiming that they only sell to “government agencies” to use their products for criminal, counterintelligence, or anti-terrorism purposes.  The problem is that many of those government clients are corrupt and lack proper oversight; what constitutes a “crime” for officials and powerful elites can include any activity that challenges their position of power — especially investigative journalism.

Mexico is a case in point.  Ranked by the Economist’s Intelligence Unit as a “flawed democracy”, Mexico’s government agencies are riven with corruption.  Mexico is one of the most dangerous places to be a journalist not only because of violence related to the drug cartels but also because of threats from government officials.   As Reporters Without Borders notes, “[w]hen journalists cover subjects linked to organized crime or political corruption (especially at the local level), they immediately become targets and are often executed in cold blood.”

In spite of these glaring insecurity and accountability issues, the NSO Group went ahead and sold its products to multiple Mexican government agencies, according to leaked documents reported on in the New York Times.  Other leaked documents show that Mexico was at one time another commercial spyware company’s (Hacking Team) largest single country client.  Should it come as any surprise that these powerful surveillance technologies would end up being deployed against those who aim to expose corrupt Mexican officials?

What is to be done about these abuses? In a recent publication, Citizen Lab senior researcher Sarah McKune and I outlined a “checklist of measures” that could be taken to hold the commercial spyware market accountable, including application of relevant criminal law. It is noteworthy in this regard that while in the United States, the minor child Emilio Arestigui received SMS messages purporting to be from the US Embassy.  Impersonating the US Government is a violation of the US Criminal Code, and the targeting may very well constitute a violation of the US Wiretap Act.  At the very least, it is a violation of diplomatic norms.  How will the United States Government respond?

NSO Group is an Israeli company, and thus subject to Israeli law.  In the past, Israel has prided itself on strict export controls around commercial surveillance technology.  Yet this latest example shows yet again the ineffectiveness of those controls.  Will Israeli lawmakers tighten regulations around NSO Group in response?

Among the checklist of measures McKune and I identified is the importance of evidence-based research on the commercial spyware market to help track abuses and raise awareness.  It is important to underline that the work undertaken in this report could not have been done without the close collaboration between Citizen Lab researchers and Mexican civil society groups, R3D, SocialTic, and Article 19.   Collaborations like these are essential to exposing the negative externalities of the commercial spyware market, documenting its harms, and shedding light on abuse.

I suspect it will not be the last collaboration of this sort.

Read the full report, “Reckless Exploit: Journalists, Lawyers, Children Targeted in Mexico with NSO Spyware,” authored by John Scott-Railton, Bill Marczak, Bahr Abdulrazzak, Masashi Crete-Nishihata, and me, here: https://citizenlab.org/2017/06/reckless-exploit-mexico-nso

 

From Russia, with Tainted Love

I am pleased to announce a new Citizen Lab report, entitled “Tainted Leaks: Disinformation and Phishing With a Russian Nexus.” The report is authored by the Citizen Lab’s Adam Hulcoop, John Scott-Railton, Peter Tanchak, Matt Brooks, and myself, and can be found here.

Our report uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. Those targets include a large list of high profile individuals from at least 39 countries (including members of 28 governments), as well as the United Nations and NATO. Although there are many government, military, and industry targets, our report provides further evidence of the often-overlooked targeting of civil society in cyber espionage campaigns.  Civil society — including journalists, academics, opposition figures, and activists — comprise the second largest group (21%) of targets, after government.

Other notable targets include:

  • A former Russian prime minister
  • A former U.S. Deputy Under Secretary of Defense and a former senior director of the U.S. National Security Council
  • The Austrian ambassador to a Nordic country and the former ambassador to Canada for a Eurasian country
  • Senior members of the oil, gas, mining, and finance industries of the former Soviet states
  • United Nations officials
  • Military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as NATO officials
  • Politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam

While we have no “smoking gun” that provides definitive proof linking what we discovered to a particular government agency (a common challenge in open source investigations like ours) our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage. This overlap includes technical details associated with the successful breach in 2016 of the email account of John Podesta, the former chairman of Hillary Clinton’s unsuccessful presidential campaign.

As is often the case with Citizen Lab research on targeted threats, our report began with a “patient zero” — in this case, the prominent journalist, David Satter.  Satter is a well-known author on Russian autocracy. He was banned from Russia in 2013 for his investigative reporting on corruption and abuse of power associated with the Putin regime.  In October 2016, Satter’s Gmail account was successfully phished.  Documents stolen from his account then appeared on the website of CyberBerkut, a self-described pro-Russian hacktivist group.   Using the genuine documents obtained with Satter’s consent, our report details the disinformation campaign that was orchestrated around his stolen emails to give the false impression that Satter was part of a CIA-backed plot to discredit Putin and his adversaries and engineer a “colour revolution.”  The disinformation was also aimed at providing a false association between Satter, western NGOs, and prominent Russian opposition figures, most notably the prominent Russian anti-corruption activist, Alexei Navalny.

A very detailed technical analysis of the infrastructure and methods used in the phishing attack on Satter, led by Citizen Lab’s Adam Hulcoop, then allowed us to unravel and ultimately identify a much larger group of over 200 individuals across 39 countries targeted by the same operators.  Not since our Tracking Ghostnet report in 2009 do I recall us discovering such an extensive list of high-profile targets of a single cyber espionage campaign.

Why target civil society? For many powerful elites, a vibrant civil society is the antithesis to their corrupt aims.   In the case of Russia, the motivations behind cyber espionage are as much about securing Putin’s kleptocracy as they are geopolitical competition.  It often matters just as much for the Kremlin to know what critical exposé is going to be published on Putin’s inner circle, or what demonstration is going to be organized in the streets of St. Petersburg, as it does what happens in corporate boardrooms or government headquarters abroad. This means journalists, activists, and opposition figures — both domestically and around the world — bear a large burden of the spying.

Our report also offers a detailed glimpse of the new frontier of digital disinformation.  Tainted leaks, such as those analyzed in our report, present complex challenges to the public.  Fake information scattered amongst genuine materials — “falsehoods in a forest of facts” as Citizen Lab’s John Scott-Railton referred to them —  is very difficult to distinguish and counter, especially when it is presented as a salacious “leak” integrated with what otherwise would be private information.

Russia has a long history of experience with what is known as dezinformatsiya, going back even to Soviet times.  The prospect of a country with its superpower resources engaging in systematic “tainted leak” operations generated with data stolen by affiliated cyber criminal “proxy” groups is daunting.  Even more daunting is the prospect that the model of its success will breed similar campaigns undertaken by other governments.  To the extent it is both cheap and effective, and provides plausible deniability when outsourced to the shady underworld, it will almost certainly inspire other governments to follow suit.

With digital insecurity and data breaches now a pervasive and growing problem, it is highly likely digital disinformation operations are going to become widespread. Indeed, we could be on the cusp of a new era of superpower-enabled, digital disinformation.  The public’s faith in media (which is already very low), and the ability of civil society to do its job effectively, will both invariably suffer as collateral damage.

Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them.  We also hope that in highlighting the large number of civil society members targeted in yet another cyber espionage campaign, the “silent epidemic” can be properly addressed by policymakers, industry, and others.

One final note concerning notification: we chose not to identify targeted or victimized individuals without their consent in order to protect their privacy.  Instead, we have notified the email service provider and relevant Computer Emergency Response Teams.

Report URL: https://citizenlab.org/2017/05/tainted-leaks-disinformation-phish/

 

Taming the “Wild West” Commercial Spyware Market

Today, my colleague Sarah McKune and I co-authored an article, entitled “Who’s Watching Little Brother? A Checklist for Accountability in the Industry Behind Government Hacking.”  A blog post about the report can be found here, and the article is available in PDF here.

The report outlines a “checklist” for regulating the commercial spyware market.  As we have reported on numerous occasions as part of Citizen Lab’s research, there is ample evidence of growing abuses surrounding the commercial spyware market. In spite of the pledges made by some in the industry — that self-regulation works, that they are just following “local laws” — we have shown how companies like Finfisher, Hacking Team, and NSO Group supply their products and services to governments that use them to target journalists, human rights defenders, and even anti-obesity activists. We have tracked the proliferation of some of these services to some of the world’s most autocratic regimes.  It is obvious that these abuses are going to grow unless something is done to mitigate these trends.

Unfortunately, debate until now about what to do about these abuses has revolved in binary form around either export controls or an unregulated wild west.  In our article, we develop instead a checklist for a “web of constraints” around the industry that involves multiple strategies and different mechanisms, including application of existing laws.  We hope that these checklist provides a helpful roadmap for policymakers and others who want to do something about the excesses of this industry and we look forward to feedback.

Read the article here: https://citizenlab.org/wp-content/uploads/2017/03/citizenlab_whos-watching-little-brother.pdf [PDF]

 

 

Mexico, NSO Group, and the Soda Tax

I am pleased to announce a new Citizen Lab report, entitled “Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links,” authored by John Scott-Railton, Bill Marczak, Claudio Guarnieri, and Masashi Crete-Nishihata.

The full report is here:  https://citizenlab.org/2017/02/bittersweet-nso-mexico-spyware/

New York Times has an exclusive here: https://www.nytimes.com/2017/02/11/technology/hack-mexico-soda-tax-advocates.html

In recent years, the research of the Citizen Lab and others has revealed numerous disturbing cases involving the abuse of commercial spyware: sophisticated products and services ostensibly restricted in their sales to government clients and used solely for legitimate law enforcement.

Contrary to what companies like Hacking Team, Gamma Group, NSO Group and others claim about proper industry self regulation, we have repeatedly uncovered examples where governments have used these powerfully invasive tools to target human rights defenders, journalists, and legitimate political opposition.

To this list, we can now add research scientists and health advocates.

The “Bitter Sweet” case has its origins in a prior Citizen Lab investigation — our Million Dollar Dissident report, in which we found that a UAE-based human rights defender, Ahmed Mansoor, was targeted by UAE authorities using the sophisticated “Pegasus” spyware suite, sold by Israeli cyber warfare company, NSO Group.

As part of that report, we published technical indicators — essentially digital signatures associated with the NSO Group’s infrastructure and operations — and encouraged others to use them to find evidence of more targeting.  When we published our report in August 2016, we knew there was at least one Mexican targeted — a journalist — and so suspected there might be some targeting there.

Shortly after the publication of our report, Citizen Lab was contacted by Access Now, which had received a request for assistance on its digital helpline from two Mexican NGOs working on digital rights and security, R3D and SocialTIC.  Together, we worked to track down suspicious messages received by Mexicans, which led us to the Bitter Sweet case.

The title of our report refers to the fact that all of those whom we found targeted in this campaign were involved in a very high-profile “soda tax” campaign in Mexico. A soda tax is part of an anti obesity effort to add taxes to lower consumption of sugary drinks and sodas.  Although many in Mexico are behind the campaign, some in the beverage industry and their stakeholders are obviously not.

In the midst of controversy around the soda tax campaign, at least three prominent research scientists and health advocates received similar (in some cases, identical) suspicious SMS messages that included telltale signs of NSO Group’s attack infrastructure. Had any of them clicked on the links, their iPhones would have been silently compromised, allowing the perpetrators to listen in on their calls, read their emails and messages, turn on their camera, and track their movements — all without their knowledge.

What is most remarkable about the targeting are the steps the perpetrators took to try to trick the scientists and advocates to click on the links.  For example, one of the targets, Dr. Simon Barquera, a well respected researcher at the Mexican Government’s Instituto Nacional de Salud Pública, received a series of increasingly inflammatory messages.  The first SMSs concerned fake legal cases in which the scientist was supposedly involved.  Those following got more personal: a funeral, allegations his wife was having an affair (with links to alleged photos), and then, most shocking, that his daughter, who was named in the SMS, had been in an accident, was in grave condition, and that Dr. Barquera should click a link to see which hospital emergency room into which she was admitted.

While we can’t attribute this campaign to a particular company or government agency, it is obvious those behind the targeting have a stake in getting rid of the soda tax, and that points to the beverage industry and their investors and backers in the Mexican government. It is important to point out that Mexico is on record purchasing NSO Group’s services and NSO Group itself asserts it only sells to legitimate government representatives.  But clearly the NSO’s “lawful intercept” services are not being used in Mexico to fight crime or hunt terrorists, unless those who are advocating against obesity are considered criminal terrorists. We feel strongly that both the Mexican and the Israeli governments (the latter approves exports of NSO products) undertake urgent investigations.

Finally, our report shows the value of careful documentation of suspicious incidents, and ongoing engagement between researchers, civil society organizations, and those who are targeted by malicious actors who wish to do harm.  The epidemic of targeted digital attacks facing civil society will require an all-of-society defence.  The cooperation shown on this investigation by Citizen Lab researchers, Access, R3D, and SocialTIC is a model of how it can be done.

The Easy and Affordable Way to Undertake Cyber Espionage

I am pleased to announce a new Citizen Lab report, entitled “Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society,” authored by the Citizen Lab’s John Scott-Railton, Bill Marczak, and Etienne Maynier, in collaboration with Ramy Raoof of the Egyptian Initiative for Personal Rights.

The full report is here:  https://citizenlab.org/2017/02/nilephish-report/

When most of us think of state cyber espionage, what likely comes to mind are extraordinary technological capabilities: rare un-patched software vulnerabilities discovered by teams of highly skilled operators, or services purchased for millions from shadowy “cyber warfare” companies.  To be sure, some cyber espionage fits this description, as any perusal through the Snowden disclosures or our recent “Million Dollar Dissident” report will show. But not all of them do.  More often than not, cyber espionage can be surprisingly low-tech and inexpensive, and yet no less effective, than the glitzy stereotypes.

The Egyptian “Nile Phish” campaign is a case in point.

An authoritarian country racked with domestic insecurity and political turmoil, the Egyptian government has mounted a growing crackdown on civil society.  Part of that crackdown involves investigations of alleged “foreign funding” of Egyptian NGOs — known within Egypt as “Case 173.”

Beginning in November 2016, Egyptian NGOs and their staff under Case 173 investigation simultaneously began receiving identical, legitimate looking emails in their inboxes.  Fortunately, technical staff at one such NGO, the Egyptian Initiative for Personal Rights, suspected something wasn’t right, and reached out to us at the Citizen Lab for further investigation.

With EIPR’s assistance, we began analyzing the suspicious emails and discretely contacting other Egyptian organizations and individuals who received them.  What we discovered was an elaborate, coordinated, and multi-phased “phishing” campaign in which legitimate looking emails are sent to unsuspecting users in an attempt to trick them into entering their passwords into fraudulent websites controlled by the operators.

If this type of activity sounds familiar, it is because phishing is widely used as a tactic in the world of everyday cyber crime.  Just yesterday, I received a warning from the University of Toronto’s IT support unit about a malicious email sent to faculty and staff with a notice about a non-existent “Campus Security Notification.”  It may also sound familiar because it was precisely this type of phishing tactic that Russian hackers used to compromise the gmail account of the chairman of the 2016 Hillary Clinton campaign, John Podesta (illustrating the principle that even Great Powers sometimes pick cheap seats as long as it gets them where they want to go).

In the case of #NilePhish, Egyptian NGOs and individuals received emails with an invitation to attend a workshop about Case 173.  The operators used language from a real NGO statement that had been circulating among the community, and included as co-sponsors some of the very NGOs that were targeted.  A second wave of phishing emails included what purported to be a list of individuals subject to a travel ban under Case 173 (who among Egyptian civil society wouldn’t be tempted to check if they were included on that list?).  Alongside these carefully crafted emails — and seemingly just to mix things up — generic phishing attempts were sent with email security or fake courier delivery notifications.

Led by John Scott Railton, our team analyzed the emails and the server infrastructure in detail.  Dozens of fake but legitimate sounding domains were used by the operators to host websites that appeared to be Dropbox login pages or Gmail “failed login” warning messages.  Emails were sent from addresses like fedex_tracking[@]outlook.sa and dropbox.notfication[@]gmail.com.

Because of mistakes made on the part of the attackers, and our team’s use of multiple data sources and methods that are outlined in the report, we were able to eventually link more than 90 messages sent to seven NGOs and individuals as part of a single concerted campaign.  While we were unable to definitively attribute the campaign to an Egyptian government agency, strong circumstantial evidence exists that support it.  For example, we observed phishing against the colleagues of the Egyptian lawyer Azza Soliman, within hours of her arrest in December 2016. The phishing claimed to be a copy of her arrest warrant.  It is highly unlikely a random cyber criminal would be privy to such details, but quite likely someone connected to her arrest is.

Phishing may be an example of “poor man’s” cyber espionage, but the reason it’s used by everyone from Ukrainian securities fraudsters to Russian hackers to para-state groups is because it works.   From a government perspective, why bother with expensive wire transfers, complicated end user license agreements, third party resellers, and export controls, when a handful of cleverly constructed emails and websites will do the job?

The flip side is that there are cheap and easy ways to defend against phishing: users can be educated not to click on links or open emails that look legitimate and to spot giveaways of their malicious nature; tech companies can put in place two-factor authentication for access to their services by default; and NGOs can employ dedicated technologists who can manage their networks and alert their staff to the latest alerts.

Fortunately for Egyptian civil society, EIPR is just such an organization.

#NilePhish is ongoing, and we strongly suspect that there may be other targets of this campaign we have not yet identified.  We hope that the detailed indicators we are publishing can be used by systems administrators and others to find more evidence of targeting and alert potential victims.

Read the full report here: https://citizenlab.org/2017/02/nilephish-report/

Read EIPR’s report on #NilePhish in Arabic: http://eipr.org/nilephish