You Should Not Trust The Media

In December 2013, a journalist named Andrew Dwight emailed Rori Donaghy, a journalist with Middle East Eye and a founder of the Emirates Center for Human Rights, which focuses on abuses in the United Arab Emirates.

“I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient,” Dwight wrote, explaining that he was working on a book about his experiences from the Middle East. “My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work.”

The email concluded with a link to an article Dwight wanted to discuss. Donaghy clicked on it, but it wasn’t an innocent connection to a webpage. The link was instead one piece of an elaborate Internet infrastructure set up to profile visiting computers for exploitable vulnerabilities, allowing the hackers to later target them with so-called spyware: software that can be used to monitor a computer and its users.

The email from Dwight was a ruse; one piece of a larger campaign that researchers say went after activists and opposition figures online. In fact, Dwight never existed. He was a persona created to win Donaghy’s trust and get him to click on links that surveyed his computer.

Dwight’s creators — hackers likely working on behalf of the UAE government, according to the University of Toronto’s Citizen Lab — made him a journalist for a reason: It’s a remarkably effective tool for spreading spyware. Around the world, authoritarian governments are increasingly using a basic tool of journalism — unsolicited emails to a source or expert — against their opponents by hiding that kind of malware in emails purportedly coming from both real reporters and fake ones like Dwight.

The Citizen Lab, a research group that has done groundbreaking work on digital surveillance, has documented hacking campaigns tied to the governments of the UAE, Iran, Bahrain, and Latin America’s left-leaning dictators in which their spies have posed as reporters in emails and phone calls in order to convince dissidents to click on links and open documents containing spyware.

The tactic provides an easy ruse for government sleuths. Security experts will tell you to be suspicious of unsolicited emails, but writing an unsolicited email is a basic aspect of reporting. Journalists will write to activists and experts they have never met, seeking interviews and expertise. It is an infinitely adaptable cover story, and the autocrats and monarchs of the world are catching on.

In a report released recently, the Citizen Lab documents how a UAE hacking group active from 2012 until the present tried to infect the computers of Emirati journalists, activists, and dissidents with spyware via Dwight’s fake persona and other methods.

The Citizen Lab is careful to note that it can’t definitively prove that the hackers, who targeted more than two dozen individuals besides Donaghy, worked on behalf of the UAE, but it lays out compelling circumstantial evidence that the country sponsored the attackers.

The hacking group, dubbed “Stealth Falcon,” displayed a level of operational security consistent with a state-sponsored group. Of 27 Twitter accounts targeted by the group, “24 primarily engaged in political activities, or were otherwise critical of the UAE government,” the Citizen Lab found. The group consistently displayed a high level of knowledge about its targets and used that information to write intricate spear-phishing emails. Moreover, the Citizen Lab observed a Twitter account tweet a link associated with Stealth Falcon while that account was likely under government control.

Bill Marczak, a senior research fellow at the Citizen Lab and the lead author on the UAE report, called the impersonation of journalists “very effective” for government surveillance campaigns. Sharing links and documents is fundamental to the work of journalists and civil society workers. “This is something that’s natural to how you are interacting online,” he told this reporter, who had himself sent Marczak an unsolicited email seeking to set up an interview.

The Emirati Embassy in Washington didn’t return a request for comment on the report.

Other journalists have also found themselves targeted by hackers posing as reporters. In August 2015, Jillian York, the director of international freedom of expression at the Electronic Frontier Foundation, woke up to a call from a man posing as a Reuters journalist. That man told York that he would soon be sending her some materials that he wanted to discuss and checked that he had the right email address for her.

That phone call was the first step in a sophisticated campaign to steal Google credentials for members of the Iranian diaspora that the Citizen Lab traced to Iranian hackers. York was targeted likely as a result of her work with Iranian activist groups.

The fake Reuters reporter likely hoped that he could establish his credibility with a phone call and then trick York into providing her Google username and password. Shortly after the call, the fake reporter sent her an email with what looked like a PDF hosted by Google. Had she clicked on the link, York would have been taken to a spoofed Google login page, and the hackers would have used it to steal her username and password.
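The credential-phishing lure described above works because the link that appears to lead to a Google-hosted document actually resolves to a host the attacker controls. The following added example (written for this page; it is not code from the original article, from Citizen Lab, or from any of the campaigns it describes) shows one check a mail-security tool or a cautious recipient can run before clicking: extract every link from an HTML message, compare the domain shown in the link text with the domain the `href` really points at, and flag a trusted brand name that appears only as a subdomain of some other registrable domain. The sample message body is constructed for illustration and is not the email York received; `registrable_domain` uses a deliberately crude last-two-labels rule, which a production version should replace with a Public Suffix List lookup.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample HTML body modelled on the lure in the text: a link whose
# visible text looks like a Google Drive URL but whose href goes elsewhere.
SAMPLE_EMAIL_HTML = """
<p>As discussed on the phone, here is the document:</p>
<p><a href="https://drive-google.com.example-login.net/doc/view?id=17">https://drive.google.com/file/d/17/view</a></p>
<p>And the article I mentioned: <a href="https://www.reuters.com/article/123">Reuters piece</a></p>
"""

# Brand names whose appearance in a hostname is worth scrutinising (assumption for the example).
WATCHED_BRANDS = ("google", "reuters")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Crude eTLD+1 approximation: the last two DNS labels of the host."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def suspicious_links(html):
    """Return [(href, [reasons])] for links whose shown and real destinations disagree."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        real = registrable_domain(host)
        reasons = []
        # 1. Link text is itself a URL: its domain must match the href's domain.
        shown = re.match(r"https?://([^/\s]+)", text)
        if shown and registrable_domain(shown.group(1)) != real:
            reasons.append(
                f"link text shows {registrable_domain(shown.group(1))} but href goes to {real}"
            )
        # 2. A watched brand appears in the hostname but not in the registrable domain,
        #    e.g. drive-google.com.example-login.net.
        for brand in WATCHED_BRANDS:
            if brand in host and brand not in real:
                reasons.append(f"'{brand}' appears only as a subdomain of {real}")
        if reasons:
            findings.append((href, reasons))
    return findings


if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL_HTML):
        print(href)
        for r in reasons:
            print("  -", r)
```

Run against the constructed sample, the first link is flagged on both counts and the genuine Reuters link is not. The same comparison is what a recipient does by hand when hovering over a link before clicking; the point of automating it is that the mismatch is mechanical and visible even when the surrounding pretext is convincing.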

But hackers aren’t just creating fake journalist personas to spread spyware; they also impersonate real ones. In 2012, hackers working in Bahrain impersonated Al Jazeera journalist Melissa Chan to send activists emails laced with malware that would have allowed the attackers to take over their computers. It is unclear, Marczak said, whether the email purporting to come from Chan infected any activists’ computers.

In a seven-year hacking campaign in Latin America that the Citizen Lab named “Packrat,” hackers went a step further: creating fake news outlets complete with fake articles to bolster their perceived credibility.

That hacking campaign succeeded in installing spyware on the phone of Alberto Nisman, the principal investigator of the 1994 bombing of a Jewish community center in Buenos Aires. He was found dead in his home just hours before he was set to deliver a report on allegations that then-President Cristina Fernández de Kirchner had sought to cover up Iran’s role in the attack.

In China, researchers have observed a strikingly similar pattern of impersonation in the government’s treatment of Tibetan activists. “We tracked a series of emails designed to trick Tibetan journalists into entering their Google credentials into a phishing page,” said Masashi Crete-Nishihata, the Citizen Lab’s research manager. “One of the messages was made to appear as if it came from the press secretary of the Central Tibetan Administration.”

Just as the Internet has enabled a freer flow of information between journalists and their sources, it has also enabled far greater government surveillance. “This is the flip side of the Internet’s ability to mobilize resources,” said John Scott-Railton, a senior researcher at the Citizen Lab.

But the impersonation of reporters by hackers working on behalf of governments is not limited to authoritarian regimes. In 2007, police in Washington State were trying and failing to identify the source of emailed bomb threats against a local high school when the FBI settled on a novel strategy to identify the suspect.

An agent for the bureau posed as an Associated Press reporter and began exchanging emails with the accounts used to send the threats. The agent sent the suspect a link to a fake AP article about him; the link delivered malware designed to reveal his location.

When the suspect clicked on the link, the software downloaded. Two days after clicking it, police arrested a 10th-grader at Timberline High School, the target of the threats.

Foreign Policy: http://ow.ly/6YtW3010z4p
