You Should Not Trust The Media

In December 2013, a journalist named Andrew Dwight emailed Rori Donaghy, a journalist with Middle East Eye and a founder of the Emirates Center for Human Rights, which focuses on abuses in the United Arab Emirates.

“I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient,” Dwight wrote, explaining that he was working on a book about his experiences from the Middle East. “My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work.”

The email concluded with a link to an article Dwight wanted to discuss. Donaghy clicked on it, but it wasn’t an innocent connection to a webpage. That link was instead part of an elaborate Internet infrastructure set up to scan computers for vulnerabilities, allowing hackers to later target them with so-called spyware, software that can be used to monitor a computer and its users.

The email from Dwight was a ruse; one piece of a larger campaign that researchers say went after activists and opposition figures online. In fact, Dwight never existed. He was a persona created to win Donaghy’s trust and get him to click on links that surveyed his computer.

Dwight’s creators — hackers likely working on behalf of the UAE government, according to the University of Toronto’s Citizen Lab — made him a journalist for a reason: It’s a remarkably effective tool for spreading spyware. Around the world, authoritarian governments are increasingly using a basic tool of journalism — unsolicited emails to a source or expert — against their opponents by hiding that kind of malware in emails purportedly coming from both real reporters and fake ones like Dwight.

The Citizen Lab, a research group that has done groundbreaking work on digital surveillance, has documented hacking campaigns tied to the governments of the UAE, Iran, Bahrain, and Latin America’s left-leaning dictators in which their spies have posed as reporters in emails and phone calls in order to convince dissidents to click on links and open documents containing spyware.

The tactic provides an easy ruse for government sleuths. Security experts will tell you to be suspicious of unsolicited emails, but writing an unsolicited email is a basic aspect of reporting. Journalists will write to activists and experts they have never met, seeking interviews and expertise. It is an infinitely adaptable cover story, and the autocrats and monarchs of the world are catching on.

In a report released recently, the Citizen Lab documents how an UAE hacking group active from 2012 until the present tried to infect the computers of Emirati journalists, activists, and dissidents with spyware via Dwight’s fake persona and other methods.

The Citizen Lab is careful to note that it can’t definitively prove that the hackers, which targeted more than two-dozen individuals besides Donaghy, worked on behalf of the UAE, but it lays out compelling circumstantial evidence that the country sponsored the attackers.

The hacking group, dubbed “Stealth Falcon,” displayed a level of operational security consistent with a state-sponsored group. Of 27 Twitter accounts targeted by the group, “24 primarily engaged in political activities, or were otherwise critical of the UAE government,” the Citizen Lab found. The group consistently displayed a high level of knowledge about its targets and used that information to write intricate spearfishing emails. Moreover, the Citizen Lab observed a Twitter account tweet a link associated with Stealth Falcon while that account was likely under government control.

Bill Marczak, a senior research fellow at the Citizen Lab and the lead author on the UAE report, called the impersonation of journalists “very effective” for government surveillance campaigns. Sharing links and documents is fundamental to the work of journalists and civil society workers. “This is something that’s natural to how you are interacting online,” he told this reporter, who had written himself an unsolicited email seeking to set up an interview.

The Emirati Embassy in Washington didn’t return a request for comment on the report.

Other journalists have also found themselves targeted by hackers posing as reporters. In August 2015, Jillian York, the director of international freedom of expression at the Electronic Frontier Foundation, woke up to a call from a man posing as a Reuter’s journalist. That man told York that he would soon be sending her some materials that he wanted to discuss and checked that he had the right address for her.

That phone call was the first step in a sophisticated campaign to steal Google credentials for members of the Iranian diaspora that the Citizen Lab traced to Iranian hackers. York was targeted likely as a result of her work with Iranian activist groups.

The fake Reuters reporters likely hoped that he could establish his credibility with a phone call and then trick York into providing her Google username and password. Shortly after the call, the fake reporter sent her an email with what looked like a PDF hosted by Google. By clicking on the link, York would have been taken to a spoofed Google login page, which the hackers would have used to steal her username and password.

But hackers aren’t just creating fake journalist personas to spread spyware. In 2012, hackers working in Bahrain impersonated Al Jazeera journalist Melissa Chan to send emails to activists laced with malware that allowed them to take over their computers. It is unclear, Marczak said, whether the email from Chan infected the computers of any activists.

In a seven-year hacking campaign in Latin America that the Citizen Lab named “Packrat,” hackers went a step further: creating fake news outlets complete with fake articles to bolster their perceived credibility.

That hacking campaign succeeded in installing spyware on the phone of Alberto Nisman, the principal investigator of the 1994 bombing of a Jewish community center in Buenos Aires. He was found dead in his home just hours before he was set to deliver a report on allegations that then-President Cristina Fernández de Kirchner had sought to cover up Iran’s role in the attack.

In China, researchers have observed what is now a strikingly similar pattern of obfuscation in the government’s treatment of Tibetan activists. “We tracked a series of emails designed to trick Tibetan journalists into entering their Google credentials into a phishing page,” said Masashi Crete-Nishihata, the Citizen Lab’s research manager. “One of the messages was made to appear as if it came from the press secretary of the Central Tibetan Administration.”

Just as the Internet has enabled a freer flow of information between journalists and their sources, it has also enabled far greater government surveillance. “This is the flip side of the Internet’s ability to mobilize resources,” said John Scott-Railton, a senior researcher at the Citizen Lab.

But the impersonation of reporters by hackers working on behalf of governments is not limited to authoritarian regimes. In 2007, police in Washington State were trying and failing to identify the source of emailed bomb threats against a local high school when the FBI settled on a novel strategy to identify the suspect.

An agent for the bureau posed as an Associated Press reporter and began exchanging emails with the accounts used to send the threats. The agent sent the suspect a fake AP article about him that contained malware designed to reveal his location.

When the suspect clicked on the link, the software downloaded. Two days after clicking it, police arrested a 10th-grader at Timberline High School, the target of the threats.

Foreign Policy: http://ow.ly/6YtW3010z4p

« Seven Cyber-Security Myths Debunked
RoboCop Is Real »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

CyberDefenses

CyberDefenses

CyberDefenses services combine best-in-class cybersecurity oversight, managed services and training to help our clients truly address their cybersecurity challenges.

CyTech Services

CyTech Services

CyTech provides unique services and solutions complemented with professional subject matter experts to both the Federal and Commercial sectors.

European Cyber Security Organisation (ECSO)

European Cyber Security Organisation (ECSO)

The main objective of ECSO is to support all types of initiatives or projects that aim to develop, promote and encourage European cybersecurity.

Exida

Exida

Exida is a leading product certification and knowledge company specializing in industrial automation system safety, security, and availability.

SecurityScorecard

SecurityScorecard

SecurityScorecard provides the most accurate security ratings & continuous risk monitoring for vendor and third party risk management.

V-Key

V-Key

V-Key is a global leader in software based digital security, providing solutions for mobile identity, authentication, authorization, and mobile payments for major banks.

Kivu Consulting

Kivu Consulting

Kivu Consulting combines technical and legal expertise to deliver data breach response, investigative, discovery and forensic solutions worldwide.

Slovak Security Policy Institute (SSPI)

Slovak Security Policy Institute (SSPI)

Slovak Security Policy Institute is an independent non-governmental organization that focuses on research and analysis of security challenges including defence and cyber security.

Center for Long-Term Cybersecurity (CLTC)

Center for Long-Term Cybersecurity (CLTC)

The Center for Long-Term Cybersecurity is developing and shaping cybersecurity research and practice based on a long-term vision of the internet and its future.

Jeffer Mangels Butler & Mitchell LLP (JMBM)

Jeffer Mangels Butler & Mitchell LLP (JMBM)

JMBM is a full service law firm providing counseling and litigation services in a wide range of areas including cyber security.

Center for Research on Scientific & Technical Information (CERIST)

Center for Research on Scientific & Technical Information (CERIST)

CERIST is a scientific and technical research centre with activities focused in the area of networks, information systems and IT security.

Absa Cybersecurity Academy

Absa Cybersecurity Academy

Absa Cybersecurity Academy is an initiative aimed at empowering marginalised South African youths to become certified cybersecurity specialists.

Control System Cyber Security Association International (CS2AI)

Control System Cyber Security Association International (CS2AI)

CS2AI is the premier global not for profit workforce development organization supporting professionals of all levels charged with securing control systems.

Unlimited Technology

Unlimited Technology

Unlimited Technology offers a wide range of talent and experience, from assessing your requirements to implementing technologically advanced security solutions to best fit your needs.

Noname Security

Noname Security

Noname Security detects and resolves API vulnerabilities and misconfigurations before they are exploited.

AnzenSage

AnzenSage

AnzenSage is a cybersecurity advisory consultancy specializing in security risk resilience for the food sector: agriculture, food manufacturing, food supply chain, vineyards, and wineries.