You Should Not Trust The Media

In December 2013, a journalist named Andrew Dwight emailed Rori Donaghy, a journalist with Middle East Eye and a founder of the Emirates Center for Human Rights, which focuses on abuses in the United Arab Emirates.

“I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient,” Dwight wrote, explaining that he was working on a book about his experiences from the Middle East. “My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work.”

The email concluded with a link to an article Dwight wanted to discuss. Donaghy clicked on it, but it wasn’t an innocent connection to a webpage. That link was instead part of an elaborate Internet infrastructure set up to scan computers for vulnerabilities, allowing hackers to later target them with so-called spyware, software that can be used to monitor a computer and its users.

The email from Dwight was a ruse; one piece of a larger campaign that researchers say went after activists and opposition figures online. In fact, Dwight never existed. He was a persona created to win Donaghy’s trust and get him to click on links that surveyed his computer.

Dwight’s creators — hackers likely working on behalf of the UAE government, according to the University of Toronto’s Citizen Lab — made him a journalist for a reason: It’s a remarkably effective tool for spreading spyware. Around the world, authoritarian governments are increasingly using a basic tool of journalism — unsolicited emails to a source or expert — against their opponents by hiding that kind of malware in emails purportedly coming from both real reporters and fake ones like Dwight.

The Citizen Lab, a research group that has done groundbreaking work on digital surveillance, has documented hacking campaigns tied to the governments of the UAE, Iran, Bahrain, and Latin America’s left-leaning dictators in which their spies have posed as reporters in emails and phone calls in order to convince dissidents to click on links and open documents containing spyware.

The tactic provides an easy ruse for government sleuths. Security experts will tell you to be suspicious of unsolicited emails, but writing an unsolicited email is a basic aspect of reporting. Journalists will write to activists and experts they have never met, seeking interviews and expertise. It is an infinitely adaptable cover story, and the autocrats and monarchs of the world are catching on.

In a report released recently, the Citizen Lab documents how an UAE hacking group active from 2012 until the present tried to infect the computers of Emirati journalists, activists, and dissidents with spyware via Dwight’s fake persona and other methods.

The Citizen Lab is careful to note that it can’t definitively prove that the hackers, which targeted more than two-dozen individuals besides Donaghy, worked on behalf of the UAE, but it lays out compelling circumstantial evidence that the country sponsored the attackers.

The hacking group, dubbed “Stealth Falcon,” displayed a level of operational security consistent with a state-sponsored group. Of 27 Twitter accounts targeted by the group, “24 primarily engaged in political activities, or were otherwise critical of the UAE government,” the Citizen Lab found. The group consistently displayed a high level of knowledge about its targets and used that information to write intricate spearfishing emails. Moreover, the Citizen Lab observed a Twitter account tweet a link associated with Stealth Falcon while that account was likely under government control.

Bill Marczak, a senior research fellow at the Citizen Lab and the lead author on the UAE report, called the impersonation of journalists “very effective” for government surveillance campaigns. Sharing links and documents is fundamental to the work of journalists and civil society workers. “This is something that’s natural to how you are interacting online,” he told this reporter, who had written himself an unsolicited email seeking to set up an interview.

The Emirati Embassy in Washington didn’t return a request for comment on the report.

Other journalists have also found themselves targeted by hackers posing as reporters. In August 2015, Jillian York, the director of international freedom of expression at the Electronic Frontier Foundation, woke up to a call from a man posing as a Reuter’s journalist. That man told York that he would soon be sending her some materials that he wanted to discuss and checked that he had the right address for her.

That phone call was the first step in a sophisticated campaign to steal Google credentials for members of the Iranian diaspora that the Citizen Lab traced to Iranian hackers. York was targeted likely as a result of her work with Iranian activist groups.

The fake Reuters reporters likely hoped that he could establish his credibility with a phone call and then trick York into providing her Google username and password. Shortly after the call, the fake reporter sent her an email with what looked like a PDF hosted by Google. By clicking on the link, York would have been taken to a spoofed Google login page, which the hackers would have used to steal her username and password.

But hackers aren’t just creating fake journalist personas to spread spyware. In 2012, hackers working in Bahrain impersonated Al Jazeera journalist Melissa Chan to send emails to activists laced with malware that allowed them to take over their computers. It is unclear, Marczak said, whether the email from Chan infected the computers of any activists.

In a seven-year hacking campaign in Latin America that the Citizen Lab named “Packrat,” hackers went a step further: creating fake news outlets complete with fake articles to bolster their perceived credibility.

That hacking campaign succeeded in installing spyware on the phone of Alberto Nisman, the principal investigator of the 1994 bombing of a Jewish community center in Buenos Aires. He was found dead in his home just hours before he was set to deliver a report on allegations that then-President Cristina Fernández de Kirchner had sought to cover up Iran’s role in the attack.

In China, researchers have observed what is now a strikingly similar pattern of obfuscation in the government’s treatment of Tibetan activists. “We tracked a series of emails designed to trick Tibetan journalists into entering their Google credentials into a phishing page,” said Masashi Crete-Nishihata, the Citizen Lab’s research manager. “One of the messages was made to appear as if it came from the press secretary of the Central Tibetan Administration.”

Just as the Internet has enabled a freer flow of information between journalists and their sources, it has also enabled far greater government surveillance. “This is the flip side of the Internet’s ability to mobilize resources,” said John Scott-Railton, a senior researcher at the Citizen Lab.

But the impersonation of reporters by hackers working on behalf of governments is not limited to authoritarian regimes. In 2007, police in Washington State were trying and failing to identify the source of emailed bomb threats against a local high school when the FBI settled on a novel strategy to identify the suspect.

An agent for the bureau posed as an Associated Press reporter and began exchanging emails with the accounts used to send the threats. The agent sent the suspect a fake AP article about him that contained malware designed to reveal his location.

When the suspect clicked on the link, the software downloaded. Two days after clicking it, police arrested a 10th-grader at Timberline High School, the target of the threats.

Foreign Policy: http://ow.ly/6YtW3010z4p

« Seven Cyber-Security Myths Debunked
RoboCop Is Real »

CyberSecurity Jobsite
Perimeter 81

Directory of Suppliers

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

Clayden Law

Clayden Law

Clayden Law advise global businesses that buy and sell technology products and services. We are experts in information technology, data privacy and cybersecurity law.

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

The PC Support Group

The PC Support Group

A partnership with The PC Support Group delivers improved productivity, reduced costs and protects your business through exceptional IT, telecoms and cybersecurity services.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

CERT.GOV.AZ

CERT.GOV.AZ

Azerbaijan Government Computer Incident Response Team

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN)

Cyber Security Experts Association of Nigeria (CSEAN) is a not for profit group of professionals in the field of Information Security in Nigeria and Diaspora.

Executive Women's Forum (EWF)

Executive Women's Forum (EWF)

The Executive Women's Forum is the largest member organization serving emerging leaders and influential female executives in the Information Security, Risk Management and Privacy industries.

Protiviti

Protiviti

Protiviti consulting solutions span critical business problems in technology, business process, analytics, risk, compliance, transactions and internal audit.

SCADAfence

SCADAfence

SCADAfence offers cutting edge cybersecurity solutions designed to ensure the operational continuity of industrial (ICS/SCADA) networks.

ESNC

ESNC

ESNC’s vulnerability management and real-time SAP security monitoring solutions help largest corporations in the world to effectively prioritize SAP security tasks and secure their business.

Sphonic

Sphonic

Sphonic provides regulated institutions of any size a powerful compliance & risk platform to quickly and securely onboard new customers and manage ongoing AML and Fraud & Risk trends.

ubirch

ubirch

The ubirch platform is designed to ensure that IoT data is trustworthy and secure.

Archivo

Archivo

Archivo is a value added reseller focused on Disaster Recovery as a Service (DRaaS), backup, hyper-convergence, hybrid storage and Cyber security.

Gradcracker

Gradcracker

Gradcracker is THE careers website for Science, Technology (including Cybersecurity), Engineering and Maths university students in the UK.

White Hawk Software

White Hawk Software

White Hawk provides code tamper-proofing solutions to protect mission critical software applications from malicious and Zero day attacks and reverse engineering at run time.

Capgemini

Capgemini

Capgemini is one of the world's foremost providers of consulting, technology and outsourcing services. Areas of expertise include Cybersecurity.

JanBask Training

JanBask Training

JanBask Training is a dynamic, highly professional, global online training provider committed to propelling the next generation of technology learners with a whole new way of training experience.

Aardwolf Security

Aardwolf Security

Aardwolf Security specialise in penetration testing to the highest standards set out by OWASP. We ensure complete client satisfaction and aftercare.

VT Group (VTG)

VT Group (VTG)

VTG delivers force modernization and digital transformation solutions that expand America’s competitive advantage in the modern battlespace.

Scalarr

Scalarr

Scalarr is an innovative, next-generation cyber security firm focused on automation and AI to detect and prevent threats in mobile and Edge/IoT infrastructures.