On 3 July 2021, Forensic Architecture, supported by Amnesty International and the Citizen Lab, launched a new interactive online platform that maps for the first time the global spread of the notorious spyware Pegasus, made by the cyber-surveillance company NSO Group.
‘Digital Violence: How the NSO Group Enables State Terror’ documents digital attacks against human rights defenders around the world, and shows the connections between the ‘digital violence’ of Pegasus spyware and the real-world harms lawyers, activists, and other civil society figures face.

“NSO Group is the worst of the worst in selling digital burglary tools to players who they are fully aware actively and aggressively violate the human rights of dissidents, opposition figures, and journalists,” said Edward Snowden, President of Freedom of the Press Foundation.
NSO Group is a major player in the shadowy surveillance industry. The company’s Pegasus spyware has been used in some of the most insidious digital attacks on human rights defenders. When Pegasus is surreptitiously installed on a person’s phone, an attacker has complete access to a phone’s messages, emails, media, microphone, camera, calls and contacts. For my earlier posts on NSO see: https://humanrightsdefenders.blog/tag/nso-group/
“The investigation reveals the extent to which the digital domain we inhabit has become the new frontier of human rights violations, a site of state surveillance and intimidation that enables physical violations in real space,” said Shourideh C. Molavi, Forensic Architecture’s Researcher-in-Charge.
Edward Snowden narrates an accompanying video series that tells the stories of human rights activists and journalists targeted by Pegasus. The interactive platform also includes sound design by composer Brian Eno. A film about the project by award-winning director Laura Poitras will premiere at the 2021 Cannes Film Festival later this month.
The online platform is one of the most comprehensive databases on NSO-related activities, with information about export licenses, alleged purchases, digital infections, and the physical targeting of activists after being targeted with spyware, including intimidation, harassment, and detention. The platform also sheds light on the complex corporate structure of NSO Group, based on new research by Amnesty International and partners.
“For years, NSO Group has shrouded its operations in secrecy and profited from working in the shadows. This platform brings to light the important connections between the use of its spyware and the devastating human rights abuses inflicted upon activists and civil society,” said Danna Ingleton, Deputy Director of Amnesty Tech.
Amnesty International’s Security Lab and Citizen Lab have repeatedly exposed the use of NSO Group’s Pegasus spyware to target hundreds of human rights defenders across the globe. Amnesty International is calling on NSO Group to urgently take steps to ensure that it does not cause or contribute to human rights abuses, and to respond when they do occur. The cyber-surveillance industry must carry out adequate human rights due diligence and take steps to ensure that human rights defenders and journalists do not continue to become targets of unlawful surveillance.
In October 2019, Amnesty International revealed that Moroccan academic and activist, Maati Monjib’s phone had been infected with Pegasus spyware. He continues to face harassment by the Moroccan authorities for his human rights work. In December 2020, Maati Monjib was arbitrarily detained before being released on parole on 23 March 2021.
Maati Monjib tells his story in one of the short films, and spoke of the personal toll following the surveillance: “The authorities knew everything I said. I was in danger. Surveillance is very harming for the psychological wellbeing of the victim. My life has changed a lot because of all these pressures.”
Amnesty International is calling for all charges against Maati to be dropped, and the harassment against him and his family by the Moroccan authorities to end.
Ron Deibert is director of the Citizen Lab at the University of Toronto’s Munk School of Global Affairs.
On 25 May 2021 Nathaniel Basen for TVO.org spoke with professor Ron Deibert about internet censorship, espionage, and getting threats from authoritarian regimes. It is a long but rich interview:

In 2001, Ron Deibert, a professor at the University of Toronto, founded Citizen Lab to help understand and track the spread of digital human-rights abuses around the world.
In the 20 years since, the interdisciplinary lab has made headlines for protecting journalists and human-rights defenders from digital attacks; one of its researchers helped identify members of the group that attacked the United States Capitol earlier this year.
TVO.org: Let’s start at the beginning. How and why did Citizen Lab start, and what did it look like at the time?
Ron Deibert: Back in the late 1990s, I was doing what I would consider to be conventional academic research — the lone professor studying a topic. A lot of desktop research. A student who was taking a course of mine proposed doing a paper where he would explore censorship in China. This was a new topic back then — there was not any evidence really that China was censoring the internet — but people assumed they would, and there was a lot of uncertainty about what was going on there.
He was kind of a self-taught hacker, and he put together this research paper where he connected to computers in China using some proxy servers and started comparing the results he got to what he could see here in Canada, doing it very systematically. It opened my eyes to the ways in which methods from computer science and engineering science — technical interrogation tools and techniques — could be used to surface real primary evidence about what’s going on beneath the surface of the internet around information control. Especially what governments, and also private companies, are doing that isn’t in the public domain. No one was really doing that at the time, and a lightbulb went on, where I realized that this is a really powerful way of surfacing primary evidence and data in a way that really no one else was doing.
So I put together a prospectus for a lab that would be interdisciplinary, that would bring together people who have these skills to work systematically on uncovering information-control practices and look at surveillance and censorship and information warfare, from the standpoint of risks to citizens from a human-rights perspective. I was very fortunate at the time to get support from the Ford Foundation — I got a grant from them in 2001 — and I put the proposal together for the Citizen Lab from that.
TVO.org: And at the time you were in a pretty small basement lab.
Deibert: Actually, it was my office in political science where it all got started. When I got the grant, the Munk Centre was just being established, and the building at Devonshire [at the University of Toronto] was under construction. I went over to that building and scoped out what I thought would be a room that no one else would want, to increase my chance of getting approval. I found this space, and I went to Janice Stein, the director, and said, “Hey, I’ve got this grant. I’ve got this idea. I need some space.” And she said, “Okay, you can have it.”
So she supported the idea and took a risk. Space is a very valuable asset on campus. And even though it sounds less glamorous, we were really happy to have that room.
After 10 years, we moved to the new Munk building, the observatory, where we’re located now, and that was really great, because we needed more space. Security is not perfect — where we are there are lots of problems — but it is much better than it was in the old building, where people would just wander in and could easily locate us. Now we’re wrapped behind several layers of access control…..
TVO.org: Let’s talk a little bit about your process. How does Citizen Lab decide what to look into next?
Deibert: It’s a combination of factors. First and foremost, we are looking at the topic, at the domain, broadly speaking, which for us is global in scope. We don’t have a particular regional focus. We’re looking at risks to human rights that arise out of information technology: that’s the broadest possible definition of what we do.
That also limits our selection of cases that we want to examine. We assume that, however problematic cybersecurity is for big banks or government, they have resources — they can go hire a private company. But journalists, human-rights defenders, people living in the global south who are human-rights defenders and are advocating for policy change, they really lack capacity. So we put our effort into identifying cases that present the highest risk to human rights and, ideally, affect the most vulnerable parts of the population.
We divide our work systematically. So there are certain teams that we organize around, though there’s a bit of overlap. It’s fluid, but we have some teams that are more interested in applying network-measurement techniques to uncovering internet censorship, let’s say, and that’s probably the area where we’ve doing the most work for the longest time. Then there’s what we call the targeted-threats group, which is really the most serious stuff around espionage, and it certainly has the highest risk and has gotten us in the crosshairs of some bad actors, to such an extent that we’ve now become a target. We also apply non-technical methods in an interdisciplinary way — we have people who are trained in law and policy. So we’ve done a lot of work around legislation of analyzing national security laws and practices in Canada.
I would say how things are chosen depends on the opportunities that come up. We may hear about something, some preliminary evidence, perhaps a journalist tips us off or a victim comes forward. Or the team itself decides, hey, this is something we should look into. A good example of that is Zoom. We knew about Zoom: it was a kind of obscure business networking-communications platform, until the pandemic hit. Suddenly, everyone was on Zoom. So our researchers got together and said, “Hey, we better take a look at this” and indeed uncovered some highly problematic security and privacy issues.
TVO.org: Your work with Zoom is a good example of getting immediate results from your work. If I’m correct, after a public outcry, Zoom cleaned up a lot of what you found. How does that feel to have an immediate impact on the world in that way?
Deibert: It’s actually super-rewarding in a number of ways. First of all, there’s the gratification to get the message out. Ultimately, we see ourselves as a university-based watchdog group, so if you can publish something and the next day everybody’s reading about it because it’s on the front page of the New York Times? That’s phenomenal. We’ve been actually really fortunate to have high-profile coverage for our research. I think we’ve had, like, close to 30 front-page stories in the New York Times, the Washington Post, other global media, the Financial Times, about different reports of ours over the last 20 years.
Going further, ultimately, we don’t just want to get attention for what we’re doing — we want to see some change. So there have been so many cases now where we’ve seen consequences, actions taken, policy changes, or advocacy campaigns started as a result of the work that we’ve done.
Probably the biggest one was back in 2016, when we investigated a targeted espionage attack against a human-rights defender in the United Arab Emirates. He shared with us an SMS message that was tainted with malware that the UAE government was using to try to hack his phone, and when we reverse-engineered it, that malware infected our own device, our own iPhone. We realized that it was so sophisticated and involved what were then three software flaws in the Apple operating system, that even Apple itself didn’t know about. We did a responsible disclosure to them and, within two weeks, they pushed out a patch that affected directly the security of more than 1 billion people. So, to be able to say, “Hey, we were responsible for that” is, I think, quite an accomplishment.
TVO.org: On the flip side, there are people that don’t like the work you do. What has it been like for you to become a target? I can’t imagine when you started this thing that you pictured yourself coming under threat.
Deibert: Well, first of all, you’re right. I grew up studying world politics as something out there, and I’m a spectator. There were a couple of instances before this, but, really, when we published the GhostNet report in 2009, which was the first public-evidence-based report on cyber espionage, it was the one that involved the hacking of the office of His Holiness the Dalai Lama, and we uncovered this massive Chinese espionage operation.
It suddenly dawned on me, okay, we’ve gone from kind of just observing and recording to becoming a factor, because very quickly thereafter, we had all sorts of inquiries and veiled threats and concerns about physical security. From that point on, from 2009 to today, they’ve really only amplified. The worst is probably when we were targeted by Black Cube, the same private-intelligence firm made up of ex-Mossad agents that notoriously went after the accusers of Harvey Weinstein. Now, that’s really frightening to be in their crosshairs. We ended up actually exposing that operation, but to know that something like that is going on, frankly, is very disturbing. It really forces you to change your behaviour, think about practical issues: when you’re travelling, hotels, getting into elevators, who’s accessing the same building as you.
At the same time, though, I think it’s a mark of success. If we’re not successful, those people wouldn’t care. It’s just something you have to factor into your risk calculation and take all the precautions, and we’re most concerned about the risks to the subjects of our research. Frankly, we go to extraordinary lengths to protect the security in terms of the data we handle, how we interact with them and interview them. But, yeah, it’s just constant. Actually, every day there’s something, ranging from people who, unfortunately, maybe are mentally disturbed, and they read about us and want to visit us, all the way to, you know, the world’s worst authoritarian regimes that are trying to threaten us.
TVO.org: A lot of this work is global in nature, but some Ontarians might be surprised to know a lot of it is quite local. I’m thinking about your work with internet-filtering technology and Waterloo-based Netsweeper. What makes filtering technology so important, and what was Netsweeper up to?
Deibert: As the internet evolves, there are all sorts of reasons why people want to control access to certain content online — beginning, I would say, with schools and libraries. There are legitimate concerns among parents and teachers that children have access to pornography or other types of content. Service providers like Netsweeper fill the market niche, providing filtering technology to those clients.
But, very quickly, there grew a need among governments — national-level internet censorship. In the beginning, like I talked about with the Chinese, it was very rare in the 1990s or 2000s. I could count on one hand the number of governments that were doing this sort of thing. Now, it’s routine, and it’s big business. So with a company like Netsweeper, for us, it was, frankly, a no-brainer to zero in on it, and not even because they’re based in our own backyard. There’s certainly a motivating factor there because we’re Canadians, and we want to make sure that, as best we can, we identify businesses operating out of Canada to see if they’re in compliance with Canadian law or Canadian values. Here, we had a company that seemed to be not just kind of stumbling into selling internet-censorship services to some of the world’s worst violators of human rights, but actively courting them.
They were showing up all over the world, especially in the Middle East. The Middle East is where Netsweeper really profited from selling internet-censorship services to governments that routinely violate human rights and block access to content that would be considered protected legally here in Canada. And they were also doing this in a non-transparent way.
This is not something they openly advertised, and yet we knew, from our research and technical investigation, we could identify basically unquestionable proof that their technology was being used to filter access to content that would be legally protected here in Canada, in places like Bahrain and Yemen and in the Gulf.
So we did a report about Netsweeper’s technology in Yemen, and at this time, the main telco, YemenNet, was controlled by Houthi rebels, and of course there’s an ongoing civil war, which at that time was really quite intense. We simply documented that Netsweeper’s technology was being used to actually block the entire Israeli top-level domain — the only time we’d ever seen that in the world, with the exception of Iran.
We published this report, and we mentioned in the commentary around it that, in providing services to one participant in an armed conflict, who is censoring information, including information related to international news, they’re effectively inserting themselves in an armed conflict, and it raises all sorts of ethical, moral, and potentially even legal issues. Netsweeper sued me and the University of Toronto for defamation for over $3 million. Of course, we thought that was entirely baseless, and six months later, they simply withdrew the suit.
Coincidentally, their suit came shortly before the Ontario government passed anti-SLAPP legislation to prevent lawsuits that chill free expression, which in our opinion, is very much what it is, because as we were going through the litigation, we couldn’t report on Netsweeper. After the lawsuit was dropped, we then published several subsequent reports on Netsweeper…..
TVO.org: In your 20 years, what is the work you’re most proud of?
Deibert: What I’m most proud of is the staff. I’d say a skill that I have is, I think I would make a good NHL scout or a band manager. I have the ability, for what it’s worth, to identify talented people and give them the support they need. So there’s not a particular report that I’m proud of; I’m most proud of the people who work at the lab. I’m so fortunate to be surrounded by these extremely talented, ethical, dedicated people, most of whom have been with me for over 10 years. It’s rare to have that in a small university. And that’s what I’m most proud of.
TVO.org: The lab itself, as we talked about a little bit, is somewhat unique: you’re working outside of government or corporations and working in the interest of human rights. Others around the world have taken note of your model. Do you hope to export it?
Deibert: It’s beginning to be surprising to me that there aren’t more Citizen Lab–like organizations at other universities. To me, this is a field with such endless opportunity. There’s so much unfortunate malfeasance going on in the digital world.
And, yet, you have these extremely powerful methods and techniques, as we’ve demonstrated, that, by way of analogy, act like an X-ray on the abuse of power. That’s the way I think about it. It’s astonishing.
Sometimes I sit back and shake my head. A lot of the stuff we don’t even publish. It’s remarkable what you can see when you use these very precise, careful methods to uncover and track abuses of power. Why haven’t other university professors jumped on this and tried to mimic it? I don’t really know. I suppose there’s no one answer. There are risks involved with it, and it’s actually not easy to cross disciplinary boundaries.
So I think that we’re helping to build the field, at least I hope, and you’re right that there are a few other places where I’m seeing either professors or, in some cases, human-rights organizations, attempting to build something like this. That is fantastic. That’s really where my effort and the next phase of my career is, around really field-building by promoting that model and hoping that others build up centres like the Citizen Lab at other universities, while also ensuring the sustainability of the lab.
This is a bit “inside university,” but the reality is, as the only professor in the lab, I’m the weakest link. So if something happens to me, the lab would really fall apart. Not because I’m the wizard directing everything — purely because I’m the responsible principal investigator for the grant, and you need that at a university. What I hope to do is ensure the sustainability of the lab outside of me, and that means recruiting other professors to the lab. We’re actively fundraising to do that and to try to get more tenure-track positions connected to the lab so that it can continue once I move on.
TVO.org: And what will the next 20 years hold for the lab itself?
Deibert: Hopefully, we’ll be able to continue. We know we have the support from the University of Toronto; they’ve been incredible in a number of ways. We live in a time when big university bureaucracies are criticized, sometimes rightfully so — I’ve been critical of my own university in various areas. But one thing I can say, they have been so supportive of work that we do in a variety of real practical ways, including legal support.
I just want the lab to not be something that is tied to one professor. I want it to continue and to duplicate what we do globally. If we had 25 Citizen Labs sprinkled around the planet, it would be better for human rights overall, because there would at least be another protective layer, if you will, of dogged researchers who aren’t afraid to uncover abuses of power, no matter where they are.
…Citizen Lab has tracked and documented more than two dozen cases using similar intrusion and spyware techniques. We don’t know the full number of victims or their stories, as not all attack vectors are publicly known. Once spyware is implanted, it checks in with a command and control (C&C) server on a regular, scheduled basis, keeping each exchange small so as not to consume conspicuous amounts of bandwidth. These tools are built to be stealthy: they evade forensic analysis, avoid detection by antivirus software, and can be deactivated and removed remotely by their operators.

Once successfully implanted on a victim’s phone using an exploit chain like Trident, spyware can actively record or passively gather a wide variety of data from the device. With full access to the phone’s files, messages, microphone, and camera, the operator can turn the device into a silent digital spy in the target’s pocket.
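The scheduled, low-volume check-ins described above are one of the few behaviours a defender can look for from outside the device: an implant on a fixed timer leaves connection records whose spacing is far more regular than anything a human produces. The Python below is an added example written for this page, not code from Citizen Lab, Amnesty International or the article’s author. The log lines are constructed, the addresses are documentation ranges, and the thresholds (minimum connection count, allowed timing jitter, maximum average size) are illustrative assumptions, not signatures for Pegasus or any other real implant.

```python
"""Heuristic beacon detection over connection-log lines (added example).

Idea: an implant that checks in with its C&C server on a schedule produces
connections whose inter-arrival times are nearly constant and whose payloads
are small. We group connections by (src, dst), measure the spread of the gaps
between them, and flag pairs that are both regular and low-volume.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log, not real telemetry.
# Format: "<iso-timestamp> <src> <dst> <bytes_out>"
# 203.0.113.9 receives a small request about every 15 minutes (the beacon);
# 198.51.100.20 receives a few irregular, larger transfers (ordinary traffic).
SAMPLE_LOG = """\
2021-07-03T10:00:00 10.0.0.7 203.0.113.9 412
2021-07-03T10:00:07 10.0.0.7 198.51.100.20 18233
2021-07-03T10:15:01 10.0.0.7 203.0.113.9 388
2021-07-03T10:21:44 10.0.0.7 198.51.100.20 902
2021-07-03T10:30:02 10.0.0.7 203.0.113.9 401
2021-07-03T10:45:00 10.0.0.7 203.0.113.9 420
2021-07-03T10:52:10 10.0.0.7 198.51.100.20 44120
2021-07-03T11:00:01 10.0.0.7 203.0.113.9 395
2021-07-03T11:15:03 10.0.0.7 203.0.113.9 410
2021-07-03T11:30:00 10.0.0.7 203.0.113.9 398
"""


def parse_log(text):
    """Parse log lines into (timestamp, src, dst, bytes_out) tuples; skip blank lines."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return events


def find_beacons(events, min_connections=4, max_cv=0.1, max_mean_bytes=4096):
    """Return (src, dst) pairs whose connection timing looks like scheduled check-ins.

    min_connections: fewer samples than this give no usable timing statistics.
    max_cv: coefficient of variation (stdev / mean) of the inter-arrival gaps;
            a fixed schedule gives a value near 0, human-driven traffic much more.
    max_mean_bytes: beacons are designed to stay small; large transfers are more
            likely bulk downloads or exfiltration and would be scored separately.
    All three thresholds are illustrative assumptions, not tuned values.
    """
    flows = defaultdict(list)
    for ts, src, dst, nbytes in events:
        flows[(src, dst)].append((ts, nbytes))

    findings = []
    for (src, dst), samples in flows.items():
        if len(samples) < min_connections:
            continue
        samples.sort()  # chronological order before measuring gaps
        gaps = [(later[0] - earlier[0]).total_seconds()
                for earlier, later in zip(samples, samples[1:])]
        period = mean(gaps)
        if period <= 0:
            continue  # all timestamps identical; nothing to measure
        cv = pstdev(gaps) / period
        avg_bytes = mean(n for _, n in samples)
        if cv <= max_cv and avg_bytes <= max_mean_bytes:
            findings.append({
                "src": src,
                "dst": dst,
                "connections": len(samples),
                "period_s": round(period, 1),
                "gap_cv": round(cv, 4),
                "mean_bytes": round(avg_bytes, 1),
            })
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Two caveats a practitioner should keep in mind. Operators routinely add random jitter to the check-in interval precisely to defeat this kind of test, so a low coefficient of variation is strong evidence but its absence proves nothing; on a large log the usual next step is to bin each pair’s gaps into a histogram and look for a dominant peak instead of a single spread statistic. And because mobile implants talk to ordinary-looking HTTPS endpoints, the useful input is whatever records connections per destination (DNS logs, a proxy, NetFlow at the network edge), not the phone itself, which the passage above notes is built to hide the implant from on-device inspection.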
These attacks, and many others that go unreported, show that spyware tools and the intrusion business carry significant potential for abuse, and that bad actors and governments cannot resist the temptation to use such tools against political opponents, journalists, and human rights defenders. Because spyware companies lack operational due diligence, they neither consider the impact of their tools on the civilian population nor comply with human rights policies. [see: https://humanrightsdefenders.blog/2020/07/20/the-ups-and-downs-in-sueing-the-nso-group/]

The growing privatization of cyberattacks is driven by a new generation of private companies, so-called online mercenaries. The phenomenon has reached the point where it has acquired its own acronym, PSOAs, for private-sector offensive actors. This harmful industry is quickly growing into a multi-billion-dollar global technology market. These newly emerging companies give nation-states and bad actors the option to buy the tools necessary for launching sophisticated cyberattacks, which adds another significant element to the cybersecurity threat landscape.
These companies claim that they have strict controls over how their spyware is sold and used and have robust company oversight mechanisms to prevent abuse. However, the media and security research groups have consistently presented a different and more troubling picture of abuse…
The growing abuse of surveillance technology by authoritarian regimes with poor human rights records is becoming a disturbing new, globally emerging trend. The use of these harmful tools has drawn attention to how the availability and abuse of highly intrusive surveillance technology shrink already limited cyberspace in which vulnerable people can express their views without facing repercussions such as imprisonment, torture, or killing.
Solving this global problem will be neither easy nor simple, and will require a strong coalition of multiple stakeholders, including governments, civil society, and the private sector, to rein in what is now a “Wild West” of unmitigated abuse in cyberspace. With powerful surveillance and intrusion technology roaming free without restrictions, there is nowhere to hide, and no one will be safe from those who wish to cause harm online or offline. Failing to act urgently by banning or restricting the use of these tools will threaten democracy, the rule of law, and human rights worldwide.
On December 7, 2020, the US National Security Agency issued a cybersecurity advisory warning that “Russian State-sponsored actors” were exploiting a vulnerability in digital workspace software developed by VMware (the VMware Workspace ONE Access and VMware Identity Manager products), using compromised credentials to reach the vulnerable interface.

Separately, a backdoor called SUNBURST was delivered to SolarWinds’ customers when they installed trojanized updates of the company’s Orion software.
On December 30, 2020, Reuters reported that the hacking group behind the SolarWinds compromise was able to break into Microsoft Corp and access some of its source code. This new development sent a worrying signal about the cyberattack’s ambition and intentions.
Microsoft president Brad Smith said the cyber assault was effectively an attack on the US, its government, and other critical institutions, and demonstrated how dangerous the cyberspace landscape had become.
Based on telemetry gathered from Microsoft’s Defender antivirus software, Smith said the nature of the attack and the breadth of the supply chain vulnerability was very clear to see. He said Microsoft has now identified at least 40 of its customers that the group targeted and compromised, most of which are understood to be based in the US, but Microsoft’s work has also uncovered victims in Belgium, Canada, Israel, Mexico, Spain, the UAE, and the UK, including government agencies, NGOs, and cybersecurity and technology firms.
Although the ongoing operation appears to be aimed at intelligence gathering, no damage had been reported from the attacks as of the publishing date of this article. This is not “espionage as usual.” It created a serious technological vulnerability in the software supply chain. It has also shaken trust in the reliability of the world’s most advanced critical infrastructure, all to advance the aims of one nation’s intelligence agency.
As expected, the Kremlin has denied any role in recent cyberattacks on the United States. President Vladimir Putin’s spokesman Dmitry Peskov said the American accusations that Russia was behind a major security breach lacked evidence. The Russian denial raised the question of a gap of accountability in attributing cyberspace attacks to a nation-state or specific actor. Determining who is to blame in a cyberattack is a significant challenge, as cyberspace is intrinsically different from the kinetic one. There is no physical activity to observe, and technological advancements have allowed perpetrators to be harder to track and to remain seemingly anonymous when conducting the attack (Brantly, 2016).
To achieve a legitimate attribution, it is not enough to identify the suspects, i.e., the actual persons involved in the cyberattacks. One must also be able to determine whether the attacks had a motive, political or economic, and whether the actors were supported by a government or a non-state actor, with enough evidence to support diplomatic, military, or legal options.
A recognized attribution can enhance accountability in cyberspace and deter bad actors from launching cyberattacks, especially on civilian infrastructures like transportation systems, hospitals, power grids, schools, and civil society organizations.
According to Article 2 of the United Nations International Law Commission’s Articles on Responsibility of States for Internationally Wrongful Acts, to constitute an “internationally wrongful act,” a cyber operation generally must be 1) attributable to a state and 2) in breach of an obligation owed to another state. It is also regrettable that state-sponsored cyberattacks violate the international-law principles of necessity and proportionality.
Governments need to consider a multi-stakeholder approach to help resolve the accountability gap in cyberspace. Some states continue to believe that ensuring international security and stability in cyberspace or cyberpeace is exclusively the responsibility of states. In practice, cyberspace is designed, deployed, and managed primarily by non-state actors, like tech companies, Internet Service Providers (ISPs), standards organizations, and research institutions. It is important to engage them in efforts to ensure the stability of cyberspace.
I will name two examples of multi-stakeholder initiatives to secure cyberspace. The Global Commission on the Stability of Cyberspace (GCSC), which consisted of 28 commissioners from 16 countries, including government officials, has developed principles and norms that can be adopted by states to ensure a stable and secure cyberspace. For example, it called on states and non-state actors not to pursue, support, or allow cyber operations intended to disrupt the technical infrastructure essential to elections, referenda, or plebiscites.

The CyberPeace Institute is a newly established global NGO that turned one year old in December 2020 and has the important goal of protecting the most vulnerable and achieving peace and justice in cyberspace. The institute started its operations by focusing on the healthcare sector, which was under attack daily during the COVID-19 pandemic. As those cyberattacks were a direct threat to human life, the institute called upon governments to stop cyber operations against medical facilities and to protect healthcare.
I believe that there is an opportunity for the states to forge agreements to curb cyberattacks on civilian and private sector infrastructure and to define what those boundaries and redlines should be.
SolarWinds and the recent attacks on healthcare facilities are important milestones, as they offer a live example of the paramount risks of a completely unchecked and unregulated cyberspace. But they will only prove to be a moment of true and more fundamental reckoning if many of us, governments and other stakeholders alike, play a part, each in our respective roles, in capitalizing on those recent events by forcing legal, technological, and institutional reform and real change in cyberspace.

The effects of the SolarWinds attack will not only impact US government agencies but also businesses and civilians who are already less secure online. Bad actors are becoming more aggressive, bold, and reckless, and continue to cross the red lines we considered to be norms in cyberspace.
Vulnerable civilians are the targets of the intrusion tools and spyware in a new cyberspace wild west landscape. Clearly, additional legal and regulatory scrutiny is required of private-sector offensive actors or PSOAs. If PSOA companies are unwilling to recognize the role that their products play in undermining human rights or address these urgent concerns, then, in this case, intervention by governments and other stakeholders is needed.
We no longer have the privilege of ignoring the growing impact of cyberattacks on international law, geopolitics, and civilians. We need a strong and global cybersecurity response. What is required is a courageous multi-stakeholder agenda that revisits historical assumptions and biases about the possibility of establishing new laws and norms to govern cyberspace.

Changes and reforms are achievable if there is the will. The Snowden revelations and the outcry that followed resulted not only in significant changes to the domestic regulation of US foreign intelligence, but also shaped rulings at the European Court of Human Rights and the Court of Justice of the European Union, and action at the UN, where the Human Rights Council helped spur the creation of a new UN Special Rapporteur on the Right to Privacy, based in Geneva.
The new cyberspace laws, rules, and norms require a multi-stakeholder dialogue process that involves participants from tech companies, academia, civil society, and international law in global discussions that can be facilitated by governments or supported by a specialized international intergovernmental organization.
A multi-year investigation by Citizen Lab has unearthed a hack-for-hire group from India that targeted journalists, advocacy groups, government officials, hedge funds, and human rights defenders.
Jay Jay, a freelance technology writer, posted an article in Teiss on 9 June 2020 stating that Citizen Lab revealed in a blog post published that Tuesday that the hack-for-hire group’s identity was established after the security firm investigated a custom URL shortener that the group used to shorten the URLs of phishing websites before targeting specific individuals and organisations. Citizen Lab has named the group “Dark Basin”.
“Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy,” the firm said.
It added that the hack-for-hire group targeted thousands of individuals and organisations in six continents, including senior politicians, government prosecutors, CEOs, journalists, and human rights defenders, and is linked to BellTroX InfoTech Services, an India-based technology company.
… The range of targets, which included two clusters of advocacy organisations in the United States working on climate change and net neutrality, made it clear to Citizen Lab that Dark Basin was not state-sponsored but was a hack-for-hire operation.
… As further proof of Dark Basin’s links with BellTroX, researchers found that several BellTroX employees boasted capabilities like email penetration, exploitation, conducting cyber intelligence operations, pinging phones, and corporate espionage on LinkedIn. BellTroX’s LinkedIn pages also received endorsements from individuals working in various fields of corporate intelligence and private investigation, including private investigators with prior roles in the FBI, police, military, and other branches of government.
The list of organisations targeted by Dark Basin over the past few years includes Rockefeller Family Fund, Greenpeace, Conservation Law Foundation, Union of Concerned Scientists, Oil Change International, Center for International Environmental Law, Climate Investigations Center, Public Citizen, and 350.org. The hack-for-hire group also targeted several environmentalists and individuals involved in the #ExxonKnew campaign that wanted Exxon to face trial for hiding facts about climate change for decades.
A separate investigation into Dark Basin by NortonLifeLock Labs, which they named “Mercenary.Amanda”, revealed that the hack-for-hire group executed persistent credential spearphishing against a variety of targets in several industries around the globe going back to at least 2013…
According to a lawsuit announced on Tuesday, the Israeli spyware-maker NSO Group developed malware specifically to access WhatsApp communications. Photograph by Daniella Cheslow / AP
On May 13th, WhatsApp announced that it had discovered the vulnerability. In a statement, the company said that the spyware appeared to be the work of a commercial entity, but it did not identify the perpetrator by name. WhatsApp patched the vulnerability and, as part of its investigation, identified more than fourteen hundred phone numbers that the malware had targeted. In most cases, WhatsApp had no idea whom the numbers belonged to, because of the company’s privacy and data-retention rules. So WhatsApp gave the list of phone numbers to the Citizen Lab, a research laboratory at the University of Toronto’s Munk School of Global Affairs, where a team of cyber experts tried to determine whether any of the numbers belonged to civil-society members.
On Tuesday 29 October 2019, WhatsApp took the extraordinary step of announcing that it had traced the malware back to NSO Group, a spyware-maker based in Israel, and filed a lawsuit against the company—and also its parent, Q Cyber Technologies—in a Northern California court, accusing it of “unlawful access and use” of WhatsApp computers. According to the lawsuit, NSO Group developed the malware in order to access messages and other communications after they were decrypted on targeted devices, allowing intruders to bypass WhatsApp’s encryption.
NSO Group said in a statement in response to the lawsuit, “In the strongest possible terms, we dispute today’s allegations and will vigorously fight them. The sole purpose of NSO is to provide technology to licensed government intelligence and law enforcement agencies to help them fight terrorism and serious crime. Our technology is not designed or licensed for use against human rights activists and journalists.” In September, NSO Group announced the appointment of new, high-profile advisers, including Tom Ridge, the first U.S. Secretary of Homeland Security, in an effort to improve its global image.
In a statement to its users on Tuesday, WhatsApp said, “There must be strong legal oversight of cyber weapons like the one used in this attack to ensure they are not used to violate individual rights and freedoms people deserve wherever they are in the world. Human rights groups have documented a disturbing trend that such tools have been used to attack journalists and human rights defenders.”
John Scott-Railton, a senior researcher at the Citizen Lab, said, “It is the largest attack on civil society that we know of using this kind of vulnerability.”
Private equity firm Novalpina, which acquired a majority stake in NSO Group in February, said that within 90 days it would “establish at NSO a new benchmark for transparency and respect for human rights.” It said it sought “a significant enhancement of respect for human rights to be built into NSO’s governance policies and operating procedures and into the products sold under licence to intelligence and law enforcement agencies.”
The company has always stated that it provides its software to governments for the sole purpose of fighting terrorism and crime, but human rights defenders and NGOs have claimed the company’s technology has been used by repressive governments to spy on them. Most notably, the spyware was allegedly used in connection with the gruesome killing of Saudi journalist Jamal Khashoggi, who was dismembered in the Saudi consulate in Istanbul last year and whose body has never been found.
Last month London-based Amnesty International, together with other human rights activists, filed a petition to the District Court in Tel Aviv to compel Israel’s Defense Ministry to revoke the export license it granted to the company that Amnesty said has been used “in chilling attacks on human rights defenders around the world.”
On Friday the Guardian reported that Yana Peel, a well-known campaigner for human rights and a prominent figure in London’s art scene, is a co-owner of NSO, as she has a stake in Novalpina, co-founded by her husband Stephen Peel. Peel told the Guardian she has “no involvement in the operations or decisions of Novalpina, which is managed by my husband, Stephen Peel, and his partners” and added that the Guardian’s view of NSO was “quite misinformed.”
On 1 May 2019 Friedhelm Weinberg, Executive Director, HURIDOCS, published “3 ways activists are being targeted by cyberattacks” on the website of the World Economic Forum (see below). A timely piece in view of the current turmoil surrounding the discovery of spyware crafted by sophisticated hackers-for-hire, who took advantage of a flaw in WhatsApp. The Financial Times identified the actor as Israel’s NSO Group, and WhatsApp all but confirmed the identification, describing the hackers as “a private company that has been known to work with governments to deliver spyware.” … As late as Sunday, as WhatsApp engineers raced to close the loophole, a UK-based human rights lawyer’s phone was targeted using the same method. Researchers at the University of Toronto’s Citizen Lab said they believed that the spyware attack on Sunday was linked to the same vulnerability that WhatsApp was trying to patch. NSO’s flagship product is Pegasus, a program that can turn on a phone’s microphone and camera, trawl through emails and messages and collect location data. NSO advertises its products to Middle Eastern and western intelligence agencies, and says Pegasus is intended for governments to fight terrorism and crime. … Asked about the WhatsApp attacks, NSO said it was investigating the issue. “Under no circumstances would NSO be involved in the operating or identifying of targets of its technology, which is solely operated by intelligence and law enforcement agencies,” the company said. “NSO would not, or could not, use its technology in its own right to target any person or organisation, including this individual [the UK lawyer].”
Several reports have shown Israeli technology being used by Gulf states against their own citizens (AFP/File photo)
Middle East Eye of 13 May 2019 reports that Amnesty International is pushing for Israel’s defence ministry to withdraw an export license for NSO Group, an Israeli tech firm that the human rights group has accused of selling spyware to repressive governments to spy on activists. In a statement on Monday, Amnesty said it plans to file a legal petition to the District Court of Tel Aviv on Tuesday to block the export licenses. Danna Ingleton, deputy director of Amnesty Tech, said in an affidavit on Monday that NSO Group has not done its job to protect human rights defenders from being targeted. Instead, many reports have shown that governments have deployed Pegasus spyware “to surveil human rights defenders”, Ingleton said.
NSO Group has been under increased scrutiny after a series of reports about the ways in which its spyware programme has been used against prominent human rights activists. Last year, a report by Citizen Lab, a group at the University of Toronto, showed that human rights defenders in Saudi Arabia, the United Arab Emirates and Bahrain were targeted with the software.
In October, US whistleblower Edward Snowden said Pegasus had been used by the Saudi authorities to surveil journalist Jamal Khashoggi before his death. “They are the worst of the worst,” Snowden said of the firm. Amnesty International said in August that a staffer’s phone was infected with the Pegasus software via a WhatsApp message.
——-
Friedhelm Weinberg’s piece of 1 May is almost prescient and contains good, broader advice:
When activists open their inboxes, they find more than the standard spam messages telling them they’ve finally won the lottery. Instead, they receive highly sophisticated emails that look like they are real, purport to be from friends and invite them to meetings that are actually happening. The catch is: at one point the emails will attempt to trick them.
1. Phishing for accounts, not compliments
In 2017, the Citizen Lab at the University of Toronto and the Egyptian Initiative for Personal Rights documented what they called the “Nile Phish” campaign, a set of emails luring activists into giving access to their most sensitive accounts – email and file-sharing tools in the cloud. The Seoul-based Transitional Justice Working Group recently warned on its Facebook page about a very similar campaign. As attacks like these have mounted in recent years, civil society activists have come together to defend themselves, support each other and document what is happening. The Rarenet is a global group of individuals and organizations that provides emergency support for activists – but together it also works to educate civil society actors to dodge attacks before damage is done. The Internet Freedom Festival is a gathering dedicated to supporting people at risk online, bringing together more than 1,000 people from across the globe. The emails from campaigns like Nile Phish may be cunning and carefully crafted to target individual activists – but they are not cutting-edge technology. Protection is stunningly simple: do nothing. Simply don’t click the link and enter information – as hard as it is when you are promised something in return.
Often digital security is about being calm and controlled as much as it is about being savvy in the digital sphere. And that is precisely what makes it difficult for passionate and stressed activists!
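Two of the tells such lures rely on can be checked mechanically before anyone has to stay calm: a familiar name over an unfamiliar sender domain, and a link whose visible text names the real service while its href points elsewhere. The following is an added example, not code from the original post or from Citizen Lab; the messages and the trusted-domain list are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allow-list: domains the activist's organisation actually uses.
TRUSTED_DOMAINS = {"example.org", "drive.google.com"}

# Constructed lure (not a real message): a colleague's name over an unrelated
# sender domain, and a visible "drive" URL whose href is a look-alike login page.
LURE_EML = """From: "Sara from the office" <sara@mail-secure-login.example>
Subject: Agenda for Thursday's meeting
Content-Type: text/html; charset=utf-8

<p>Hi, the agenda is in our shared drive:</p>
<a href="http://drive-google.example/login">https://drive.google.com/agenda</a>
"""


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(value):
    """Lower-cased host if value looks like a URL or bare domain, else ''."""
    if " " in value or "." not in value:
        return ""
    return (urlparse(value if "://" in value else "http://" + value).hostname or "").lower()


def find_phishing_indicators(raw_message, trusted=TRUSTED_DOMAINS):
    """Return human-readable findings for one message; an empty list means clean."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    sender_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    if sender_domain not in trusted:
        findings.append(f"sender domain not trusted: {sender_domain}")
    collector = _LinkCollector()
    collector.feed(msg.get_body(preferencelist=("html", "plain")).get_content())
    for href, text in collector.links:
        shown, real = host_of(text), host_of(href)
        if shown and shown != real:  # visible URL hides a different target
            findings.append(f"link text {shown} hides href {real}")
        elif real not in trusted:
            findings.append(f"link to untrusted domain: {real}")
    return findings
```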
2. The million-dollar virus
Unfortunately, calm is not always enough. Activists have also been targeted with sophisticated spyware that is incredibly expensive to procure and difficult to spot. Ahmed Mansoor, a human-rights defender from the United Arab Emirates, received messages with malware (commonly known as computer viruses) that cost one million dollars on the grey market, where unethical hackers and spyware firms meet. See also: https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/
Rights defender Ahmed Mansoor in Dubai in 2011. Image: Reuters/Nikhil Monteiro
3. Shutting down real news with fake readers
Both phishing and malware are attacks directed against the messengers, but there are also attacks against the message itself. This is typically achieved by directing hordes of fake readers to the real news – that is, by sending so many requests through bot visitors to websites that the servers break down under the load. Commonly referred to as “denial of service” attacks, these bot armies have also earned their own response from civil society. Specialised packages from Virtual Road or Deflect sort fake visitors from real ones to make sure the message stays up.
How distributed denial of service (DDoS) attacks have grown. Image: Kinsta.com; data from EasyDNS
Recently, these companies also started investigating who is behind these attacks – a notoriously difficult task, because it is so easy to hide traces online. Interestingly, whenever Virtual Road were so confident in their findings that they publicly named attackers, the attacks stopped. Immediately. Online, as offline, one of the most effective ways to ensure that attacks end is to name the offenders, whether they are cocky kids or governments seeking to stifle dissent. But more important than shaming attackers is supporting civil society’s resilience and capacity to weather the storms. For this, digital leadership, trusted networks and creative collaborations between technologists and governments will pave the way to an internet where the vulnerable are protected and spaces for activism are thriving.
RightsCon, held this year in Toronto from 16 – 18 May 2018, brings together an international audience to discuss all topics related to human rights in the digital age, such as surveillance, AI, censorship, access to the internet, etc. Citizen Lab researchers, fellows, and associates will be participating in panels and events throughout the week. Citizen Lab is the organization that helped Ahmed Mansoor with his iPhone spyware in 2016: https://humanrightsdefenders.blog/2016/08/29/apple-tackles-iphone-one-tap-spyware-flaws-after-mea-laureate-discovers-hacking-attempt/.
Miles Kenyon on 11 a run-down of topics and where you can find them:
Ahmed Mansoor, the Laureate of the Martin Ennals Award 2015, was the target of a major hacking attempt. Fortunately it received global coverage on 26 and 27 August 2016, and Apple immediately issued a security update to address the vulnerabilities. [For those with iPhones/iPads, you may want to update your iOS software to 9.3.5!]
Image copyright AP – human rights defender Ahmed Mansoor
The flaws in Apple’s iOS operating system were discovered by Mansoor who alerted security researchers to unsolicited text messages he had received on 10 and 11 August. They discovered three previously unknown flaws within Apple’s code that meant spyware could be installed with a single tap. Apple has since released a software update that addresses the problem. The two security firms involved, Citizen Lab and Lookout, said they had held back details of the discovery until the fix had been issued.
The texts promised to reveal “secrets” about people allegedly being tortured in the United Arab Emirates (UAE)’s jails if he tapped the links. Had he done so, Citizen Lab says, his iPhone 6 would have been “jailbroken”, meaning unauthorised software could have been installed. “Once infected, Mansoor’s phone would have become a digital spy in his pocket, capable of employing his iPhone’s camera and microphone to snoop on activity in the vicinity of the device, recording his WhatsApp and Viber calls, logging messages sent in mobile chat apps, and tracking his movements,” said Citizen Lab. The researchers say they believe the spyware involved was created by NSO Group, an Israeli “cyber-war” company.
The spyware would have been installed if Mansoor had tapped on the links. Image copyright CITIZENLAB