You Should Not Trust The Media

In December 2013, a journalist named Andrew Dwight emailed Rori Donaghy, a journalist with Middle East Eye and a founder of the Emirates Center for Human Rights, which focuses on abuses in the United Arab Emirates.

“I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient,” Dwight wrote, explaining that he was working on a book about his experiences from the Middle East. “My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work.”

The email concluded with a link to an article Dwight wanted to discuss. Donaghy clicked on it, but it wasn’t an innocent connection to a webpage. That link was instead part of an elaborate Internet infrastructure set up to scan computers for vulnerabilities, allowing hackers to later target them with so-called spyware, software that can be used to monitor a computer and its users.

The email from Dwight was a ruse; one piece of a larger campaign that researchers say went after activists and opposition figures online. In fact, Dwight never existed. He was a persona created to win Donaghy’s trust and get him to click on links that surveyed his computer.

Dwight’s creators — hackers likely working on behalf of the UAE government, according to the University of Toronto’s Citizen Lab — made him a journalist for a reason: It’s a remarkably effective tool for spreading spyware. Around the world, authoritarian governments are increasingly using a basic tool of journalism — unsolicited emails to a source or expert — against their opponents by hiding that kind of malware in emails purportedly coming from both real reporters and fake ones like Dwight.

The Citizen Lab, a research group that has done groundbreaking work on digital surveillance, has documented hacking campaigns tied to the governments of the UAE, Iran, Bahrain, and Latin America’s left-leaning dictators in which their spies have posed as reporters in emails and phone calls in order to convince dissidents to click on links and open documents containing spyware.

The tactic provides an easy ruse for government sleuths. Security experts will tell you to be suspicious of unsolicited emails, but writing an unsolicited email is a basic aspect of reporting. Journalists will write to activists and experts they have never met, seeking interviews and expertise. It is an infinitely adaptable cover story, and the autocrats and monarchs of the world are catching on.

In a report released recently, the Citizen Lab documents how an UAE hacking group active from 2012 until the present tried to infect the computers of Emirati journalists, activists, and dissidents with spyware via Dwight’s fake persona and other methods.

The Citizen Lab is careful to note that it can’t definitively prove that the hackers, which targeted more than two-dozen individuals besides Donaghy, worked on behalf of the UAE, but it lays out compelling circumstantial evidence that the country sponsored the attackers.

The hacking group, dubbed “Stealth Falcon,” displayed a level of operational security consistent with a state-sponsored group. Of 27 Twitter accounts targeted by the group, “24 primarily engaged in political activities, or were otherwise critical of the UAE government,” the Citizen Lab found. The group consistently displayed a high level of knowledge about its targets and used that information to write intricate spearfishing emails. Moreover, the Citizen Lab observed a Twitter account tweet a link associated with Stealth Falcon while that account was likely under government control.

Bill Marczak, a senior research fellow at the Citizen Lab and the lead author on the UAE report, called the impersonation of journalists “very effective” for government surveillance campaigns. Sharing links and documents is fundamental to the work of journalists and civil society workers. “This is something that’s natural to how you are interacting online,” he told this reporter, who had written himself an unsolicited email seeking to set up an interview.

The Emirati Embassy in Washington didn’t return a request for comment on the report.

Other journalists have also found themselves targeted by hackers posing as reporters. In August 2015, Jillian York, the director of international freedom of expression at the Electronic Frontier Foundation, woke up to a call from a man posing as a Reuter’s journalist. That man told York that he would soon be sending her some materials that he wanted to discuss and checked that he had the right address for her.

That phone call was the first step in a sophisticated campaign to steal Google credentials for members of the Iranian diaspora that the Citizen Lab traced to Iranian hackers. York was targeted likely as a result of her work with Iranian activist groups.

The fake Reuters reporters likely hoped that he could establish his credibility with a phone call and then trick York into providing her Google username and password. Shortly after the call, the fake reporter sent her an email with what looked like a PDF hosted by Google. By clicking on the link, York would have been taken to a spoofed Google login page, which the hackers would have used to steal her username and password.

But hackers aren’t just creating fake journalist personas to spread spyware. In 2012, hackers working in Bahrain impersonated Al Jazeera journalist Melissa Chan to send emails to activists laced with malware that allowed them to take over their computers. It is unclear, Marczak said, whether the email from Chan infected the computers of any activists.

In a seven-year hacking campaign in Latin America that the Citizen Lab named “Packrat,” hackers went a step further: creating fake news outlets complete with fake articles to bolster their perceived credibility.

That hacking campaign succeeded in installing spyware on the phone of Alberto Nisman, the principal investigator of the 1994 bombing of a Jewish community center in Buenos Aires. He was found dead in his home just hours before he was set to deliver a report on allegations that then-President Cristina Fernández de Kirchner had sought to cover up Iran’s role in the attack.

In China, researchers have observed what is now a strikingly similar pattern of obfuscation in the government’s treatment of Tibetan activists. “We tracked a series of emails designed to trick Tibetan journalists into entering their Google credentials into a phishing page,” said Masashi Crete-Nishihata, the Citizen Lab’s research manager. “One of the messages was made to appear as if it came from the press secretary of the Central Tibetan Administration.”

Just as the Internet has enabled a freer flow of information between journalists and their sources, it has also enabled far greater government surveillance. “This is the flip side of the Internet’s ability to mobilize resources,” said John Scott-Railton, a senior researcher at the Citizen Lab.

But the impersonation of reporters by hackers working on behalf of governments is not limited to authoritarian regimes. In 2007, police in Washington State were trying and failing to identify the source of emailed bomb threats against a local high school when the FBI settled on a novel strategy to identify the suspect.

An agent for the bureau posed as an Associated Press reporter and began exchanging emails with the accounts used to send the threats. The agent sent the suspect a fake AP article about him that contained malware designed to reveal his location.

When the suspect clicked on the link, the software downloaded. Two days after clicking it, police arrested a 10th-grader at Timberline High School, the target of the threats.

Foreign Policy: http://ow.ly/6YtW3010z4p

« Seven Cyber-Security Myths Debunked
RoboCop Is Real »

ManageEngine
CyberSecurity Jobsite
Check Point

Directory of Suppliers

NordLayer

NordLayer

NordLayer is an adaptive network access security solution for modern businesses — from the world’s most trusted cybersecurity brand, Nord Security. 

Tines

Tines

The Tines security automation platform helps security teams automate manual tasks, making them more effective and efficient.

Resecurity

Resecurity

Resecurity is a cybersecurity company that delivers a unified platform for endpoint protection, risk management, and cyber threat intelligence.

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

DMH Stallard

DMH Stallard

DMH Stallard is a mid-market law firm. Areas of expertise include cyber security and cyber crime.

Digital Innovation Hub Slovenia (DIH)

Digital Innovation Hub Slovenia (DIH)

DIH Slovenia is a central hub providing services to grow digital competencies in areas including robotics, IoT, cyberphysical systems and cybersecurity.

Computer Forensics Consult (CFC)

Computer Forensics Consult (CFC)

Computer Forensics Consult provides disaster recovery, computer forensics, electronic discovery and litigation support services in the growing area of Cyber Security.

Project Moore

Project Moore

Project Moore is an Amsterdam law firm specialising in IT-law and privacy.

CybX Security LLC

CybX Security LLC

CybX is the first company of its kind to merge the practice of computer forensics with computer security and information security.

Octiga

Octiga

Octiga is an office 365 cloud security provider. It offers Office 365 monitoring, incident response and recovery tools.

Pelta Cyber Security

Pelta Cyber Security

Pelta Cyber Security is the cyber security consulting and solutions division of Softworld Inc. We provide staffing and recruitment services as well as consulting and solutions for outsourced projects.

Association of anti Virus Asia Researchers (AVAR)

Association of anti Virus Asia Researchers (AVAR)

AVAR's mission is to prevent the spread of and damage caused by malicious software, and to develop cooperative relationships among anti-malware experts in Asia.

Solvere One

Solvere One

Solvere One is a managed service provider (MSP) focused on corporate consulting and partnership.

Lucidum

Lucidum

The Lucidum platform helps you assess risk and mitigate vulnerabilities by finding and correlating data from your security tech stack.

Comcast Technology Solutions (CTS)

Comcast Technology Solutions (CTS)

Comcast Technology Solutions delivers proven technologies for global video, media, communications, data applications, and cybersecurity & compliance.

Avalor

Avalor

Avalor are on a mission to help security teams make faster, more accurate decisions by making sense of their data. With Avalor you can bring in data from anywhere, normalize it and analyze it.

Closed Door Security

Closed Door Security

Closed Door Security is the only cybersecurity team in the north of Scotland offering everything from IASME Certification to CREST-Accredited penetration testing.

Code First Girls

Code First Girls

Code First Girls are on a mission to close the gender gap in the tech industry by providing employment through free education.

HanaByte

HanaByte

HanaByte is a security consultancy focused on delivering state of the art solutions in the cloud. We specialize in delivering cloud services with an emphasis on security.

EVVO LABS

EVVO LABS

EVVO Labs empower your business with the latest IT capabilities to get you ahead of your competitors. We are experts at converging technologies to build your digital transformation.