At USENIX Security 2014 held in San Diego California from August 20-22 2014, Citizen Lab researchers presented two papers on targeted threats against civil society communities as part of a dedicated session on the topic entitled Tracking Targeted Attacks against Civilians and NGOs.

Senior Security Researcher Seth Hardy presented  “Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware.”

Targeted attacks on civil society and non-governmental organizations have gone underreported despite the fact that these organizations have been shown to be frequent targets of these attacks. This  paper sheds light on targeted malware attacks faced by these organizations by studying malicious e-mails received by 10 civil society organizations (the majority of which are from groups related to China and Tibet issues) over a period of 4 years.

The study highlights important properties of malware threats faced by these organizations with implications on how these organizations defend themselves and how we quantify these threats. We find that the technical sophistication of malware we observe is fairly low, with more effort placed on socially engineering the e-mail content. Based on this observation, we develop the Targeted Threat Index (TTI), a metric which incorporates both social engineering and technical sophistication when assessing the risk of malware threats. We demonstrate that this metric is more effective than simple technical sophistication for identifying malware threats with the highest potential to successfully compromise victims. We also discuss how education efforts focused on changing user behaviour can help prevent compromise.

Seth Hardy, Masashi Crete-Nishihata, Katharine Kleemola, Adam Senft, Byron Sonne, and Greg Wiseman, The Citizen Lab;Phillipa Gill, Stony Brook University;Ronald J. Deibert, The Citizen Lab. “Targeted Threat Index: Characterizing and Quantifying Politically-Motivated Targeted Malware.” USENIX Security 2014.

A video of the presentation is available here.

Download the paper here [PDF]

In the same session, Citizen Lab Research Fellow Bill Marczak presented a paper titled, “When Governments Hack Opponents: A Look at Actors and Technology.”

This paper analyzes an extensive collection of suspicious files and links targeting activists, opposition members, and nongovernmental organizations in the Middle East over the past several years. We find that these artifacts reflect efforts to attack targets’ devices for the purposes of eavesdropping, stealing information, and/or unmasking anonymous users. We describe attack campaigns we have observed in Bahrain, Syria, and the United Arab Emirates, investigating attackers, tools, and techniques. In addition to off-the-shelf remote access trojans and the use of third-party IP-tracking services, we identify commercial spyware marketed exclusively to governments, including Gamma’s FinSpy and Hacking Team’s Remote Control System (RCS). We describe their use in Bahrain and the UAE, and map out the potential broader scope of this activity by conducting global scans of the corresponding command-and-control (C&C) servers. Finally, we frame the real-world consequences of these campaigns via strong circumstantial evidence linking hacking to arrests, interrogations, and imprisonment.

William R. Marczak, University of California, Berkeley, and The Citizen Lab; John Scott-Railton, University of California, Los Angeles, and The Citizen Lab; Morgan Marquis-Boire, The Citizen Lab; Vern Paxson, University of California, Berkeley, and International Computer Science Institute. When Governments Hack Opponents: A Look at Actors and Technology.” USENIX Security 2014.

A video presentation of the presentation is available here.

Download the paper here [PDF]