Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware
Uncovering an operation using NSO Group’s Pegasus spyware and Trident exploit framework to target Mexican journalists, lawyers, and even a minor child.
Bill Marczak
I am a Senior Research Fellow at Citizen Lab, a co-founder of Bahrain Watch, and a Postdoctoral Researcher at UC Berkeley, where I received my PhD in Computer Science under the advisorship of Vern Paxson. My work focuses on novel technological threats to Internet freedom, including new censorship and surveillance tools. My expertise is in Internet scanning and conducting digital investigations. Coverage of my work has been featured in Vanity Fair, the New York Times, the Washington Post, on CNN, and on Larry King.
Articles
Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links
This report describes an espionage operation using government-exclusive spyware to target Mexican government food scientists and two public health advocates.
Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society
This report discusses the targeting of Egyptian NGOs by Nile Phish, a large-scale phishing campaign. Almost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, which has been referred to as an “unprecedented crackdown” on Egypt’s civil society. Nile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests.
Social Engineering Attacks on Government Opponents
Citizen Lab Senior Research Fellow Bill Marczak has co-authored a paper titled “Social Engineering Attacks on Government Opponents: Target Perspectives,” along with Vern Paxson of UC Berkeley.
Tender Confirmed, Rights At Risk: Verifying Netsweeper in Bahrain
In this report, we confirm the use of the services of Canadian company Netsweeper, Inc. to censor access to the Internet in the Kingdom of Bahrain.
The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.
Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents
This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents.
Keep Calm and (Don’t) Enable Macros: Appendices
Appendices for the report “Keep Calm and (Don’t) Enable Macros”
Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation
This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.
What we know about the South Korea NIS’s use of Hacking Team’s RCS
This research note outlines what we know about the use of Hacking Team’s Remote Control System (RCS) by South Korea’s National Intelligence Service (NIS). The note synthesizes information found in publicly leaked materials, as well as our own research.