John Scott-Railton is a Senior Researcher at The Citizen Lab. His work focuses on technological threats civil society, including targeted malware operations, cyber militias, and online disinformation. His greatest hits include a collaboration with colleague Bill Marczak that uncovered the the systematic use of Pegasus spyware to target civil society in several countries, including Mexico and the UAE. Pegasus is developed by the Israeli cyber-warfare company NSO Group and sold exclusively to governments. That investigation also uncovered the first iPhone zero-day and remote jailbreak seen in the wild. Other investigations with Citizen Lab colleagues include the first report of ISIS-led malware operations, China's "Great Cannon," the Government of China's nation-scale DDoS attack, and the 'tainted leaks' disinformation campaigns strongly linked to the Russian Government. These investigations, and others, have served as the basis for criminal investigations and lawsuits. John has also investigated the manipulation of news aggregators such as Google News, and privacy and security issues with fitness trackers. Recently, John was a fellow at Google Ideas and Jigsaw at Alphabet. John has undergraduate degrees from the University of Chicago and a Masters from the University of Michigan. He is completing a PhD at UCLA. Previously he founded The Voices Projects, collaborative information feeds that bypassed internet shutdowns in Libya and Egypt. John's work has been covered by Time Magazine, BBC, CNN, The Washington Post, and the New York Times. He can be reached at jsr [at] citizenlab.ca
Our analysis of spyware covertly implanted on a phone returned to a Russian programmer after he was released from custody, finds that the spyware placed on his device allows the operator to track a target device’s location, record phone calls, keystrokes, and read messages from encrypted messaging apps, among other capabilities.
A sophisticated spear phishing campaign has been targeting Western and Russian civil society. In collaboration with Access Now, and with the participation of numerous civil society organizations, we uncover this operation and link it to COLDRIVER, a group attributed by multiple governments to the Russian Federal Security Service (FSB).
In a joint investigation with Access Now, we found that seven Russian and Belarusian-speaking independent journalists and opposition activists based in Europe were targeted and/or infected with NSO Group’s Pegasus mercenary spyware.
We confirm that two members of Serbian civil society were targeted with spyware earlier this year. Both have publicly criticized the Serbian government. We are not naming the individuals at this time by their request. The Citizen Lab’s technical analysis of forensic artifacts was conducted in support of an investigation led by Access Now in collaboration with the SHARE Foundation. Researchers from Amnesty International independently analyzed the cases and their conclusions match our findings.
بين شهري مايو وسبتمبر 2023، استُهدِف عضو البرلمان المصري السابق أحمد الطنطاوي ببرنامج التجسس Predator من Cytrox عبر روابط أُرسلت إليه عبر رسائل قصيرة و رسائل WhatsApp. وقع الاستهداف بعد أن صرح الطنطاوي علنًا بخطته للترشح لمنصب الرئاسة في الانتخابات المصرية لعام 2024.
Amnesty International’s Security Lab has just published Caught in the Net as part of the European Investigative Collaborations‘ Predator Files, which details a threat actor sending what they assess to be Predator infection links on social media in replies to Twitter / X posts by officials, journalists and other members of civil society. The Citizen… Read more »
Between May and September 2023, former Egyptian MP Ahmed Eltantawy was targeted with Cytrox’s Predator spyware via links sent on SMS and WhatsApp after Eltantawy publicly stated his plans to run for President in the 2024 Egyptian elections. As Egypt is a known customer of Cytrox’s Predator spyware, and the spyware was delivered via network injection from a device located physically inside Egypt, we attribute the attack to the Egyptian government with high confidence.
In an investigative collaboration with Access Now, the Citizen Lab has analyzed forensic artifacts from the iPhone of award-winning exiled Russian investigative journalist Galina Timchenko and found with high confidence that on or around February 10th, 2023 it was infected with NSO Group’s Pegasus spyware.
Citizen Lab found an actively exploited zero-click vulnerability being used to deliver NSO Group’s Pegasus mercenary spyware while checking the device of an individual employed by a Washington DC-based civil society organization with international offices. We refer to the exploit chain as BLASTPASS. The exploit chain was capable of compromising iPhones running the latest version of iOS (16.6) without any interaction from the victim.
We identified widespread Pegasus spyware infections within Armenian civil society. We also identified two suspected Pegasus operators in Azerbaijan, whom we call BOZBASH and YANAR.
