This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.
Morgan Marquis-Boire is a Senior Researcher and Technical Advisor at the Citizen Lab at the Munk School of Global Affairs, University of Toronto. He is the Director of Security for First Look Media. Prior to this he worked on the security team at Google. He is a founding member of The Secure Domain Foundation, a non-profit, free, adversary intelligence group. He is a Special Advisor to the Electronic Frontier Foundation in San Francisco and an Advisor to the United Nations Inter-regional Crime and Justice Research Institute. In addition to this, he serves as a member of the Free Press Foundation security advisory board. A native of New Zealand, He was one of the original founders of the KiwiCON hacker conference. His research on surveillance and the digital targeting of activists and journalists has been featured in numerous print and online publications.
This report provides a detailed analysis of two products sold for facilitating targeted surveillance known as network injection appliances. These products allow for the easy deployment of targeted surveillance implants and are being sold by commercial vendors to countries around the world. Compromising a target becomes as simple as waiting for the user to view unencrypted content on the Internet.
We analyze a newly discovered Android implant that we attribute to Hacking Team and highlight the political subtext of the bait content and attack context. In addition, we expose the functionality and architecture of Hacking Team’s Remote Control system and operator tradecraft in never-before published detail.
German Deputy Prime Minister Sigmar Gabriel has announced that Germany will cease to export surveillance technology to a group of countries that includes Turkey, on the grounds that this technology is being used as a means to suppress the citizens of these countries.
Citizen Lab’s Morgan Marquis-Boire spoke to Süddeutsche Zeitung (Germany’s largest daily paper) about the use of so-called “lawful intercept” technology as tools surveillance.
In 2012, together with Eva Galperin from the EFF, Citizen Lab researchers Morgan Marquis-Boire and Seth Hardy identified the use of BlackShades in the targeting of opposition forces in Syria. This work has been featured in the recent coverage of the world wide “BlackShades busts” by the Washington Post, the Daily Beast, The Telegraph, and ThreatPost.
This report outlines an extensive US nexus for a network of servers forming part of the collection infrastructure of Hacking Team’s Remote Control System. The network, which includes data centers across the US, is used to obscure government clients of Hacking Team. It is used by at least 10 countries ranging from Azerbaijan and Uzbekistan to Korea, Poland and Ethiopia. In addition we highlight an intriguing US-only Hacking Team circuit.
In this report, we identified three instances where Ethiopian journalist group ESAT was targeted with spyware in the space of two hours by a single attacker. In each case the spyware appeared to be RCS (Remote Control System), programmed and sold exclusively to governments by Milan-based Hacking Team.