Targeted Threats
Investigations into the prevalence and impact of digital espionage operations against civil society groups.
Featured in Targeted Threats
CBC: WhatsApp Attributes Hack of 1,400 Users to NSO Group Technology
Citizen Lab senior researcher John Scott-Railton discusses why WhatsApp is suing NSO Group after discovering their spyware was used to target 1,400 users—100 of whom were members of civil society—and why this is a significant bellwether.
Latest Research
Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society
This report discusses the targeting of Egyptian NGOs by Nile Phish, a large-scale phishing campaign. Almost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, which has been referred to as an “unprecedented crackdown” on Egypt’s civil society. Nile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests.
Social Engineering Attacks on Government Opponents
Citizen Lab Senior Research Fellow Bill Marczak has co-authored a paper titled “Social Engineering Attacks on Government Opponents: Target Perspectives,” along with Vern Paxson of UC Berkeley.
It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
In this report we track a malware operation targeting members of the Tibetan Parliament that used known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection.
The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender
This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.
Group5: Syria and the Iranian Connection
This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously-reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware.