Targeted Threats

Back to Research

Investigations into the prevalence and impact of digital espionage operations against civil society groups.

Featured in Targeted Threats

March 20, 2019

Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group’s Spyware

November 27, 2018

Reckless VI: Mexican Journalists Investigating Cartels Targeted with NSO Spyware Following Assassination of Colleague

October 1, 2018

The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil

The NSO connection to Jamal Khashoggi

Citizen Lab senior research fellow Bill Marczak and Saudi dissident Omar Abdulaziz joined CNN to discuss how NSO’s Pegasus spyware found on Omar’s phone is linked to Jamal Khashoggi.

Latest Research

Packrat: Seven Years of a South American Threat Actor

December 8, 2015

This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.

Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites

October 16, 2015

This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia. Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community.

Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation

October 15, 2015

This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.

تماس از لندن: فیشینگ رمز عبور دو مرحله‌ای از ایران

August 27, 2015

این گزارش به کمپین رو به رشد حملات فیشینگ علیه کاربران در گستره ایران و حداقل یک حمله به یک فعال غربی می‌پردازد. این حمله‌ها تلاش دارند تا امنیت مضاعفی که از طریق رمز عبور دو مرحله‌ای در گوگل فراهم شده است را دور بزنند و به شکل گسترده‌ای مبتنی بر تماس‌های تلفنی و تلاش برای ورود در زمان حقیقی از سوی مهاجم است. جالب اینجاست که این حمله‌ها عموما با یک تماس تلفنی از کشور انگلستان شروع می‌شده و هکرها به یکی از دو زبان فارسی و یا انگلیسی ارتباط برقرار می‌کرده‌اند.

London Calling: Two-Factor Authentication Phishing From Iran

August 27, 2015

This report describes an elaborate phishing campaign using two-factor authentication against targets in Iran’s diaspora, and at least one Western activist.