Targeted Threats

Back to Research

Investigations into the prevalence and impact of digital espionage operations against civil society groups.

Featured in Targeted Threats

December 20, 2020

The Great iPwn: Journalists Hacked with Suspected NSO Group iMessage ‘Zero-Click’ Exploit

December 1, 2020

Running in Circles: Uncovering the Clients of Cyberespionage Firm Circles

August 3, 2020

Nothing Sacred: Religious and Secular Voices for Reform in Togo Targeted with NSO Spyware

CBC: WhatsApp Attributes Hack of 1,400 Users to NSO Group Technology

Citizen Lab senior researcher John Scott-Railton discusses why WhatsApp is suing NSO Group after discovering their spyware was used to target 1,400 users—100 of whom were members of civil society—and why this is a significant bellwether.

Latest Research

Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents

May 29, 2016

This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents.

Keep Calm and (Don’t) Enable Macros: Appendices

May 29, 2016

Appendices for the report “Keep Calm and (Don’t) Enable Macros”

Between Hong Kong and Burma: Tracking UP007 and SLServer Espionage Campaigns

April 18, 2016

In this research note, we analyze a malware campaign targeting Hong Kong democracy activists. Two new malware families are used in the campaign that we name UP007 and SLServer. Previous reports have shown overlap in the tactics, tools, and procedures used in this campaign in other operations targeting groups in Burma, Hong Kong, and the Tibetan community.

Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans

March 10, 2016

This report describes the latest iteration in a long-running espionage campaign against the Tibetan community. We describe how the attackers continuously adapt their campaigns to their targets, shifting tactics from document-based malware to conventional phishing

Packrat: Seven Years of a South American Threat Actor

December 8, 2015

This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.