Targeted Threats

Back to Research

Investigations into the prevalence and impact of digital espionage operations against civil society groups.

Featured in Targeted Threats

September 24, 2019

Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits

March 20, 2019

Reckless VII: Wife of Journalist Slain in Cartel-Linked Killing Targeted with NSO Group’s Spyware

November 27, 2018

Reckless VI: Mexican Journalists Investigating Cartels Targeted with NSO Spyware Following Assassination of Colleague

CBC: WhatsApp Attributes Hack of 1,400 Users to NSO Group Technology

Citizen Lab senior researcher John Scott-Railton discusses why WhatsApp is suing NSO Group after discovering their spyware was used to target 1,400 users—100 of whom were members of civil society—and why this is a significant bellwether.

Latest Research

Packrat: Seven Years of a South American Threat Actor

December 8, 2015

This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes.

Targeted Malware Attacks against NGO Linked to Attacks on Burmese Government Websites

October 16, 2015

This report analyzes a campaign of targeted attacks against an NGO working on environmental issues in Southeast Asia. Our analysis reveals connections between these attacks, recent strategic web compromises against Burmese government websites, and previous campaigns targeting groups in the Tibetan community.

Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation

October 15, 2015

This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.

تماس از لندن: فیشینگ رمز عبور دو مرحله‌ای از ایران

August 27, 2015

این گزارش به کمپین رو به رشد حملات فیشینگ علیه کاربران در گستره ایران و حداقل یک حمله به یک فعال غربی می‌پردازد. این حمله‌ها تلاش دارند تا امنیت مضاعفی که از طریق رمز عبور دو مرحله‌ای در گوگل فراهم شده است را دور بزنند و به شکل گسترده‌ای مبتنی بر تماس‌های تلفنی و تلاش برای ورود در زمان حقیقی از سوی مهاجم است. جالب اینجاست که این حمله‌ها عموما با یک تماس تلفنی از کشور انگلستان شروع می‌شده و هکرها به یکی از دو زبان فارسی و یا انگلیسی ارتباط برقرار می‌کرده‌اند.

London Calling: Two-Factor Authentication Phishing From Iran

August 27, 2015

This report describes an elaborate phishing campaign using two-factor authentication against targets in Iran’s diaspora, and at least one Western activist.