Comparative Analysis of Targeted Cyber Threats Against Human Rights Organizations

Principal Investigator: Professor Ronald J. Deibert (Citizen Lab, at the Munk School of Global Affairs, University of Toronto).

Sponsor: John D. and Catherine T. MacArthur Foundation

The Citizen Lab at the Munk School of Global Affairs, University of Toronto, seeks organizations to participate in its study “Comparative Analysis of Targeted Cyber Threats against Human Rights Organizations.” The purpose of this study is to conduct a comparative analysis of targeted malware (malicious software) attacks and other cyber threats (e.g. denial of service attacks, Internet censorship, etc.) against human rights and civil society organizations to better understand the technical and social nature of the attacks and the political context that may motivate them.

Human rights and civil society organizations face a growing spectrum of cyber threats including Internet filtering, website defacements, denial of service attacks, and targeted malware attacks. Human rights and civil society organizations can be particularly vulnerable to such attacks due to limited resources or lack of security awareness.

Of these threats, targeted malware attacks in particular are a growing problem. Typically, a target of such an attack receives an email, possibly appearing to be from someone they know, containing text that urges the user to open an attached document (or visit a website). If the user opens the attachment with a vulnerable software application and no other mitigations are in place, their computer will likely be compromised. Once the victim’s computer is compromised, attackers can extract documents, email, and other data, and possibly use the infected computer as a mechanism to exploit the victim’s contacts or other computers on the same network.

The Citizen Lab seeks to work with a wide range of diverse human rights and civil society organizations during the course of this study in order to better understand the technical and social nature of targeted cyber attacks and the political context that may motivate them. Obtaining email malware samples from participating organizations is one important component of the study. However, the Citizen Lab seeks to understand the context of the targeted cyber attacks as well, such that obtaining information from participants about their work and experiences is also essential. Accordingly, participation in the study will entail occasional interviews and other communications between the Citizen Lab and participating organizations.

The Citizen Lab will not disclose the identity of organizations participating in the study. At the conclusion of the study, the Citizen Lab will publish its findings utilizing pseudonyms. Every effort will be made to keep personal information collected during the course of this study confidential.

Participation in the study will primarily include (but may not be limited to) the following activities:

  1. Data sharing and submission of technical samples of targeted malware attacks.

    Participating organizations consent to send email messages they receive that are believed to contain targeted malware to a special email address administered by the research team for the purposes of this study. Each email message shared with the research team must be transmitted in a manner that preserves the following: the sender email address, the recipient address, originating IP address, the email headers, subject line, the message body, and file attachments. The Citizen Lab will provide detailed instructions on submission procedures.

    The Citizen Lab may also contact the organization for background information concerning particular submissions.

  2. Participation in interviews.

    At the onset of participation in the study, the Citizen Lab will interview two individuals from each organization: the staff member spearheading the organization’s program work (e.g., Program Director) and the staff member primarily responsible for the organization’s IT security (e.g., IT Officer). The interviews will include questions regarding the organization’s work, staff awareness of computer security attacks against the organization, and general information security policies for addressing attacks. The interviews will be audio recorded and transcribed. The Citizen Lab will work with the organization to schedule such interviews at a mutually agreeable time.

    After the interviews, the Citizen Lab may also occasionally engage in follow-up communications with the organization.

The Citizen Lab plans to conclude the study at approximately the end of 2012.

Every effort will be made to keep personal information collected during the course of this study confidential. Only members of the research team will have access to personally identifiable data, which will be stored securely. No information about the organization, or provided by the organization during the research, will be disclosed to others without the prior consent of the organization. When the results of the research are published or discussed in public presentations, organizations will be assigned pseudonyms and no information will be included that would reveal identity.

An organization’s participation in this study may help contribute to the public good by educating society, and the human rights community in particular, about the computer network threats human rights and civil society organizations face. The full findings of the study (utilizing pseudonyms) will be published, made publicly available, and presented during conferences and other public speaking events.

The Citizen Lab will also periodically supply information on the study findings to participating organizations. This information will include:

  1. Threat alerts: When the research team discovers a critical threat, it will notify study participants of the details of the threat.
  2. Statistics and highlights bulletins: The research team will occasionally prepare summary bulletins for the organization on the samples provided and/or notable developments concerning targeted malware attacks. These bulletins may include information on whether the samples submitted were positively identified as malicious software; how many anti-virus software products were able to successfully detect the sample as malicious software; or the technical behavior of the most significant malware received.
  3. Summary Report: At the completion of the study, participating organizations will be provided with an analysis of the samples shared with the research team. In addition to a written report, the analysis may also include a presentation component, if an organization is interested and members of the Citizen Lab research team are available. This analysis may help an organization gain a better understanding of the computer network attacks it receives.

The Citizen Lab will endeavor to stay in regular contact with study participants, but cannot guarantee the frequency of updates.

Organizations that meet the following criteria are eligible to participate in this study:

  1. The organization’s mission concerns the promotion or protection of human rights. For purposes of this study, “human rights” means any or all of the rights enumerated under the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and the International Covenant on Economic, Social and Cultural Rights.

    An organization the mission of which does not directly implicate human rights, but may nonetheless be affected by malware for the purpose of compromising human rights (e.g., media outlets that regularly report on human rights violations), may contact the Citizen Lab to request consideration for participation.

  2. The organization commits to active cooperation in all research steps outlined above in the “Scope of Participation” section. On average it is expected that participation will require 1-3 hours a week over the course of the study.

If an organization fails to meet these criteria at any point during the study, that organization may be excluded from the study. (See “Opt-Out or Dismissal from the Study” section.)

Acceptance of organizations for participation in the study is at the sole discretion of the Citizen Lab.

Activities Outside the Scope of the Study

Please be aware that this study is strictly an academic research activity. Our goal is to better understand the technical, political, and social aspects of targeted malware attacks on human rights and civil society organizations. We cannot provide technical support, incident response, information security recommendations, or any other such security services to you or your organization.

Opt-Out or Dismissal from the Study

The Citizen Lab may withdraw an organization from participating in this research if circumstances arise that warrant such action – for example, if the organization fails to send sample data or participate in interview sessions. An organization can also decide not to take part in this study; if it does take part, it is free to withdraw its consent to and discontinue participation at any time.

How To Enroll

If you are interested in participating in this study and would like further information, please contact the Citizen Lab at hrthreats[AT] Enrollment requires an informed consent meeting during which full details on the study will be provided and any questions you may have will be answered.