Rebekah Brown is a senior researcher at the Citizen Lab focussing on targeted threats against civil society. She has over 20 years of experience in threat intelligence and analysis. Before joining the Citizen Lab, Rebekah worked at Apple, where she focused on complex threat models and helped design and implement features for individuals at increased risk for stalking, harassment, and abuse. She is a trained network warfare analyst and previously served as operations chief of a U.S. Marine Corps cyber unit and a U.S. Cyber Command training and exercise lead. Rebekah is a published author on intelligence-driven incident response, and co-author of the SANS course on cyber threat intelligence.
Publications
Same Sea, New Phish
Russian Government-Linked Social Engineering Targets App-Specific Passwords
In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.
Weaponized Words
Uyghur Language Software Hijacked to Deliver Malware
Our investigation of a spearphishing campaign that targeted senior members of the World Uyghur Congress in March 2025 reveals a highly-customized attack delivery method. The ruse used by attackers replicates a pattern in which threat actors weaponize software and websites aimed at preserving and supporting marginalized and repressed cultures to target those same communities.
Virtue or Vice? A First Look at Paragon’s Proliferating Spyware Operations
In our first investigation into Israel-based spyware company, Paragon Solutions, we begin to untangle multiple threads connected to the proliferation of Paragon’s mercenary spyware operations across the globe. This report includes an infrastructure analysis of Paragon’s spyware product, called Graphite; a forensic analysis of infected devices belonging to members of civil society; and a closer look at the use of Paragon spyware in both Canada and Italy.
