Rebekah Brown is a senior researcher at the Citizen Lab focussing on targeted threats against civil society. She has over 20 years of experience in threat intelligence and analysis. Before joining the Citizen Lab, Rebekah worked at Apple, where she focused on complex threat models and helped design and implement features for individuals at increased risk for stalking, harassment, and abuse. She is a trained network warfare analyst and previously served as operations chief of a U.S. Marine Corps cyber unit and a U.S. Cyber Command training and exercise lead. Rebekah is a published author on intelligence-driven incident response, and co-author of the SANS course on cyber threat intelligence.
Publications
Tall Tales
How Chinese Actors Use Impersonation and Stolen Narratives to Perpetuate Digital Transnational Repression
In collaboration with the International Consortium of Investigative Journalists (ICIJ), we identified two distinct actors aligned with the People’s Republic of China that have been targeting and impersonating journalists and civil society. Our findings provide insight into the Chinese government’s practice of digital transnational repression and its shift to a system of state-sponsored attacks carried out by private contractors.
Same Sea, New Phish
Russian Government-Linked Social Engineering Targets App-Specific Passwords
In May 2025, Keir Giles, a well-known expert on Russian military operations, was targeted with a highly sophisticated and personalized phishing attack. Using a method not previously observed by the Citizen Lab, the attacker posed as a U.S. State Department employee to convince Mr. Giles to create and send app-specific passwords for his email accounts, bypassing multi-factor authentication. Google spotted and blocked the attack, attributing it to a Russian state-backed operator.
Weaponized Words
Uyghur Language Software Hijacked to Deliver Malware
Our investigation of a spearphishing campaign that targeted senior members of the World Uyghur Congress in March 2025 reveals a highly customized attack delivery method. The ruse used by attackers replicates a pattern in which threat actors weaponize software and websites aimed at preserving and supporting marginalized and repressed cultures to target those same communities.