Turns Out That Maybe You Shouldn’t Trust the ‘Media’

Elias Groll
From Iran to China, repressive governments are posing as journalists to hack into the computers of dissidents and other enemies of the state.

In December 2013, a journalist named Andrew Dwight emailed Rori Donaghy, a journalist with Middle East Eye and a founder of the Emirates Center for Human Rights, which focuses on abuses in the United Arab Emirates.

“I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient,” Dwight wrote, explaining that he was working on a book about his experiences from the Middle East. “My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work.”

The email concluded with a link to an article Dwight wanted to discuss. Donaghy clicked on it, but it wasn’t an innocent connection to a webpage. That link was instead part of an elaborate Internet infrastructure set up to scan computers for vulnerabilities, allowing hackers to later target them with so-called spyware, software that can be used to monitor a computer and its users.

The email from Dwight was a ruse, one piece of a larger campaign that researchers say went after activists and opposition figures online. In fact, Dwight never existed. He was a persona created to win Donaghy’s trust and get him to click on links that surveilled his computer.

Dwight’s creators — hackers likely working on behalf of the UAE government, according to the University of Toronto’s Citizen Lab — made him a journalist for a reason: It’s a remarkably effective tool for spreading spyware. Around the world, authoritarian governments are increasingly using a basic tool of journalism — unsolicited emails to a source or expert — against their opponents by hiding that kind of malware in emails purportedly coming from both real reporters and fake ones like Dwight.

The Citizen Lab, a research group that has done groundbreaking work on digital surveillance, has documented hacking campaigns tied to the governments of the UAE, Iran, Bahrain, and Latin America’s left-leaning dictators in which their spies have posed as reporters in emails and phone calls in order to convince dissidents to click on links and open documents containing spyware.

The tactic provides an easy ruse for government sleuths. Security experts will tell you to be suspicious of unsolicited emails, but writing an unsolicited email is a basic aspect of reporting. Journalists will write to activists and experts they have never met, seeking interviews and expertise. It is an infinitely adaptable cover story, and the autocrats and monarchs of the world are catching on.

In a report released Sunday, the Citizen Lab documents how an UAE hacking group active from 2012 until the present tried to infect the computers of Emirati journalists, activists, and dissidents with spyware via Dwight’s fake persona and other methods.

The Citizen Lab is careful to note that it can’t definitively prove that the hackers, which targeted more than two dozen individuals besides Donaghy, worked on behalf of the UAE, but it lays out compelling circumstantial evidence that the attackers were sponsored by the country.

The hacking group, dubbed “Stealth Falcon,” displayed a level of operational security consistent with a state-sponsored group. Of 27 Twitter accounts targeted by the group, “24 primarily engaged in political activities, or were otherwise critical of the UAE government,” the Citizen Lab found. The group consistently displayed a high level of knowledge about its targets and used that information to write intricate spearfishing emails. Moreover, the Citizen Lab observed a Twitter account tweet a link associated with Stealth Falcon while that account was likely under government control.

Bill Marczak, a senior research fellow at the Citizen Lab and the lead author on the UAE report, called the impersonation of journalists “very effective” for government surveillance campaigns. Sharing links and documents is fundamental to the work of journalists and civil society workers. “This is something that’s natural to how you are interacting online,” he told this reporter, who had written himself an unsolicited email seeking to set up an interview.

The Emirati Embassy in Washington didn’t return a request Tuesday for comment on the report.

Other journalists have also found themselves targeted by hackers posing as reporters. In August 2015, Jillian York, the director of international freedom of expression at the Electronic Frontier Foundation, woke up to a call from a man posing as a Reuters journalist. That man told York that he would soon be sending her some materials that he wanted to discuss and checked that he had the right address for her.

That phone call was the first step in a sophisticated campaign to steal Google credentials for members of the Iranian diaspora that the Citizen Lab traced to Iranian hackers. York was targeted likely as a result of her work with Iranian activist groups.

The fake Reuters reporter likely hoped that he could establish his credibility with a phone call and then trick York into providing her Google username and password. Shortly after the call, the fake reporter sent her an email with what looked like a PDF hosted by Google. By clicking on the link, York would have been taken to a spoofed Google login page, which the hackers would have used to steal her username and password.

But hackers aren’t just creating fake journalist personas to spread spyware. In 2012, hackers working in Bahrain impersonated Al Jazeera journalist Melissa Chan to send emails to activists laced with malware that allowed them to take over their computers. It is unclear, Marczak said, whether the email from Chan infected the computers of any activists.

In a seven-year hacking campaign in Latin America that the Citizen Lab named “Packrat,” hackers went a step further: creating fake news outlets complete with fake articles to bolster their perceived credibility.

That hacking campaign succeeded in installing spyware on the phone of Alberto Nisman, the principal investigator of the 1994 bombing of a Jewish community center in Buenos Aires. He was found dead in his home just hours before he was set to deliver a report on allegations that then-President Cristina Fernández de Kirchner had sought to cover up Iran’s role in the attack.

In China, researchers have observed what is now a strikingly similar pattern of obfuscation in the government’s treatment of Tibetan activists. “We tracked a series of emails designed to trick Tibetan journalists into entering their Google credentials into a phishing page,” said Masashi Crete-Nishihata, the Citizen Lab’s research manager. “One of the messages was made to appear as if it came from the press secretary of the Central Tibetan Administration.”

Just as the Internet has enabled a more free flow of information between journalists and their sources, it has also enabled far greater government surveillance. “This is the flip side of the Internet’s ability to mobilize resources,” said John Scott-Railton, a senior researcher at the Citizen Lab.

But the impersonation of reporters by hackers working on behalf of governments is not limited to authoritarian regimes. In 2007, police in Washington state were trying and failing to identify the source of emailed bomb threats against a local high school when the FBI settled on a novel strategy to identify the suspect.

An agent for the bureau posed as an Associated Press reporter and began exchanging emails with the accounts used to send the threats. The agent sent the suspect a fake AP article about him that contained malware designed to reveal his location.

When the suspect clicked on the link, the software downloaded. Two days after clicking it, police arrested a 10th-grader at Timberline High School, the target of the threats.

Photo credit: Flaticon/Foreign Policy illustration