Analysts Reveal Link to Commercial Spyware for Surveillance of Journalists and Activists

March 2017 by RiskIQ

RiskIQ revealed that its intelligence and external threat investigation system,
RiskIQ PassiveTotal™, was a critical tool used by the interdisciplinary research
group, The Citizen Lab, in the discovery of commercial spyware linked to NSO Group
that targeted the mobile phones of United Arab Emirates (UAE) human rights
activists.

“When we joined RiskIQ in 2015, we did so with the intent to improve critical
research so analysts could more efficiently hunt digital threats and proactively
defend their organisations,” said Brandon Dixon, vice president of product at
RiskIQ and co-creator of PassiveTotal. “We design our products for situations
exactly like this, but it is extremely rewarding to hear that we’ve influenced
positive change in the fight for privacy and human rights.”

In its “Stealth Falcon” investigation, The Citizen Lab used PassiveTotal’s
internet data sets and correlation features to query a series of IP addresses used
by the threat actor targeting UAE human rights activists. One query returned a
related domain, together with a registrant email address that did not match any
known Stealth Falcon infrastructure. Pivoting across PassiveTotal’s data sets (IP to
domain, domain to registrant, registrant to other domains), The Citizen Lab linked
that email and domain to a domain registered to NSO Group. Suspecting that these
domains formed an exploit delivery infrastructure, they began looking for messages
containing links into that network.
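The pivot described above (seed IPs, then the domains that resolved to them, then the registrant emails behind those domains, then every other domain those emails registered) is a breadth-first walk over two lookup tables. The following is an added example written for this page, not RiskIQ’s or The Citizen Lab’s code and not the PassiveTotal API; the passive DNS and WHOIS records are constructed, the `.example` names and `198.51.100.0/24`, `203.0.113.0/24`, `192.0.2.0/24` addresses are documentation placeholders, and the `skip_ips` parameter is a hypothetical control for the usual failure mode of this technique: a shared hosting IP that drags unrelated tenants into the graph.

```python
"""Infrastructure pivoting over constructed passive DNS and WHOIS data."""
from collections import deque

# Constructed sample data for this example (not real PassiveTotal records).
# Passive DNS: (resolved IP, hostname).
PASSIVE_DNS = [
    ("198.51.100.10", "login-verify.example"),
    ("198.51.100.10", "secure-update.example"),
    ("203.0.113.7", "secure-update.example"),
    ("203.0.113.7", "news-daily.example"),
    ("192.0.2.44", "shared-host.example"),     # a shared hosting IP
    ("192.0.2.44", "innocent-blog.example"),   # unrelated tenant on that IP
]

# WHOIS: domain -> registrant email (constructed).
WHOIS_EMAIL = {
    "login-verify.example": "ops-a@mail.example",
    "secure-update.example": "ops-a@mail.example",
    "news-daily.example": "ops-b@mail.example",
    "shared-host.example": "ops-b@mail.example",
    "innocent-blog.example": "bloguser@mail.example",
}


def neighbours(node):
    """Return the nodes one pivot away. Nodes are (kind, value) tuples so an
    IP, a domain and an email can never collide as graph keys."""
    kind, value = node
    out = set()
    if kind == "ip":                     # IP -> domains that resolved to it
        out |= {("domain", d) for ip, d in PASSIVE_DNS if ip == value}
    elif kind == "domain":               # domain -> its IPs and registrant
        out |= {("ip", ip) for ip, d in PASSIVE_DNS if d == value}
        if value in WHOIS_EMAIL:
            out.add(("email", WHOIS_EMAIL[value]))
    elif kind == "email":                # registrant -> every domain it registered
        out |= {("domain", d) for d, e in WHOIS_EMAIL.items() if e == value}
    return out


def pivot(seed_ips, max_hops=8, skip_ips=()):
    """Breadth-first expansion from seed IPs. Returns {node: hop_count} for
    every node reached within max_hops. IPs listed in skip_ips (hypothetical
    'known shared hosting' list) are recorded but not expanded further."""
    start = [("ip", ip) for ip in seed_ips]
    hops = {n: 0 for n in start}
    queue = deque(start)
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        if node[0] == "ip" and node[1] in skip_ips and hops[node] > 0:
            continue                     # do not pull in unrelated tenants
        for nxt in neighbours(node):
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    return hops


def new_indicators(hops, known):
    """Values in the pivot graph that were not already in the analyst's set of
    known infrastructure; this is the 'email that differed' moment in the text."""
    return sorted(v for (_, v) in hops if v not in known)


if __name__ == "__main__":
    known = {"198.51.100.10", "login-verify.example", "ops-a@mail.example"}
    graph = pivot(["198.51.100.10"], skip_ips=("192.0.2.44",))
    for node, h in sorted(graph.items(), key=lambda kv: kv[1]):
        print(h, *node)
    print("new:", new_indicators(graph, known))
```

Every hop is a hypothesis, not proof: a registrant email shared by two domains is strong, an IP shared by two domains is only as strong as the number of other domains on that IP. Running the walk once with and once without `skip_ips` shows the difference; without it `innocent-blog.example` and its registrant enter the graph purely because they sit on the same shared address as `shared-host.example`.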

Months later, the human rights defender Ahmed Mansoor, one of the UAE Five, shared
two text messages with The Citizen Lab whose links matched the suspected exploit
infrastructure. The Citizen Lab triggered the exploit infrastructure against a test
device and captured the payload, which turned out to be a remote jailbreak built on a
chain of three iOS zero-days. The finding drew worldwide attention and led Apple to
ship an iOS security update (iOS 9.3.5). Finally, using PassiveTotal, The Citizen Lab
connected the domain registration information from an initial phishing e-mail to a
range of other malicious and fake news websites.

"Analysts at The Citizen Lab have been using PassiveTotal in investigations since
the very first beta of the platform in 2014. Tools like PassiveTotal help us punch
above our weight. Its ease of use, rich data set, and ongoing evolution of its
features make it an excellent tool for our research, and a benchmark that we compare
other options against," said Masashi Crete-Nishihata, research manager, The Citizen
Lab.

To learn more about how RiskIQ PassiveTotal supports investigations that contribute
to the public good, read RiskIQ’s blog post, RiskIQ’s PassiveTotal: Enabling The
Citizen Lab Investigations.
