John Scott-Railton | Citizen Lab, University of Toronto
Papers by John Scott-Railton
This report describes an extensive malware, phishing, and disinformation campaign active in several Latin American countries, including Ecuador, Argentina, Venezuela, and Brazil. The nature and geographic spread of the targets seems to point to a sponsor, or sponsors, with regional, political interests. The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes. These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters. After observing a wave of attacks in Ecuador in 2015, we linked these attacks to a campaign active in Argentina in 2014. The targeting in Argentina was discovered when the attackers attempted to compromise the devices of Alberto Nisman and Jorge Lanata. Building on what we had learned about these two campaigns, we then traced the group's activities back as far as 2008. This report brings together many of the pieces of this campaign, from malware and phishing, to command and control infrastructure spread across Latin America. It also highlights fake online organizations that Packrat has created in Venezuela and Ecuador. Who is responsible? We assess several scenarios, and consider the most likely to be that Packrat is sponsored by a state actor or actors, given their apparent lack of concern about discovery, their targets, and their persistence. However, we do not conclusively attribute Packrat to a particular sponsor.
This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, the Oromia Media Network (OMN), a PhD student, and a lawyer. During the course of our investigation, one of the authors of this report was also targeted. We found a public logfile on the spyware's command and control server and monitored this logfile over the course of more than a year. We saw the spyware's operators connecting from Ethiopia, and infected computers connecting from IP addresses in 20 countries, including IP addresses we traced to Eritrean companies and government agencies. Our analysis of the spyware indicates it is a product known as PC Surveillance System (PSS), a commercial spyware product with a novel exploit-free architecture. PSS is offered by Cyberbit — an Israel-based cyber security company that is a wholly-owned subsidiary of Elbit Systems — and marketed to intelligence and law enforcement agencies. We conducted Internet scanning to find other servers associated with PSS and found several servers that appear to be operated by Cyberbit themselves. The public logfiles on these servers seem to have tracked Cyberbit employees.
The anonymous targets who have generously shared these materials with us; Jillian York (EFF); Citizen Lab colleagues including Morgan Marquis-Boire, Masashi Crete-Nishihata, Bill Marczak, Ron Deibert, Irene Poetranto, Adam Senft, and Sarah McKune; Gary Belvin (Google) and Justin Kosslyn (Google Ideas); Cyber Arabs; Jordan Berry, Nart Villeneuve; and two anonymous colleagues. Thanks also to Frederic Jacobs who suggested a change to the wording of the HTTPS check text.
IEEE Security & Privacy, 2016
Digital security breaches can cause harm to grantees, as well as their clients, beneficiaries, and partner organizations. These threats also pose a risk to grantmakers and to the larger strategies of impacted organizations. Security leaks can compromise an organization's ability to carry out its work, and can erode trust between civil society actors. This guide is to help grantmakers both assess and address digital security concerns. It explores the types of digital threats against civil society and the obstacles to addressing them. It explains how to conduct a digital security "triage" of grants to elevate the digital security of your whole grant portfolio, while paying special attention to the highest-risk grantees. And it provides suggestions for pathways to think more systematically about digital security.
Over 76 messages with links to NSO Group’s exploit framework were sent to Mexican journalists, lawyers, and a minor child (NSO Group is a self-described “cyber warfare” company that sells government-exclusive spyware). The targets were working on a range of issues that include investigations of corruption by the Mexican President, and the participation of Mexico’s Federal authorities in human rights abuses. Some of the messages impersonated the Embassy of the United States of America to Mexico, others masqueraded as emergency AMBER Alerts about abducted children. At least one target, the minor child of a target, was sent infection attempts, including a communication impersonating the United States Government, while physically located in the United States.
In this report we track a malware operation targeting members of the Tibetan Parliament over August and October 2016. The operation uses known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy revealing a development cycle focused on avoiding basic antivirus detection. This operation is another example of a threat actor using “just enough” technical sophistication to exploit a target.