Thanks so much, everyone. It's our pleasure to finally be here in Montreal with you at NorthSec. I'm Masashi Crete-Nishihata; this is my colleague John Scott-Railton. As Pierre-David said, we are from the Citizen Lab, which is an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto. We work on a variety of things, but one of the main research interests we have is trying to track and understand malware-enabled espionage campaigns targeting civil society. I use that language, "espionage campaign", on purpose, because the purpose of these operations is not to extract intellectual property; it's not financial gain. It is to collect sensitive information from groups doing political work that could threaten those in power.

Over the next hour we're going to break that down for you with some examples from around the world, and we're going to do that in four ways. First, we're going to give you some provocative statements about the state of attacks against civil society. We're going to tell you a good story. We're going to give you some evidence from a number of case studies. And then we're going to zoom out and look at what some of the challenges are for these groups that are targeted, and also for information security professionals like everyone in this room, and how you might help out in this space. So for the provocative statement, let me pass it on to John.

Always happy to be provocative, Masashi. So the first and obvious point is that the internet is an essential part of civil society. Civil society, of course, is jargon for us. What is civil society?
It's not a clothing brand, although that exists. Civil society is the organizations, activists, citizen journalists and others who defend rights, freedoms and democracy. Pretty good people, generally; folks you want to help, but also people who are often thorns in the side of governments and other groups in power. So another obvious point, and this should be pretty familiar to people in the room: it is cheap to connect but expensive to secure, and nowhere is this more true than in threadbare activist organizations doing their best to leverage new media to get their message out, with the predictable result that we watch every day, which is that they are all owned or soon to be owned. So that was the provocative statement.

The good story is two things; two birds, one stone. First, it's a good story, but it's also a little bit of a peek at how we at the Citizen Lab do an investigation, so I'm going to walk through that. Let me introduce you to a pretty cool person. This is Janet Hinostroza. She is an Ecuadorian journalist and television presenter and a royal-sized thorn in the side of the Ecuadorian government. Last year Janet began receiving Spanish-language (because Ecuador) Gmail notifications: account reset stuff, account error stuff, bread-and-butter phishing. Why should anyone care, right? Well, for whatever reason, these made their way to me through a network of connections, and I took a look at the phishing, and what caught my attention was that it wasn't like phishing-generator phishing. This is the base domain, "em google dot us", for those of you who can't read it. So it's like, that's interesting: somebody went to the trouble to register this domain and is hosting the phishing straight there. Raw-dogging it. Why not? Let's look a little bit more. So we did, and the way we did this was kind of interesting. So Janet was our patient zero, and if you've got a bunch of people, you don't know if they're targeted, and you don't necessarily want to expose too much interesting stuff to them.
You can't control their networks. You can't get on their boxes. What do you do? Well, it turns out you can stuff a large number of IOCs into a Gmail search link. So you can just create a URL that obviously doesn't look suspicious at all, right? But if people trust you enough to click this thing, it will search a Gmail inbox, and what we did was we had it search their inboxes for all the terms that I found in Janet's email that I associated with this group. And what did we find? Well, some Flash update notifications, a bunch of other plug-in things; bread and butter, right? Again, OK, so we're looking at some kind of interesting campaign, probably some malware. I couldn't get some of these things to drop, but then it got super weird. The same email addresses were also seeding links to political sites, political news sites, big large-scale fake news websites with original content in, like, Venezuela and Argentina, which was mind-blowing, because usually things are pretty compartmented, right? Phishing, malware, not disinformation. So at this point it's kind of like, OK, this is interesting. And then, paydirt: an email from a fake anti-Correa movement (so Correa, president of Ecuador) had an attachment, which is our jam. That attachment contained this utterly unconvincing Word document, and of course stuffed in an OLE was a piece of malware. So we ran it, looked at it, and things got interesting. And as we began getting more samples we discovered that we were looking at a ginormous campaign, with malware going back to 2008: different RATs, CyberGate, Xtreme RAT, AlienSpy and a bunch of other stuff. And what distinguished these was not the malware that they were using, but that they were packing them pretty effectively.
So low to no AV detection, good stuff, large scale. So get onto Maltego, start looking at command and control. Things are linked; unsurprisingly, infrastructure gets reused all the way back to 2008, which is pretty brazen of this group. But what was really interesting was this particular domain, "day news sites net", and that rang a cowbell-sized bell, because that same domain was associated with a malware attack (unsuccessful) against Alberto Nisman, who is an Argentine prosecutor who allegedly shot himself in the head twice the day before he was going to present a dossier against the Argentine president. This was something that a colleague of mine, Morgan Marquis-Boire, had spotted. So now we knew that we were onto something, but we also began to get paranoid, right? Oh, it's bad people. And just around that time, running this malware in some sandboxes, we started having an interesting moment. So one of the sandboxes was being run by a researcher, who shall remain nameless for their own security, who was staring at the screen, and this popped up. And it says, "You like to play the spy. Well, watch out. It could cost you your life." For the next half hour the operator behind the campaign issued the following threats, among others, popping up on the screen to the researcher in the sandbox environment. So, right, I'm not sure what my favorite is, but it's like, "We're going to analyze your brain with a bullet, and your family too," or, you know, some classic IRC stuff: "You think you're living, but we have your IP right now. You're in trouble. Take your time and scan the processes."
"We're going to get you quickly." Well, they didn't get the researcher quickly, but what it did was flag to us something else that was interesting. So here's Martha Roldós, an Ecuadorian activist who had received physical threats, in real life and via text message, from a group that we believe to be the same group. So we realized that we were playing with a group that felt emboldened to make these threats, and this is kind of an interesting piece of information. Usually an operator, if they discovered that they're sitting on a sandbox, is going to close things down, right? Where possible, restart the machine. Not these guys, not at all. For whatever reason, they felt so emboldened that from their C2 they were issuing these clear-text threats.

So from there we dumped into a documenting phase, and what we tried to do was get a better and more systematic perspective of the threats. We pushed this Google link, the Gmail link, out fairly widely, and we began to see three broad categories of targets. We found journalists. We found, again, civil society (think clothing). And finally government threats, specifically people who were members of Ecuador's political opposition. So what was interesting about this campaign is that it had these three parts: it was malware, phishing, all standard, and then disinformation. And it wasn't just in one country. It was in Venezuela, it was in Ecuador, it was in Argentina. I didn't mention it, but we found malware associated with Brazil going back to 2008. So it wasn't me. So what's going on there? Is that you, Masashi? We began to get a sense that we were looking at a group that probably had the blessing of the regime that it was located in, felt emboldened as a result to conduct illegal activities, and was so emboldened that it would roll the same infrastructure for eight years against political targets throughout Latin America. So here we are, nice little map, right? Kind of the same story. Well, at this point, and because we're not private sector, right?
We didn't just put this in a report and share it with a client or close things down. We got to do the fun part, which is push the information out much more broadly. So we wrote a really cool report and called them Packrat, because they have RATs that they pack, but also they hang on to domains forever. And we worked with a news organization to do a story. So here's Janet again. One of the cool features of this was that we also dumped out all the IOCs and of course worked with providers and hosters to take Packrat down. Interesting fact, further confirming (and I'm not going to state, while I'm standing up here, who we think they are): after a couple of weeks of drama around this case, their infrastructure popped back up, and they're still rolling. So, further confirming the fact that these people feel that they're very likely completely outside the reach of government or prosecution.

So with that we're going to move to some evidence, which Masashi specializes in.

So we're going to go over a number of case studies, but as we do this and do a couple of deep dives into them, I want you guys to keep in mind the big picture: that throughout these cases, from different regions around the world, the message is the same. Civil society is being constantly targeted. Well, how is this done? Well, there's one road to your webcam, but there are three possible paths it can take. The first route is one that, you know, everyone here hears a lot about: advanced persistent threat. What does that really mean? And, you know, there are a number of different white papers out there; they'll have various definitions.
We have this one. So we consider APT to be any national in-house capability that allows for development and operations, and you can think of a number of different well-resourced actors that can do this, for example the NSA, China, Russia, etc. But that's just one route. The second route, that John will talk about a little bit later, is repurposing off-the-shelf malware for espionage operations, and we have some very interesting cases of how this is being done right now during the Syrian civil war. The third route is commercialization, and here we're looking at misuse (important word there, and we'll get back to that later) of lawful intercept tools such as FinFisher and Hacking Team, that y'all might have heard about.

But let's look at APT. So again, APT: buzzword, lots of people say it, lots of people play it. What does it mean? And in a lot of the reports you'll see discussion of attacks against governments, attacks against the private sector, but what about civil society? Well, we had that question, and we did a study that we released a couple of years ago called Communities @ Risk. So what were we looking at in that study? Well, we had ten civil society groups, the majority of which were doing activities related to China, looking at human rights issues in the region, looking at minority ethnic groups such as Tibetans, and we'll get back to that a bit later. So just keep that in mind as we go through these examples. So we worked with these groups for over four years, and we wanted to understand how they're being targeted, how they were reacting to it, and both the technical and political side of these kinds of attacks. And we collected over 2,000 pieces of malware from 44 different malware families. So this is pretty interesting. This is a small sample, ten groups, but you can see they're getting a lot of stuff. So what does this all mean?
Well, finding number one: these targeted operations use the minimum necessary sophistication, and we'll unpack that in a minute. And the most important thing to consider here is that the first target is the human on the other side of the keyboard, and unfortunately all of us in this room have what we like to call forever-day vulnerabilities, and they're very hard to guard against. So what you see here is all of the CVEs of the malware that we collected over four years. The little orange dots are unique attacks, and the grey lines are when that CVE was announced. And I want to draw your attention to the two blobs you'll see here. So that's CVE-2010-3333 and CVE-2012-0158. If anyone here is tracking these kinds of actors, you know what I'm talking about, and you see a pivot from 3333 to 0158. Importantly, these are not zero-days. These are old-days. Like, I'm talking old, and you see they're still being used. So you see that line there, and then you see the activity continue. We did get one zero-day. So you see here the attack happened before the CVE announcement. But this is an important thing to underline, because these are old-days, and, you know, if it's not broke, don't fix it. Why would you burn a sophisticated capability against targets that are, frankly, usually soft targets? So again, over four years of collection, only one zero-day. And if you look at CVE-2012-0158, that was patched on April 10th, 2012, but we still saw operators use it for over a year and a half after it was patched. So what does that mean? It means it was probably working, because the targets they were going after did not have updates on their machines. Perhaps they're running pirated versions of Windows, and so forth. So again, get in the attacker mindset. They're lazy, just like everybody else.
Let's just do what works. So we wanted to do a more rigorous analysis of the data set that we had, so we created something called the Targeted Threat Index, and the idea here is we want to characterize and quantify our data set and try to understand what the severity of these attacks is, both from a social engineering perspective and also, of course, from a technical perspective. So here's how the metric works. It's calculated in two parts: you take a base value score of how sophisticated the social engineering is, and then you have a technical sophistication multiplier. We use a multiplier because the amount of resources, time, effort, and in some cases money, to create a custom piece of malware for a target can be significant. So just keep that in mind. And you take those together and you get a TTI score. So that's a bit abstract, so let's break down how this works. So here's our base value of social engineering. We go from zero to five, and I'll show you some examples to better illustrate what we're looking at. So all of these are real lures sent to groups that we worked with. So here you see the value of one, which means it's been targeted but it's not customized, and in this case the email is inviting you to, I guess, some kind of event. There's not really much information here. It did have malware, but, you know, it's not so convincing. Probably wouldn't open that. Well, how about this one? So this is a two. It's targeted and poorly customized. In this case it was sent to a Tibetan human rights group. It's about an issue that Tibetan groups care about, but again, it's coming from someone you don't know. It doesn't look like a real person; not a lot of pertinent details here. I don't know if I'd click that. But let's up this a bit. So now you have a three, which is targeted and customized. Now we're getting a little more interesting. This person that's named here is a real person.
That is their real email. This in fact could be a real message that they sent that was collected in previous operations. If you are working in the Tibetan community and you got this at your workplace, it seems pretty legit. I might click that. But let's up it even more. So now we're looking at a four: it's targeted, it's personalized, the salutation is addressed directly to the target, and this one is particularly interesting because you can see there are people on the other side of this putting some consideration into the targeting. So in this case it says it's from a Mr. Cheng Li, who's director of research at a China center at the Brookings Institution. Well, if you just googled this title you'd find this gentleman here. Looks legit, you know, he's got his title. OK, that's interesting. Let's take a little bit of a closer look at this email. So, you know, for those of you paying attention out there in the crowd, you might see some funny things. Like, first of all, you know, someone from Brookings is sending from AOL. OK, weird. It's unsolicited, so the person that received this has never met this person before; they are a well-known China scholar. So it's like, wow, they want my opinion as a Tibetan activist on an important Tibetan issue. And you can even see at the bottom it says "thank you again and happy Losar", which is Tibetan New Year. Interesting. And he really, really, really wants you to open this file. So let's just keep that all in mind, but you know what? Two can play this game. So we wrote back to Mr.
Cheng Li, with the permission of the targeted individual, and we said, you know, we'd love to help out, but we're having a bit of a problem with the attachment. Maybe it's because we're on a Mac, you know, Chinese character fonts, computers, I don't know. And, you know, it took a little while for Cheng Li to respond, but hey, he's a busy man, he was traveling, you know. OK, that's legit. And he has another interesting thing to send us, and the interesting thing here is that if you clicked on this URL, it would look at your user agent and what operating system you're on, and if you're on Windows, hey, have some Windows malware, but if you're on a Mac, oh, we've got some nice fresh OS X malware just for you. So, no sir. Thank you, thank you very much. So that's a four. Wow, people on that other side, they're really trying to work to get you to click. What's a five? So it's targeted and it's highly personalized. In fact, it's so personalized we can't ethically show you a real example, but here's a little story of a real example. So you're an NGO and you get an email from your actual funder, and the actual program officer from that funding organization, and they say, "I have an important update for a meeting that we're having two weeks from now," which is a real meeting which was already scheduled. I don't know about you guys; I would probably click that. So that's the social engineering. Across our data set, you'll see here, these are all the scores. We saw a lot of threes, which were pretty good. We saw some fours and fives, but the majority were threes. That means there's a lot of effort being put into these operations to make these emails seem legitimate. But what about the technical side of it? So again, we use a multiplier, and what we're looking at here is the level of effort to obfuscate the code inside the binaries themselves and to obfuscate the functionality when it's on the network. Why do we look at obfuscation?
Well, all the malware we're looking at, the functionality is essentially the same. They're all RATs. They're all looking to do the same thing, and we chose obfuscation because it makes it harder to analyze, which makes our lives harder; it's harder to find it on the network, which makes defenders' lives harder; and again, it's a way to see the differences between them, because the functionality is mostly the same. A two is like FinFisher, Hacking Team level, professional software development, and we didn't see any of these in this data set, but we'll talk more about what that stuff looks like in a bit. So we saw a lot of ones, a lot of one point two fives, some one point fives. So it's not very technically sophisticated overall. If you look at our scores and you put these together, the highest TTI scores were based on high levels of social engineering rather than technical sophistication. So just remember that's where the effort is going in these particular operations, and why? Because it works. Why up the technical sophistication if you don't have to?

OK, so that was finding one. Finding two: who's doing this? Well, we found that the same groups that are targeting the private sector and governments, that we hear a lot about in all the white papers that are out there, are also targeting civil society. So who runs these ops? Well, looking at the TTPs, looking at the malware, looking at shared infrastructure, we identified ten distinct espionage campaigns and threat actors, four of which are known to target government and the private sector, and we know that because of previous reporting by our friends in industry and other research groups. So here's some of them. How many people know NetTraveler?
OK, not a lot of NetTraveler fans in the audience, but they have targeted 350 government, industry and NGO groups. Another one, the DTL group, reported by our friends at FireEye; they have targeted 11 different government and industry verticals. PlugX, again a very prolific group, has targeted a number of government and private sector groups as well as NGOs. Perhaps the most significant one we found were these guys, APT1, which I'm sure everyone in the audience knows. It was reported by Mandiant, apparently linked to a specific unit of the PLA, and interestingly, recently the Department of Justice of the United States served an indictment of five individuals who were apparently connected to this operation. If you read that indictment and the Mandiant report, you'll see all kinds of discussion of industry and government targets, but you won't see any mention of civil society. However, we saw them targeting one of our Tibetan groups, and we also saw an active compromise against a large NGO, which is interesting, and which has over a thousand employees, multiple offices, enterprise-level security, help desk, the works. Probably similar to some of the networks that you guys look at in your day job. And what we saw here is that the APT1 operators had access to the network of the headquarters of this organization for over eight months. What did they do when they had access?
Well, you know, the typical stuff. They moved laterally, they impersonated staff, they installed RATs and they exfiltrated data. Again, you'll see this discussed in the Mandiant report, but not within an NGO, which is important: a non-governmental organization.

So finally we'll look at finding three, and that's that these operators constantly adapt, and we already saw that with our friend Cheng Li and the nice little pivot they did there. But what's interesting is that these adaptations are often in response to defensive measures from the targeted groups, and I just want to share a story about the Tibetan community. Now, this is a community that has been facing these kinds of attacks for over a decade. They are the canaries in the coal mine, so to speak, and they are not lying down on this. They're trying to empower their community through education and through trainings to better equip them with a different mindset (this is a quote from one of the Tibetan trainers) and change their behaviors, and they're doing this really based on data. So in our study we found that file attachments sent in emails were the most common vector for Tibetan organizations. In fact, for two of these groups, if they simply didn't open attachments they would have mitigated 95% of the threats that they received over four years. So that's interesting. So the Tibetan community started this campaign called Detach from Attachments, a nice play on a little piece of Buddhist wisdom that we should all take, and it had a very simple message and three steps. Number one: stop opening attachments. Number two: stop sending attachments. Number three: if you must share a file through email, why don't you try something like Google Drive or Dropbox or some other cloud-based solution?
OK, so that's interesting, you know, we're looking at 95% mitigation here through a simple behavioral change. But you know what? The attackers were paying attention. So in 2014 we saw the first use of Google Drive links as a malware vector. This one's particularly interesting because it's trying to send you a binary of a Tibetan dictionary program, but of course that was also packaged with malware. So this was the first time we saw it, but the trend continues. So you fast-forward a year later, and we saw a whole campaign again sending these links out through Google Drive. And importantly, it's not just Tibetans. So in some more recent work we've done tracking targeted operations against environmental groups working in Burma, they're also receiving Google Drive links, and in our most recent publication we also saw the same vector used against pro-democracy activists in Hong Kong. So that was route one, and I'll pass off to John now for a different route to your webcam.

It's a route to commercial off-the-shelf, also known as "my cousin knows computers and I'm fighting a war and he's going to help me fight it." So in the background are a bunch of Syrians sitting on the ground drinking tea and doing stuff with their computers. So finding number four: harm is not expensive. Masashi just talked about nation-state in-house approaches. Turns out you can go a long way with commercial off-the-shelf malware, and I'm going to talk about one group that's really done more than everyone else to explore that. So back in the day, 2011, the beginning of the thing that ended up being called the Syrian civil war (back then it was a revolution), people were getting onto the streets, and as that happened parts of Syria were no longer under the control of the Syrian regime, right? So they're no longer sitting on the network. So how do they regain visibility?
Into the groups that they want to target? Well, easy: malware. Now, they didn't have a lot of, like, existing relationships with malware vendors at that moment, which we'll talk about in a minute (I guess I'll talk about). So what did they do? Well, they had people who had some degree of sophistication. They just started rolling RATs with social engineering, and there were two groups doing that. One everybody's heard about: the Syrian Electronic Army. One not everybody has heard about: malware groups working for the Syrian regime. So that's 2011, a long time ago; I barely had facial hair. Fast forward a few years and we've got a bunch more groups all doing the same thing. So Lebanese groups targeting the Syrian opposition, and ISIS and Islamist groups targeting the Syrian opposition. There are more, but this is just a couple. What's interesting is that despite the proliferation of groups who all want to know what the opposition is doing, for targeting, they're basically rolling the same TTPs, which we'll talk about in a minute. And I just had to put in this slide. So, Syrian Electronic Army, 2016, big update, very exciting, and an indictment rolls down: some pictures, some names now public. So here are two members of the Syrian Electronic Army. I wouldn't normally read from a slide, but this is just altogether too good. So here's an indictment against the SEA for blackmail, which it turns out they were doing on the side. So Dardar, who's the guy on the right, had hacked a bunch of companies in Europe and was trying to extort them for consulting fees, and this is just like, I guess if you're going to do that, this is probably not how you want to do it.
So Dardar demanded further payments, which he referred to as "blackmail", which is really not what you want to do if you're blackmailing somebody. And then, just like the ultimate moment of Zen: Dardar, in the course of his communications with representatives from Victim One, which is a large institution, occasionally mentioned his affiliation with the Syrian Electronic Army and the fact that he was wanted by the FBI, which, if you're trying to convince a large, risk-averse company to give you some money, is like, I don't know, next level. Despite that, the Syrian Electronic Army is rolling along, targeting the opposition as recently as this week, actually: new attacks. And what's really exercising them at the moment is trying to target mobile phones. The reason for this is that the Syrian opposition, a lot of them are in places that don't have good internet connectivity, but also not stable electricity. So everybody's moving their comms to phones, and all their threat actors are moving there.

Let's talk about the malware group now. These are some super elite gentlemen, right? Here are their pictures, which they injudiciously posted on social media somewhere under different names. So anyway, these are some pictures of the guys, and when they're not doing malware they're also shooting guns at these people, which is a characteristic of this kind of group, and I think it's fair to analogize it to a militia. Online, not a lot of sophistication, not necessarily uniform-wearing, shooting guns on behalf of somebody, digital or otherwise. So how do these malware groups target the Syrian opposition? What are they doing? Well, it turns out that the opposition is growing increasingly paranoid about the possibility that it's being targeted. So malware actors realize this and push out a whole bunch of fake security tools and circumvention tools into opposition forums.
So of course, right, like, if people are afraid of things, why not give them, like, a maliciously bundled circumvention tool, or a maliciously bundled VPN client, or "Amazon Internet Security", which is a fake AV scanner, which probably works. But the very best one ever is this: there was a rumor in the Syrian opposition a couple of years ago that Skype was not safe, which is obviously sort of true, and the malware actors, in a moment of genius, released a Skype encryption program, which you can see on the right of this slide. You'd run this executable and you'd click the button and it would say, like, "Congratulations, your Skype call is encrypted." Nart Villeneuve, friend of the lab, now at FireEye, formerly Trend Micro, released this report, but we had a great laugh when we saw this. Just absolute brilliance. So what are these things bundled with? They're bundled with RATs. Really not sophisticated RATs: Xtreme RAT, ShadowTech RAT, jRAT, Blackshades and a bunch of others. These guys have, like, the shallowest technical pockets in the world. Like, they go to forums and download stuff and bundle it. But it turns out, right, that if you're targeting an opposition group that's not exactly rolling sophisticated secure systems, this works. How well does it work? Well, we all know that someone will always click when you target an organization, right? And the consistent finding of studies about social engineering is that if it's fairly well targeted, 40 to 60% of people, ish, click, right? This is not that different for studies that have been done in the Syrian opposition. But how well does this really work? So I had this picture of a woman for the Lebanese groups earlier, and I'll tell you why. So this is a female avatar who used the Skypes and the Facebooks to seduce
generals and other members of the Syrian fighting opposition, and just brought home the bacon: 64 Skype account databases. It turns out that a really good way, if you want to know how an opposition that's heavily reliant on Skype operates, is to target their machines with a RAT, and then, rather than staying persistent, you just exfil the Skype databases, which have it all. Well, this group didn't really protect their exfil very well, and I and two very smart folks at FireEye did a report on this. Their total haul was 240,000 individual Skype messages: the comms backbone of the Syrian opposition, everything from, like, the movement of weapons to meetings that were about to take place, to political stuff and negotiations. So what does that look like? Well, here are 12,000 dots. I'll geek out a bit, right, a little social network analysis, because I'm fancy. This is data that I generated from their exfil, and I mapped out the way that the targeting actually worked inside this group. So you've got, like, a couple of people who click first, right? So the attackers infected these people, and then they pivoted around throughout the opposition and nailed some higher-profile people who were engaged in comms with a lot of other folks, and that's how they did it, right? The reality is opposition groups work in groups and get targeted as groups, right? It's not an individual thing; it's an organizational thing, despite the fact that the groups that we're looking at don't exactly have a centralized IT policy. So here's the attacker's view of some of these targeted Syrians, right?
So here's a guy. We're looking at the attacker's screen, looking at the victim's screen. You know, it'd be really nice if the victim would, like, tilt the webcam a little bit, because the laptop's kind of badly focused there. And here we have an image of the attacker using a combination of a popped laptop and its webcam, and then a little bit of open-source intelligence gathering on Facebook, to try to ID their target, who they connected with a fighter working with the Syrian opposition. So pretty heavy-duty targeting.

But what they're getting is not just a porn browsing history, although that made up a good chunk of the exfil, but a bunch of other stuff. The information that they get has been used in military raids; targeted assassinations, not just in Syria but also in Turkey; targeted bombing, right, you want to know where an opposition command center is; humiliation operations. I mentioned porn earlier. Turns out if you're a commander and you're an Islamist, a bunch of videos of you doing the nasty in front of your webcam while browsing stuff is really efficient at causing your colleagues to lose confidence in you. And access to sensitive negotiations. So basically, like, wholesale catastrophic "oh no" compromise, death and beyond, right? These are all cases where there's documented evidence. This isn't just talk.

Changing tack a little bit: route three to your webcam, commercialization. So this is some really fun stuff. It turns out that every government wants access to secured communications, right?
Both to block them and to filter them, but also to gain access to denied devices. And some of it's lawful and done with a lot of careful oversight; some of it's not. And there's a giant industry of companies, some you may be familiar with, like perhaps FinFisher or Hacking Team, some perhaps less so, like Advanced German Technology, which also sounds like a bad BMW advertising campaign, selling hacking tools and monitoring tools to governments, and not just Western governments, but anybody who can pay.

So finding five: commercial malware has proliferated globally. So this is some stuff that I and my colleagues Bill Marczak, Claudio Guarnieri and Morgan Marquis-Boire have done, and what we've done is documented the global proliferation of this stuff and also its abuse potential. So what's happening? Well, companies that sell, basically, "lawful intercept malware", which is just a fancy turn of phrase, it borrows the term "lawful interception" from telecom interception, spins it a little bit, and describes it as something that you can do with malware. They're basically just selling sophisticated malware with good obfuscation and persistence, and they're pitched to governments as, right: you have new challenges today, a lot of people's comms are encrypted, some of the stuff that you want is on device, you want to be stealthy, you want to be untraceable, you want to be hidden, right? Buy our stuff, or don't.

So how do countries use this? Well, here's some real examples, right? So this is an email, so email attachment, nuts-and-bolts malware seeding. But also just about every other vector you can think of, right? Download poisoning, over-the-air updates, provided of course that you can pay. And an increasing number of governments are paying. So what does this look like from the operator's
eye view? Well, this is some leaked stuff from Hacking Team. So here they are with the God's-eye view of this little target here, right? Scroll back and forth, look at movement, look at contacts across time, look at social network, browsing stuff, all the things that you can get when you're sitting on people's devices. And one of the key pitches that these companies make, that, you know, the sort of RAT forums can't, is defense against antivirus. So when they sell, they'll typically sell a certification that's like, "For the given period of our contract, your stuff is going to be non-detectable by AV. We guarantee it." And usually there's also, like, some kind of a 0-day service as part of the package.

Now, of course, that feels like a challenge, and some of my brilliant colleagues and I have discovered that it turns out, right, if you have a collection infrastructure and it touches the internet, it too can be enumerated. So we did that, and this was an enumeration that we did in 2014 that came up with 21 suspected government users. We said "suspected", but we'll just say this is where the final chain of the obfuscation proxies was located, right? So some countries here that are perhaps reassuring, and then some that are definitely not. Like, I can't imagine that Nigeria is going to be, like, heavily overseen in terms of how it uses surveillance powers, or Egypt, or Mexico, or really anything else in this map.

So let's talk about real cases, though. So this is Hisham. Hisham's a Moroccan journalist working with a Moroccan journalism organization, and he and a bunch of his colleagues, doing nothing illegal other than documenting civil rights abuses by the Moroccan government and arguing for the freedom of the press, were successfully targeted with Hacking Team's malware, right?
Ethiopia. Ethiopia has a big diaspora, as anyone who's ever taken a taxi cab in Washington, DC will know, and that diaspora, among other things, has its own journalists, serious news organizations. And perhaps the most paranoid group about the diaspora is the Ethiopian government, which bought Hacking Team and FinFisher malware, always wanting to hedge its bets, and has been systematically targeting journalists in its opposition.

Now, something happened last year which was really interesting, which is Hacking Team became Hacked Team and got themselves doxxed massively. So here's a tweet that happened last year on their Twitter feed: "Since we have nothing to hide, we're publishing all of our emails, files and source code," right? It's the ultimate open-source moment. There was a lot of stuff in that dump that was interesting. Among other things, it confirmed our findings and added countries to the list. It also added new victims; we discovered that their stuff had also been used to target journalists in Ecuador and many other places. The key thing is the industry argument about a lot of this stuff is it's lawful intercept, it's sold to governments who are going to oversee how it's used and use it for child pornography and anti-terrorism investigations. The reality, of course, is if you give a government, especially a government with an issue with oversight and corruption and paranoid leadership, the ability to conduct secret surveillance, history tells us they will abuse it.

They also, at Hacking Team, think a lot about us. So it's always very interesting when you find yourself talked about, especially in a document dump. So here we were, reading about ourselves. Prof.
Deibert, director of Citizen Lab, right: he seems to think that he's running a regulatory organization that has some authority over our worldwide business, right? They'd really prefer it if we just left them alone. And in fact, despite the documented use of their tool against completely undeserving victims in many countries around the world, their narrative, of course, is: we're the victims, right, we got hacked.

So finding six: we've been doing this work since 2012, targeting commercial malware, and I'd love to talk to you more about that in questions. And what we've discovered: every time we look, every surface we scratch, more countries are buying, right? Post-Snowden revelations, every country kind of knows what they could get, right, and everyone would like to buy it, and a lot of these companies have recognized this as a market opportunity. So repressive regimes have learned quickly and are sharing a lot of information with each other about what you might do to preserve your government.

I've been talking about Hacking Team. There are a bunch of others. FinFisher, known to many people in the room, is also used widely. Here's a scan that we did last year looking at the endpoints of their obfuscation proxy systems. Bunch of users, many of them likely to use these tools in abusive ways.

So we talked about three routes to your webcam, and what I'd like to do now is roll it over to my colleague Masashi to talk about some interesting challenges.

So first we want to think about the challenges facing civil society, the community that we at the Citizen Lab care about, and, going forward, what's going to be the state of these threats?
Well, I hope you can all have taken the observation that we've tried to share with you, that the barriers to entry for conducting espionage operations are dropping. You don't need a Tailored Access Operations-league group; you don't need, you know, this in-house development capability anymore. If you have money, you can buy these things. You can even just take a RAT from some forum and have some really significant impacts in the real world. So the barriers to entry are low. So what does that mean? We think it means that we're gonna see a lot more threats against civil society groups around the world. This is not just something for groups in certain communities. This is not just something for groups that are rubbing certain powerful actors the wrong way. This is something we're gonna see in a lot of places, and we're gonna see it very soon.

So what about another observation? Well, organization, political mobilization, is going mobile. In many of the countries and regions in the world that we're interested in, people don't have a desktop computer. They have a pocket computer, and this is where their life is. This is where they're organizing their activities. This is where their personal life is. This is where their professional life is. And this is where they're going to get targeted. So, prediction: more threats against mobile very soon, and it's probably already started.

So these are just some general ideas of what's happening around civil society. How does this affect all of you in the room? So, y'all are curious; don't you want to know what you can do? I know some of you do. I know you're thinking it, I can hear it, I can feel it. One of the big challenges that I've observed over the past couple of years: we get a lot of people approaching us who are like, hey, what you do is really cool, how can we help, right? I've got some skills,
I can reverse the things. We like that. One of the challenges that people often face, if they've got some skills or desire to do engagement, is actually the relationship process: how to actually connect with groups who need help. There are things that people in this room do in hardware, and then there are things that y'all do in software, like relationship management; some of those things can be very challenging. And one of the things that we've observed is that when people who have great intentions and want to help cast out looking for a way to do it, unless you're connected with some fairly solid feedback about what needs actually look like and about what the problems are, you can waste effort, you can get frustrated, it can be challenging to actually know if you're accomplishing things. And I know for a fact that a bunch of security companies have tried to do pro bono stuff and found the sort of "how to connect with real targeted groups" to be one of the biggest challenges, a source of risk, reputational risk, a bunch of other concerns.

So our recommendation is to connect with a group that has those relationships, and perhaps good judgment, allegedly, at least. So, we're hiring, and we're one of those groups, we'd like to think so, but we also know the space pretty well. And if people sitting in the room find this at all enticing, or would just like to jam on some mobile reversing, right, the aforementioned, especially APKs that we're looking at, there are plenty of opportunities to do so. So I'd encourage you to grab my colleague Masashi, or, if you must, me. I'm just kidding. And ask us, and we can probably connect you either to somebody who's interested or talk to you more about connecting and working with us.

So with that, we wanted to leave time for questions. So we'd like to do our thanks. Yeah, so big thanks,
first of all, to the NorthSec organizers. It's awesome being here with all of you. You can check out all our reports online at our website, and, you know, research is a team sport at the Citizen Lab. There's a lot of collaborators and team members that made all this research possible; their names are listed there. So thanks to our team and collaborators, and thank all of you for your attention. Yeah, teamwork makes the dream work. That's right. Thanks, guys.