A Stealth Falcon Quietly Snatches Its Twitter Prey

Today, the Citizen Lab is publishing a new report, entitled “Be Calm and (Don’t) Enable Macros: Malware Sent to UK Journalist Exposes New Threat Actor Targeting UAE Dissidents.” The report is authored by Citizen Lab senior researchers Bill Marczak and John Scott-Railton, and details an extensive and highly elaborate targeted digital attack campaign, which we call “Stealth Falcon.” While we have no “smoking gun” (typical for cyber espionage), there is a lot of circumstantial evidence that strongly suggests the United Arab Emirates is responsible for Stealth Falcon.

The New York Times has an exclusive on the report, which can be found here: http://www.nytimes.com/2016/05/30/technology/governments-turn-to-commercial-spyware-to-intimidate-dissidents.html?_r=0

Our full report is here: https://citizenlab.org/2016/05/stealth-falcon/

Journalists, activists — in fact, all of civil society — now depend on and have benefited from social media to conduct their campaigns and communicate with each other, and with confidential sources.  Yet that same dependence on social media has become a principal point of exposure and risk, exploited by criminals, intelligence agencies, and other adversaries determined to silence dissent. Our report offers a shocking exposé into just how elaborate and shifty these campaigns can be, and how serious the consequences are, for those ensnared in them.

The Stealth Falcon case begins when Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received an email in November 2015, purporting to offer him a position on a human rights panel. That email contained a malware-laden attachment from a phony organization. Donaghy has published extensively on abuses by the UAE government, including a series of articles based on leaked emails involving UAE government members. Suspicious that something was awry, Donaghy made the wise move to share his email with Citizen Lab researcher Bill Marczak.

Using a combination of reverse engineering, network scanning, and other highly intricate detective methods that are detailed in the report, Marczak (assisted by John Scott-Railton) unearthed a vast campaign of digital attacks aimed at UAE dissidents, organized primarily through fake Twitter accounts, phony websites, and spoofed emails. The attacks appear to have had extremely serious consequences: many dissidents targeted, and presumably entrapped by Stealth Falcon, disappeared into the clutches of UAE authorities and were reportedly tortured.

The United Arab Emirates is an autocratic regime that governs with strict regulations and harsh punishments. Human Rights Watch’s 2016 UAE country report documents arbitrary arrests and forcible disappearances of regime critics. Amnesty International says that “torture and other ill-treatment of detainees was common” in UAE prisons. It is one of those countries that has for a long time strictly censored the Internet using technology developed by western companies; earlier Citizen Lab research found the services of a Canadian company, Netsweeper, are used by UAE ISPs to restrict access to content critical of the regime. The UAE has purchased “lawful intercept” surveillance systems from the notorious FinFisher and Hacking Team intrusion software vendors, as we have documented in prior reports. It is not yet clear whether what we call “Stealth Falcon” is something the UAE developed itself, or whether it’s part of some kind of commercial service. Regardless, it is a nasty reminder of the way the harsh world of realpolitik actually manifests itself in cyberspace.

There are at least two broader lessons of the Stealth Falcon report. First, the careful, rigorous methods demonstrated by Bill Marczak and John Scott-Railton are exemplary of the power of applying structured research techniques drawn from engineering and computer science to issues of human rights. We hope other university-based research groups are inspired by this mixed-methods approach, and emulate what we are doing around documenting targeted digital attacks. The more this type of research is “normalized” in academia, the less likely abuses of the sort we are unearthing will go unnoticed.

Second, it is clear that autocratic regimes like the United Arab Emirates are now routinely finding ways to project their power through cyberspace by subverting the tools of social media to accomplish their sinister aims. Given that civil society is so deeply immersed in social media, it is imperative that they, and the companies that service them, urgently adapt to and mitigate these new threats. Doing so will require a more mature awareness of the risks that exist in cyberspace, of what to be “on the lookout for” when it comes to those risks, and adjusting behaviour accordingly. Although there were many victims of Stealth Falcon, Donaghy himself was not among them, thanks to his astute recognition that a pleasant, but out-of-the-blue, invitation seemed not quite right.