7 research outputs found
Tainted Leaks: Disinformation and Phishing with a Russian Nexus
Special thanks to David Satter, Raphael Satter, and the Open Society Foundations
for cooperating and providing us with materials necessary to conduct the
investigation.
Thanks to the Citizen Lab team who provided review and assistance, especially Bill
Marczak, Masashi Crete-Nishihata, Etienne Maynier, Adam Senft, Irene Poetranto,
and Amitpal Singh.
We would like to thank additional researchers for comments and feedback
including Jen Weedon, Alberto Fittarelli, Exigent Petrel and TNG.

Documents stolen from a prominent journalist and critic of the Russian government were manipulated and then released as a “leak” to discredit domestic and foreign critics of the government. We call this technique “tainted leaks.”

Support for Citizen Lab’s research on targeted threats comes from the John D.
and Catherine T. MacArthur Foundation, the Open Society Foundations, the Oak
Foundation, Sigrid Rausing Trust, and the Ford Foundation.
Group5: Syria and the Iranian Connection
We thank Noura Al-Ameer for collaborating with this investigation, and for
graciously agreeing to be included in this report. The targeted nature of many
cases means that, without the help of brave targets and victims, we are often left
with a very limited view of what is taking place.
We are exceptionally grateful to colleagues at Citizen Lab for comments, critical
feedback, and assistance with document preparation including Ron Deibert,
Bill Marczak, Morgan Marquis-Boire, Sarah McKune, Masashi Nishihata, Irene
Poetranto, Christine Schoellhorn, and Adam Senft. Thanks also to Justin Kosslyn
and Brandon Dixon for helpful feedback.
We would also like to thank the following teams: Lookout, PassiveTotal and RiskIQ,
VirusTotal, and Cisco’s AMP Threat Grid Team for data correlation.
Very special thanks to other investigators who wished to remain anonymous but
provided exceptionally helpful assistance, especially TNG and Tuka.
Note: the night sky image of Syria used as background for several illustrations is
from CIMSS at the University of Wisconsin Madison.

This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware.
It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community
Special thanks to Tibet Action Institute. Additional thanks to Jakub Dalek,
PassiveTotal, VirusTotal, and TNG.

In this report we track a malware operation targeting members of the Tibetan Parliament that used known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy, revealing a development cycle focused on avoiding basic antivirus detection.
Dark Basin: Uncovering a Massive Hack-For-Hire Operation
We thank the many targets that have helped us during the past three years.
Without your diligence and effort this investigation would not have been possible.
We have special gratitude for the journalists and media outlets for their patience.
We also personally thank several targets in particular for incredible efforts to
help us identify malicious messages and investigate this case: Matthew Earl of
ShadowFall, Kert Davies of the Climate Investigations Center, and Lee Wasserman
of the Rockefeller Family Fund. We thank our colleagues at NortonLifeLock for
their hard work. The sheer scale of activities like Dark Basin makes collaboration
essential. We thank those that have requested to not be named, including TNG.
You know who you are, and your hard work inspires us. Special thanks to Citizen
Lab colleagues, especially Adam Senft, Miles Kenyon, Mari Zhou, and Masashi
Crete-Nishihata. Many thanks to Peter Tanchak. Thanks to The Electronic Frontier
Foundation, especially Eva Galperin and Cooper Quintin.

Over the course of our multi-year investigation, we found that Dark Basin likely conducted commercial espionage on behalf of their clients against opponents involved in high profile public events, criminal cases, financial transactions, news stories, and advocacy. This report highlights several clusters of targets. In future reports, we will provide more details about specific clusters of targets and Dark Basin’s activities.
Missing Link: Tibetan Groups Targeted with 1-Click Mobile Exploits
This report is a collaboration with the Tibetan Computer Emergency Readiness
Team (TibCERT). Special thanks to the TNG & Tommy.

This campaign is the first documented case of one-click mobile exploits used to target Tibetan groups, and reflects an escalation in the sophistication of digital espionage threats targeting the community.