30 research outputs found

    Planet Netsweeper

    Internet filtering technologies play a critical role in shaping access to information online. Whether we are connecting to the Internet from our homes, coffee shops, libraries, or places of work, software that inspects, manages, and/or blocks our communications has become commonplace. When used at the level of large, consumer-facing Internet Service Providers (ISPs), Internet filtering technologies can have significant human rights impacts. A growing number of governments employ Internet filtering systems at this scale in order to undertake national-level censorship of the Internet. Filtered content ranges from pornography, hate speech, and speech promoting or inciting violence, to political opposition websites, news websites, websites affiliated with various religions, and everything in-between. The growing responsibilities among network operators to filter content, either within private enterprises or on public networks, have given rise to a large and lucrative market. One industry report estimated the value of the web content filtering market at $3.8 billion USD by 2022. While network operators can manually configure their infrastructure to block specific websites or applications, the task can be time-consuming, complicated, and ineffective. Internet filtering companies provide professional services to ISPs and other clients to take care of this responsibility. Typically, Internet filtering companies dynamically categorize Internet resources and then let their clients choose pre-selected content categories or services that they wish to block. Customers can also add custom lists of their own to content that is filtered or blocked. In the hands of authoritarian regimes, such professional services can limit the ability of citizens to communicate freely and help impose opaque and unaccountable controls on the public sphere.

    Move Fast and Roll Your Own Crypto: A Quick Look at the Confidentiality

    Thanks to Masashi Nishihata, Miles Kenyon, and Lotus Ruan. This report examines the encryption that protects meetings in the popular Zoom teleconference app. We find that Zoom has “rolled their own” encryption scheme, which has significant weaknesses. In addition, we identify potential areas of concern in Zoom’s infrastructure, including observing the transmission of meeting encryption keys to China. Bill Marczak’s work on this report is partially supported by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley and the International Computer Science Institute. The Citizen Lab is grateful for support from the Ford Foundation and the John D. and Catherine T MacArthur Foundation.

    From Bahrain with Love: FinFisher’s Spy Kit Exposed?

    Produced by the Citizen Lab at the Munk School of Global Affairs, University of Toronto. This post contains analysis of several pieces of malware obtained by Vernon Silver of Bloomberg News that were sent to Bahraini pro-democracy activists in April and May of this year. The purpose of this work is identification and classification of the malware to better understand the actors behind the attacks and the risk to victims. This analysis suggests the use of “Finspy”, part of the commercial intrusion kit, Finfisher, distributed by Gamma International.

    The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender

    Special thanks to the team at Lookout that we collaborated with in our investigation, especially: Max Bazaliy, Andrew Blaich, Kristy Edwards, Michael Flossman, Seth Hardy, and Mike Murray. Very special thanks to our talented Citizen Lab colleagues, especially: Ron Deibert, Sarah McKune, Claudio Guarnieri, Adam Senft, Irene Poetranto, and Masashi Nishihata. Special thanks to the teams at Apple Inc. with whom we have been in contact for their prompt and forthright engagement during the disclosure and patching process. Special thanks to Nicholas Weaver for supplying the iPhone that we infected in Section 4. Special thanks to Zakir Durumeric. Special thanks to TNG and others who provided invaluable assistance, including with translation, but requested to remain anonymous. Thanks to PassiveTotal. This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware. Citizen Lab’s research into targeted threats against civil society is supported by the John D and Catherine T MacArthur Foundation. This material is also based upon work supported by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley.

    NSO Group Infrastructure Linked to Targeting of Amnesty International and Saudi Dissident

    Citizen Lab validates Amnesty International investigation showing targeting of staff member and Saudi activist with NSO Group’s technology. Bill Marczak’s work on this project was supported by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley. This work was also supported by grants to the Citizen Lab from the Ford Foundation, the John T. and Catherine D. MacArthur Foundation, the Oak Foundation, the Open Society Foundations, and the Sigrid Rausing Trust.

    Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society

    Very special thanks to Citizen Lab colleagues including Ron Deibert, Claudio Guarnieri, Sarah McKune, Ned Moran, Masashi Crete-Nishihata, Irene Poetranto, Adam Senft, and Amitpal Singh. Citizen Lab also thanks T. Nebula, unnamed security researchers, TNG, and Internews. This report discusses the targeting of Egyptian NGOs by Nile Phish, a large-scale phishing campaign. Almost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, which has been referred to as an “unprecedented crackdown” on Egypt’s civil society. Nile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests.

    Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links

    We would like to thank our Citizen Lab colleagues Ron Deibert, Irene Poetranto, Adam Senft, Sarah McKune, and Adam Hulcoop. Additional thanks to other researchers, Jen Weedon, and TNG. Special thanks to R3D and SocialTIC for their assistance with this project. Without their extensive work assembling this case, our report would not have been possible. We thank Access Now, especially their Help Line team, and Amnesty International for assistance compiling evidence, and ensuring that this case came to our attention. This report describes an espionage operation using government-exclusive spyware to target Mexican government food scientists and two public health advocates.

    Pay No Attention to the Server Behind the Proxy: Mapping FinFisher’s Continuing Proliferation

    Special thanks to Citizen Lab colleagues Morgan Marquis-Boire and Claudio Guarnieri, as well as Ron Deibert and Masashi Crete-Nishihata. Special thanks to the Open Technology Fund. Thanks to Vern Paxson and Jason Passwaters. This post describes the results of Internet scanning we recently conducted to identify the users of FinFisher, a sophisticated and user-friendly spyware suite sold exclusively to governments. We devise a method for querying FinFisher’s “anonymizing proxies” to unmask the true location of the spyware’s master servers. Since the master servers are installed on the premises of FinFisher customers, tracing the servers allows us to identify which governments are likely using FinFisher. In some cases, we can trace the servers to specific entities inside a government by correlating our scan results with publicly available sources.

    Champing at the Cyberbit: Ethiopian Dissidents Targeted with New Commercial Spyware

    Thanks also to Erik Zouave, Masashi Crete-Nishihata, Lex Gill, Etienne Maynier, Adam Senft, Miles Kenyon, Jawar Mohammed, Etana Habte, Henok Gabisa, and Felix Horne and Cynthia Wong from Human Rights Watch. This report describes how Ethiopian dissidents in the US, UK, and other countries were targeted with emails containing sophisticated commercial spyware posing as Adobe Flash updates and PDF plugins. Targets include a US-based Ethiopian diaspora media outlet, a PhD student, a lawyer, and even a Citizen Lab researcher. This work was supported in part by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley.

    The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil

    In this report, we describe how Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake package delivery notification. We assess with high confidence that Abdulaziz’s phone was infected with NSO’s Pegasus spyware. We attribute this infection to a Pegasus operator linked to Saudi Arabia. Bill Marczak’s work on this project was supported by the Center for Long Term Cybersecurity (CLTC) at UC Berkeley. This work was also supported by grants to the Citizen Lab from the Ford Foundation, the John T. and Catherine D. MacArthur Foundation, the Oak Foundation, the Open Society Foundations, and the Sigrid Rausing Trust.