Research by the University of Toronto's Citizen Lab shows that computer back doors are a permanent security risk to users throughout the world.
Their research, based on events in the Middle East, demonstrates that readily available commercial software is being used by governments to infiltrate computers used by critics and dissidents.
Bloomberg News reported the case of Ahmed Mansoor, who was sitting in “his study in Dubai and made the mistake of clicking on a Microsoft Word attachment that arrived in an e-mail, labeled ‘very important’ in Arabic, from a sender he thought he recognized.
“With that click, the pro-democracy activist unwittingly downloaded spyware that seized on a flaw in the Microsoft Corp. (MSFT) program to take over his computer and record every keystroke. The hackers infiltrated his digital life so deeply they still accessed his personal e-mail even after he changed his password.
“Since then, Mansoor, 42, an electrical engineer and father of four, says he has suffered two beatings by thugs in September during his campaign for citizens’ civil rights in the Persian Gulf federation of the United Arab Emirates. While those assailants remain unknown, researchers say they’ve figured out what was behind the virtual assault.
“The spyware that penetrated his laptop appears to be a Western-made surveillance tool sold to police and intelligence agencies that’s so powerful it can turn on webcams and microphones and grab documents off hard drives, according to the findings of a study being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab.”
Citizen Lab issued this summation of the report.
In July of this year, Morgan Marquis-Boire and Bill Marczak published analysis of what appeared to be FinSpy, a commercial trojan from the FinFisher suite of surveillance tools sold by Gamma Group International. Their report, From Bahrain with Love: FinFisher’s Spykit Exposed?, presented evidence consistent with the use of FinSpy to target Bahraini dissidents, both within Bahrain and abroad.
A range of other companies sell surveillance backdoors and vulnerabilities for what they describe as “lawful intercept tools.” Recently CSO magazine published an article reporting on claims by anti-virus company Dr Web that a backdoor known as “Crisis” or “DaVinci” was, in fact, the commercial surveillance tool “Remote Control System” sold by Milan, Italy-based lawful intercept vendor Hacking Team [1]. According to an article published by Slate, the same backdoor was used to target Moroccan citizen journalist group Mamfakinch [2].
This report examines the targeting of Mamfakinch and evidence suggesting that the same commercial surveillance toolkit described in these articles appears to have also been used in a recent campaign targeting Ahmed Mansoor, a human rights activist based in the United Arab Emirates (UAE). Additionally, it examines the possibility that a vulnerability linked to the French company VUPEN was used as the vector for intrusion into Ahmed Mansoor’s online presence.
The findings of this report contribute to a body of evidence of a growing commercial market for offensive computer network intrusion capabilities developed by companies in Western democratic countries. While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military, and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human rights records.
The market for commercial computer network intrusion capabilities has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. Following the publication of From Bahrain with Love: FinFisher’s Spykit Exposed, the U.K. government reaffirmed that existing controls restricting the export of cryptographic systems apply to the Gamma Group’s exports of FinSpy.
In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness.
Recent Background: Da Vinci and Mamfakinch.com
On Friday the 13th of July 2012, the Moroccan citizen media and journalism project Mamfakinch [3] was targeted by an electronic attack that used surveillance malware. Mamfakinch.com, a website that is frequently critical of the Moroccan government, received a message via their website directing recipients to a remote webpage:
The text, which hints at a sensitive scoop or lead, translates roughly as “please don’t mention my name and don’t say anything at all [about me] I don’t want to get mixed up in this”.
The logs of the website reveal this message was sent from Moroccan IP space:
18.104.22.168 - - [13/Jul/2012:20:48:46 +0100] "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0" 200 34610 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
22.214.171.124 - - [13/Jul/2012:20:48:47 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9886 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
126.96.36.199 - - [13/Jul/2012:20:50:08 +0100] "POST /nous-contacter/ HTTP/1.1" 200 139 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
188.8.131.52 - - [13/Jul/2012:20:50:12 +0100] "GET /nous-contacter/ HTTP/1.1" 200 9887 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
184.108.40.206 - - [13/Jul/2012:20:50:14 +0100] "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1" 200 9888 "https://www.mamfakinch.com/nous-contacter/" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
The IP from which the targeting message was uploaded (220.127.116.11) is from a Moroccan range dedicated to mobile 3G Internet users in the capital Rabat and its surroundings:
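The log excerpt above is the kind of evidence a site operator works from when a suspicious contact-form message arrives. The following added example (my code, not Citizen Lab's or this blog's) parses combined-format web-server log lines and reconstructs the submitting client's session: the requests from the same address and browser within two minutes of the form POST, which is how the report ties the message to a single sending IP. The log lines, request paths and RFC 5737 documentation addresses are constructed for the example; the two-minute window and the IP-plus-User-Agent client key are assumptions.

```python
import re
from datetime import datetime, timedelta

# Apache "combined" log format, as used in the excerpt:
# client IP, identd, user, [timestamp], "request line", status, size, "referer", "user agent".
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec

def parse_log(lines):
    """Parse every matching line; corrupt or foreign-format lines are skipped, not fatal."""
    return [r for r in (parse_line(l) for l in lines) if r is not None]

def find_submissions(records, form_path):
    """Every POST to the contact form, i.e. each message actually sent through the site."""
    return [r for r in records if r["method"] == "POST" and r["path"] == form_path]

def reconstruct_session(records, submission, window_seconds=120):
    """Requests by the same client (same IP and User-Agent; an assumed key) within
    +/- window_seconds of the form POST, in time order."""
    lo = submission["ts"] - timedelta(seconds=window_seconds)
    hi = submission["ts"] + timedelta(seconds=window_seconds)
    return sorted(
        (r for r in records
         if r["ip"] == submission["ip"] and r["ua"] == submission["ua"]
         and lo <= r["ts"] <= hi),
        key=lambda r: r["ts"],
    )

# Constructed sample log. Addresses come from the RFC 5737 documentation ranges and
# are not real clients; the request sequence mirrors the one quoted in the report.
SENDER_UA = "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1"
FORM_REF = "https://www.mamfakinch.com/nous-contacter/"

def _line(ip, ts, req, status, size, ref, ua):
    return f'{ip} - - [{ts}] "{req}" {status} {size} "{ref}" "{ua}"'

SAMPLE_LOG = [
    _line("203.0.113.7", "13/Jul/2012:20:47:59 +0100", "GET /feed/ HTTP/1.1", 200, 4120, "-", "FeedFetcher/1.0"),
    _line("198.51.100.23", "13/Jul/2012:20:48:46 +0100", "GET /wp-content/plugins/wp-cumulus/tagcloud.swf?r=8659047 HTTP/1.0", 200, 34610, FORM_REF, SENDER_UA),
    _line("198.51.100.23", "13/Jul/2012:20:48:47 +0100", "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1", 200, 9886, FORM_REF, SENDER_UA),
    _line("203.0.113.7", "13/Jul/2012:20:49:30 +0100", "GET /nous-contacter/ HTTP/1.1", 200, 9880, "-", "Mozilla/5.0 (X11; Linux x86_64; rv:13.0) Gecko/20100101 Firefox/13.0"),
    _line("198.51.100.23", "13/Jul/2012:20:50:08 +0100", "POST /nous-contacter/ HTTP/1.1", 200, 139, FORM_REF, SENDER_UA),
    _line("198.51.100.23", "13/Jul/2012:20:50:12 +0100", "GET /nous-contacter/ HTTP/1.1", 200, 9887, FORM_REF, SENDER_UA),
    _line("198.51.100.23", "13/Jul/2012:20:50:14 +0100", "GET /nous-contacter/?_wpcf7_is_ajax_call=1&_wpcf7=2782 HTTP/1.1", 200, 9888, FORM_REF, SENDER_UA),
    _line("198.51.100.23", "13/Jul/2012:21:05:00 +0100", "GET / HTTP/1.1", 200, 12000, "-", SENDER_UA),  # same client, outside the window
    "this line is corrupt and will be skipped",
]

def submission_report(lines, form_path="/nous-contacter/"):
    """For each form submission: the client address, user agent and session timeline."""
    records = parse_log(lines)
    out = []
    for sub in find_submissions(records, form_path):
        session = reconstruct_session(records, sub)
        out.append({
            "ip": sub["ip"],
            "user_agent": sub["ua"],
            "submitted_at": sub["ts"].isoformat(),
            "timeline": [(r["ts"].strftime("%H:%M:%S"), r["method"], r["path"]) for r in session],
        })
    return out

if __name__ == "__main__":
    for rep in submission_report(SAMPLE_LOG):
        print(f'Contact-form message from {rep["ip"]} at {rep["submitted_at"]} ({rep["user_agent"]})')
        for ts, method, path in rep["timeline"]:
            print(f"  {ts} {method} {path}")
```

Keying the session on address plus User-Agent rather than address alone keeps an unrelated visitor behind the same NAT (the second 203.0.113.7 request in the sample) out of the timeline; in a real investigation the resulting address is what gets checked against WHOIS or routing data, as the report does with the Moroccan 3G range.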
The page, found at http://freeme.eu5.org/scandale%20(2).doc, prompted the user to install a malicious Java file, “adobe.jar”: