Law enforcement-grade malware increasingly used to target dissidents

11 October 2012

Malware developed by the 'good guys' is increasingly falling into the wrong hands, according to a new report from Citizen Lab. The organization says that there is evidence of a growing commercial market for offensive computer network intrusion capabilities developed by security companies in Western democratic countries.

“While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human-rights records,” said Citizen Lab Security Researcher Morgan Marquis-Boire in his report.

The market for commercial computer network intrusion capabilities (surveillance backdoors and vulnerabilities usually described as “lawful intercept tools”) has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. The latest evidence for the phenomenon comes from Marquis-Boire’s analysis of malicious software used to compromise a high-profile dissident residing in the United Arab Emirates.

“In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness,” said Marquis-Boire.

The recent attack targeted Ahmed Mansoor, a prominent UAE blogger and one of the “UAE Five,” a group of Emirati activists who were imprisoned from April to November 2011 on charges of insulting president Khalifa bin Zayed Al Nahyan, vice president Mohammed bin Rashid Al Maktoum, and Crown Prince Mohammed bin Zayed Al Nahyan.

In July, he received an email urging him to read a “very important message,” which contained a malicious attachment. When Mansoor opened the document, his suspicions were aroused due to the garbled text displayed. His reaction turned out to be prescient: his email account was later accessed from a string of suspicious IP addresses.

“To the user it appears to be a Microsoft Word document, however it in fact is an RTF file containing an exploit which allows the execution of code that downloads surveillance malware,” said Marquis-Boire. “This document exploits a stack-based buffer overflow in the RTF format that has been previously

The findings indicate that the software is a commercial surveillance backdoor distributed by an Italian company known as Hacking Team, first identified by Russian anti-virus company Dr. Web. It has been called “Remote Control System”, “Crisis” and “DaVinci.” The report also found evidence for the potential involvement of vulnerabilities sold by a French company, VUPEN.
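The delivery described above relies on an attachment that looks like a Word document but is really an RTF file. A defender-side check for that mismatch, added here as an example and not code from the Citizen Lab report, compares an attachment's claimed extension with the container format its leading bytes actually announce; the sample attachments are constructed and carry no exploit.

```python
import os

# Magic bytes for the container formats Word opens: the OLE2 compound-document
# header (legacy .doc), the ZIP local-file header (OOXML .docx) and the RTF
# control word that every RTF file starts with.
SIGNATURES = {
    "ole2": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",
    "ooxml": b"PK\x03\x04",
    "rtf": b"{\\rtf",
}

# Container each extension is expected to carry.
EXPECTED = {".doc": "ole2", ".dot": "ole2", ".docx": "ooxml",
            ".docm": "ooxml", ".rtf": "rtf"}


def detect_container(data: bytes) -> str:
    """Return the container type implied by the leading bytes, or 'unknown'."""
    for name, magic in SIGNATURES.items():
        if data.startswith(magic):
            return name
    return "unknown"


def check_attachment(filename: str, data: bytes) -> dict:
    """Flag attachments whose real container does not match their extension."""
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_container(data)
    expected = EXPECTED.get(ext)
    if expected is None:
        verdict = "unhandled-extension"
    elif actual == "unknown":
        verdict = "unrecognised-content"
    elif actual != expected:
        verdict = "mismatch"        # e.g. RTF body behind a .doc name
    else:
        verdict = "ok"
    return {"file": filename, "claimed": expected, "actual": actual, "verdict": verdict}


# Constructed samples (hypothetical names, no real malware): a genuine legacy
# .doc, a genuine .docx, and an RTF body carrying a .doc name.
SAMPLES = {
    "report.doc": SIGNATURES["ole2"] + b"\x00" * 24,
    "notes.docx": SIGNATURES["ooxml"] + b"\x14\x00\x00\x00",
    "very_important_message.doc": b"{\\rtf1\\ansi\\deff0 hello}",
}


def scan_samples() -> list:
    """Run the check over every constructed sample and return the verdicts."""
    return [check_attachment(name, body) for name, body in SAMPLES.items()]


if __name__ == "__main__":
    for result in scan_samples():
        print(result)
```

A mismatch verdict does not prove the file is malicious, only that it is not what its name claims, which is the cue a mail gateway or analyst should act on before the document is opened.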

The Hacking Team Remote Control System (RCS) is described in a leaked copy of their promotional literature as: “A stealth, spyware-based system for attacking, infecting and monitoring computers and smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.).”

The Hacking Team public website stipulates that its technology is sold only to a restricted customer base: “we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

Meanwhile, French security company VUPEN provides a variety of services including the sale of what it characterizes as “extremely sophisticated and government grade exploits specifically designed for offensive missions.” VUPEN said that it discovered an exploitable vulnerability in January of this year (which appears to be involved in the attack), at which point they shared this with their customers, prior to public disclosure in August.

The execution of the attack is similar in behavior and appearance to the Windows version of the RCS backdoor that targeted Mamfakinch, a Moroccan citizen media and journalism project, Marquis-Boire noted.

Mamfakinch was targeted by an electronic attack that used surveillance malware. The website, which is frequently critical of the Moroccan government, received a message via its site directing recipients to a remote web page.

“Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles…” read the message. The text, which hints at a sensitive scoop or lead, translates roughly as “please don’t mention my name and don’t say anything at all [about me] I don’t want to get mixed up in this” – catnip to reporters.

“The use of social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace,” said Marquis-Boire. “For at-risk communities, gaining awareness of targeted threats and exercising good security practices when using email, Skype or any other communication mechanism are essential. Users should be vigilant concerning all emails, attached web links, and files.”

He added, “In particular, carefully assess the authenticity of any such materials referencing sensitive subject matter, activities or containing misspellings or unusual diction. If you believe that you are being targeted, be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.”
