Law enforcement-grade malware increasingly used to target dissidents

“While the majority of these companies claim to sell their products to a restricted client base of law enforcement, military and intelligence agencies, this report shows another example of commercial network intrusion tools being used against dissidents in countries with poor human-rights records,” said Citizen Lab Security Researcher Morgan Marquis-Boire in his report.

The market for commercial computer network intrusion capabilities (surveillance backdoors and vulnerabilities usually described as “lawful intercept tools”) has become a focus of controversy and debate about regulatory and legal controls that might be exercised over sales to such regimes or uses of the technology to target dissidents. The latest evidence for the phenomenon comes from Marquis-Boire’s analysis of malicious software used to compromise a high-profile dissident residing in the United Arab Emirates.

“In general, targeted malware attacks are an increasing problem for human rights groups, who can be particularly vulnerable to such attacks due to limited resources or lack of security awareness,” said Marquis-Boire.

The recent attack targeted Ahmed Mansoor, a prominent UAE blogger and one of the “UAE Five,” a group of Emirati activists who were imprisoned from April to November 2011 on charges of insulting president Khalifa bin Zayed Al Nahyan, vice president Mohammed bin Rashid Al Maktoum, and Crown Prince Mohammed bin Zayed Al Nahyan.

In July, he received an email urging him to read a “very important message,” which contained a malicious attachment. When Mansoor opened the document, his suspicions were aroused due to the garbled text displayed. His reaction turned out to be prescient: his email account was later accessed from a string of suspicious IP addresses.

“To the user it appears to be a Microsoft Word document, however it in fact is an RTF file containing an exploit which allows the execution of code that downloads surveillance malware,” said Marquis-Boire. “This document exploits a stack-based buffer overflow in the RTF format that has been previously characterized.”
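The mismatch Marquis-Boire describes, a file that presents itself as a Word document but is really RTF, is detectable at a mail gateway or on an analyst's workstation by comparing the container format implied by the file name against the file's leading bytes. The following is an added example, not code from the original article or from Citizen Lab; the file names and byte samples are constructed, and the magic prefixes used are the standard ones for RTF, OLE compound files, ZIP (OOXML) and PDF.

```python
"""Flag attachments whose real container format does not match the
extension they carry. Added example, not from the original article or
from Citizen Lab; sample file names and contents are constructed."""
import os

# Leading bytes that identify each container format.
MAGIC = [
    (b"{\\rtf", "rtf"),                               # Rich Text Format
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),    # legacy .doc/.xls/.ppt (OLE compound file)
    (b"PK\x03\x04", "zip"),                           # OOXML (.docx/.xlsx) and other ZIP containers
    (b"%PDF-", "pdf"),
]

# Container format each extension legitimately implies.
EXPECTED = {
    ".doc": {"ole2"},
    ".docx": {"zip"},
    ".rtf": {"rtf"},
    ".pdf": {"pdf"},
}


def sniff_format(data: bytes) -> str:
    """Return the container format implied by the first bytes of the file."""
    head = data.lstrip()  # RTF writers occasionally emit leading whitespace
    for prefix, fmt in MAGIC:
        if head.startswith(prefix):
            return fmt
    return "unknown"


def assess_attachment(filename: str, data: bytes) -> dict:
    """Compare the format claimed by the extension with the sniffed format.

    A mismatch is reported only for extensions we have a rule for; an
    unknown extension yields mismatch=False rather than a false alarm.
    """
    ext = os.path.splitext(filename)[1].lower()
    actual = sniff_format(data)
    expected = EXPECTED.get(ext)
    mismatch = expected is not None and actual not in expected
    return {"filename": filename, "extension": ext,
            "actual": actual, "mismatch": mismatch}


def flagged_attachments(samples: dict) -> list:
    """Return the names of all attachments whose content contradicts their extension."""
    return [name for name, data in samples.items()
            if assess_attachment(name, data)["mismatch"]]


# Constructed samples: an RTF body posing as .doc (the pattern described in the
# article), a genuine OLE .doc header, a genuine OOXML .docx header, and a text file.
SAMPLES = {
    "very_important_message.doc": b"{\\rtf1\\ansi\\deff0 {\\fonttbl{\\f0 Arial;}} hello}",
    "quarterly_report.doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,
    "minutes.docx": b"PK\x03\x04" + b"\x14\x00" * 4,
    "notes.txt": b"plain text, no rule for this extension",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(assess_attachment(name, data))
    print("flagged:", flagged_attachments(SAMPLES))
```

Word opens an RTF body regardless of whether the name ends in `.doc`, which is exactly why the extension cannot be trusted on its own; sniffing the content is cheap and gives an analyst a concrete reason to quarantine the file before the document is ever rendered.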

The findings indicate that the software is a commercial surveillance backdoor distributed by an Italian company known as Hacking Team, first identified by Russian anti-virus company Dr. Web. It has been called “Remote Control System”, “Crisis” and “DaVinci.” The report also found evidence for the potential involvement of vulnerabilities sold by a French company, VUPEN.

The Hacking Team Remote Control System (RCS) is described in a leaked copy of their promotional literature as: “A stealth, spyware-based system for attacking, infecting and monitoring computers and smartphones. Full intelligence on target users even for encrypted communications (Skype, PGP, secure web mail, etc.).”

The Hacking Team public website stipulates that its technology is sold only to a restricted customer base: “we provide effective, easy-to-use offensive technology to the worldwide law enforcement and intelligence communities.”

Meanwhile, French security company VUPEN provides a variety of services including the sale of what it characterizes as “extremely sophisticated and government grade exploits specifically designed for offensive missions.” VUPEN said that it discovered an exploitable vulnerability in January of this year (which appears to be involved in the attack), at which point they shared this with their customers, prior to public disclosure in August.

The execution of the attack is similar in behavior and appearance to the Windows version of the RCS backdoor that targeted Mamfakinch, a Moroccan citizen media and journalism project, Marquis-Boire noted.

Mamfakinch was targeted by an electronic attack that used surveillance malware. Mamfakinch.com, a website that is frequently critical of the Moroccan government, received a message via their website directing recipients to a remote web page.

“Svp ne mentionnez pas mon nom ni rien du tout je ne veux pas d embrouilles…” read the message. The text, which hints at a sensitive scoop or lead, translates roughly as “please don’t mention my name and don’t say anything at all [about me] I don’t want to get mixed up in this” – catnip to reporters.

“The use of social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace,” said Marquis-Boire. “For at-risk communities, gaining awareness of targeted threats and exercising good security practices when using email, Skype or any other communication mechanism are essential. Users should be vigilant concerning all emails, attached web links, and files.”

He added, “In particular, carefully assess the authenticity of any such materials referencing sensitive subject matter, activities or containing misspellings or unusual diction. If you believe that you are being targeted, be especially cautious when downloading files over the Internet, even from links that are purportedly sent by friends.”
