The Citizen Lab, a multidisciplinary power house located at the Munk School of Global Affairs, studies online security and investigates any threats against civil society. Last year, the lab discovered spyware being used to target United Arab Emirates (UAE) activists.
“In this case, the targeted journalist, Rori Donaghy contacted [Bill] Marczak with emails that he found to be suspicious towards the end of the last year,” said John Scott Railton, a senior researcher at the Citizen Lab. Railton joined the group almost four years ago to investigate attacks against the Syrian opposition in the ongoing Syrian civil war.
Rori Donaghy, a UK-based journalist who has written extensively on the UAE and the Middle East, received a suspicious email from an organization called The Right to Fight, which was later discovered to be fake. Donaghy then notified Marczak, which led to the beginning of Stealth Falcon, the codename of the investigation led by Bill Marczak.
“As the primary researcher, Bill is responsible for the clever technical methods that underpin the work,” noted Railton. The Citizen Lab discovered fake human rights groups, journalists, Twitter handles, and email accounts — all made with the agenda of monitoring the activities of actual activists and journalists.
The spyware is sent in URL form; upon opening the files, the malicious code is run on the recipient’s desktop. This malware then continually monitors the recipient’s activities. The lab employed a combination of technical analysis, extensive Twitter searches, and close work with malware targets during the investigation. Under the leadership of Marczak, Railton, external experts, and other members of the Citizen Lab confirmed their initial suspicions and uncovered what Railton described as “other possible attacks.”
“The Citizen Lab does not formally attribute the attack to a particular group in the report. However, we do go through an analysis of competing hypotheses laying out why we suspect that a state sponsor is likely. This analysis included looking at the resources necessary to conduct such a campaign, its sophistication, as well as the numerous circumstantial links to arrests and other real world features,” explained Railton.
When asked about any new findings, Railton mentioned, “Some of the infrastructure associated with this campaign was pulled down, and we were also happy to see a number of antivirus companies quickly adding detection against the tools used by this group.”
Social media is arguably the most powerful tool for activism, especially when it comes to spreading the word and gathering the masses. Recognizing this power, many governments across the globe practice media censorship as a precaution: prior to the Iranian 2009 presidential elections, social media platforms were blocked for almost a month; China continues to censor social media political content that seems to oppose the values of the State because it has the potential to reach masses; Twitter was inaccessible during the onset of the 2011 Egyptian Revolution; and pro-Ukraine tweets are blocked in Russia.
“The Citizen Lab is unique in the world for [its] ability to bring a mixed methods approach to the problem of malware attacks against civil society, for the impact of our reporting, and the role we play in the research ecosystem,” said Railton. Social media is a powerful tool for the masses, but it can also be used to target activism and monitor activities, which is why organizations like the Citizen Lab are essential to investigating cases of censorship and suppression.