Small Wars Journal

Snapping Up Cheap Spy Tools, Nations 'Monitoring Everyone'

Tue, 08/02/2016 - 6:15am

Snapping Up Cheap Spy Tools, Nations 'Monitoring Everyone' by Frank Bajak and Jack Gillum, Associated Press

It was a national scandal. Peru's then-vice president accused two domestic intelligence agents of staking her out. Then, a top congressman blamed the spy agency for a break-in at his office. News stories showed the agency had collected data on hundreds of influential Peruvians.

Yet after last year's outrage, which forced out the prime minister and froze its intelligence-gathering, the spy service went ahead with a $22 million program capable of snooping on thousands of Peruvians at a time. Peru - a top cocaine-producing nation - joined the ranks of world governments that have added commercial spyware to their arsenals.

The purchase from Israeli-American company Verint Systems, chronicled in documents obtained by The Associated Press, offers a rare, behind-the-scenes look into how easy it is for a country to purchase and install off-the-shelf surveillance equipment. The software allows governments to intercept voice calls, text messages and emails.

Except for blacklisted nations like Syria and North Korea, there is little to stop governments that routinely violate basic rights from obtaining the same so-called "lawful intercept" tools that have been sold to Western police and spy agencies. People tracked by the technology have been beaten, jailed and tortured, according to human rights groups…

Read on.

Comments

Outlaw 09

Wed, 08/03/2016 - 7:25am

It is not just nation states using OTS "LI" tools........

The latest The mailforlen Daily!
http://paper.li/mailforlen/145745237...8-0cc47a0d15fd

https://citizenlab.org/2016/08/group5-syria/

Iranian Cyber Warfare being conducted against Syrian opposition.....

Group5: Syria and the Iranian Connection

August 2, 2016

By John Scott-Railton,* Bahr Abdulrazzak,* Adam Hulcoop,* Matt Brooks,* & Katie Kleemola**

Quote:

Executive Summary

This report describes an elaborately staged malware operation with targets in the Syrian opposition. The operators have used a range of techniques to target Windows computers and Android phones with the apparent goal of penetrating the computers of well-connected individuals in the Syrian opposition.

We first discovered the operation in late 2015 when a member of the Syrian opposition spotted a suspicious e-mail containing a PowerPoint slideshow. From this initial message, we uncovered a watering hole website with malicious programs, malicious PowerPoint files, and Android malware, all apparently designed to appeal to members of the opposition.

Elements of the Syrian opposition have been targeted by malware campaigns since the early days of the conflict: regime-linked malware groups, the Syrian Electronic Army, ISIS, and a group linked to Lebanon reported by FireEye in 2015 have all attempted to penetrate opposition computers and communications. Some of these operations are still active as of the time of writing. This report adds one more threat actor to the list: Group5, which we name to reflect the four other known malware groups.

Group5 stands out from the operations that have already been reported on: some of the tactics and tools used have not been observed in this conflict; the operators seem comfortable with Iranian Persian dialect tools and Iranian hosting companies; and they appear to have run elements of the operation from Iranian IP space.

Syria: Publicly-reported Threat Actors

Like a chameleon, Group5 borrows opposition text and slogans for e-mail messages and watering holes, showing evidence of good social engineering and targeting. However, Group5’s technical quality is low, and their operational security uneven. This is a common feature of many operations in the Syrian context: since the baseline security of many of the targets is very low, many successful threat actors seem to conserve (and in some cases not possess) more sophisticated techniques. We believe we identified Group5 early in its lifecycle, before all of the malware that had been staged and prepared could be deployed in a full campaign.

Our analysis indicates that Group5 is likely a new entrant in Syria, and we outline the circumstantial evidence pointing to an Iranian nexus. We do not conclusively attribute Group5 to a sponsor, although we suspect the interests of a state are present, in some form. Group5 is just the latest addition to an expanding cast of actors targeting Syrian opposition groups, and its entry into the conflict shows the continuing information security risks that they face.

Background: The Perpetual Targeting of the Syrian Opposition

Syrians have experienced monitoring and blocking of their electronic communications for many years. As a result, many more technically literate Syrians have familiarized themselves with VPNs and other tools to circumvent simple blocking, and achieve a degree of privacy. After the 2011 Uprising began, the regime disconnected telecommunications services in many areas controlled by opposition groups. This led, in these areas, to the widespread adoption of satellite internet connectivity, mostly via VSAT (Very Small Aperture Terminal) services like Tooway and iDirect, and to a lesser extent the use of BGAN (Broadband Global Area Network) terminals.

At the same time, the Syrian opposition’s activities outside the country, both in neighboring countries like Turkey, as well as in the diaspora, dramatically increased. Much of this activity takes place over social networks, free e-mail accounts like Gmail (and Google Apps for Work), and via tools like Skype’s VoIP services.

These shifts in connectivity limited the effectiveness of the passive monitoring and blocking used by the Al Assad Regime, and frustrated its abilities to monitor the opposition.

However, the shift towards social networks and other online tools has created new opportunities for the regime to target the opposition. Opposition members constantly share information, files, tools and programs, via social media. This highly-connected environment enables them to be highly aware of changing events, and quickly mobilize resources. In addition, a number of online services, such as the Google Play Store, are blocked or restricted for Syria. As a result, a culture of sharing Android APK files has also developed.

The heavy reliance on popular online platforms, and regular sharing of tools, presents many opportunities to seed malicious files. For the regime, a successful operation means a chance to regain visibility into the activities of groups within the geographic borders of Syria, while extending their reach outside into the diaspora. For other groups, such as ISIS, the digital vulnerability of the opposition presents an opportunity to develop a capability against opposition communications. The following section outlines several of these known threat actors.

Regime-Linked Groups

The most well-known threat actor to target the Syrian Revolution is the Syrian Electronic Army (SEA). However, many of the targets of the SEA have been Western organizations, although the SEA continues to conduct lower-profile operations that include malware against the opposition. Less notorious, although still the subject of reporting, are malware groups linked to the regime. These malware groups have been active since 2011, and have used a wide range of Commercial-Off-The-Shelf (COTS) Remote Access Trojans (RATs) to target the opposition. Typically, these groups bundle RATs with a wide range of documents and programs designed to appeal to the opposition. Over the years, these campaigns have included everything from “revolution plans,” lists of “wanted suspects,” to fake security and encryption tools. These campaigns have been extensively characterized by reports from the Citizen Lab, The Electronic Frontier Foundation, and private companies like TrendMicro and Kaspersky. A range of reports have documented these regime-linked campaigns over the years.

Pro-Regime Groups Outside Syria

There is also evidence of pro-Assad groups outside Syria participating in malware campaigns against the opposition. Notably, a group reported on in 2015 by FireEye (in collaboration with one of the authors of this report) used female avatars to send trojaned documents to high profile figures in opposition politics, aid, and armed groups. The operation yielded over 31,000 conversations, and a trove of sensitive information about a variety of groups’ plans and activities. This group also made use of fake matchmaking websites and social media accounts to backstop their deception.

ISIS-Linked Groups

On a different side of the conflict, the Citizen Lab documented a malware operation linked to ISIS against the group ‘Raqqa is Being Slaughtered Silently’ (RBSS) in 2015. The operators, masquerading as a group of RBSS sympathizers based in Canada, targeted victims with a file that claimed to contain locations of ISIS forces and US Airstrikes within Syria. The file actually contained custom malware that collected and transmitted information about the infected computer. The report concluded that there was strong circumstantial evidence linking the malware to members of ISIS.

Many Groups, Similar Tactics

Each of these groups has distinct Tactics, Techniques and Procedures (TTPs). However, one common thread among the many publicly-reported groups is that they rarely use exploits in their campaigns, instead relying heavily on social engineering and trickery to convince targets to execute malicious files, disguised as innocuous documents.

This may reflect some of these groups’ lack of technical sophistication. For example, many regime-linked groups seem to have very limited skills and technical resources, and rely almost entirely on RATs coupled with well-informed social engineering. These techniques have evolved, but not improved radically since 2011. In other cases, such as the Lebanon-linked group reported on by FireEye, operators may have access to more sophisticated techniques, but see little reason to use them against their targets, given the limited technical capabilities of the opposition.

Part 1: Discovering Group5

This section describes the e-mails that first alerted us to an operation targeting the Syrian political opposition in October 2015.

On October 3rd 2015, Noura Al-Ameer, a well-connected Syrian opposition political figure, negotiator, and former Vice President of the opposition Syrian National Council (SNC), received a suspicious e-mail.[1] The e-mail purported to come from a human rights documentation organization she had never heard of: “Assad Crimes.” The sender, using the e-mail address office@assadcrimes[.]info claimed to be sharing information about Iranian “crimes,” a theme familiar to many in the opposition.

Fig. 1: Noura Al-Ameer, former SNC Vice President and a target of the operation. An activist from Homs, Syria, Al-Ameer was detained and tortured in the security branches, later moved to the infamous Adra prison in Damascus, prior to fleeing the country several years ago. Today, she is a delegate to the SNC’s political council and works to document war crimes committed during the conflict. Her identity was falsely used to register the assadcrimes website.

Continued......
Really worth reading....I have followed this particular internet researcher during his many days of researching hacks....and hackers...especially the use of "LI" tools.....he has done extensive research on the hacked Italian "LI" software company and where their tools ended up.....
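The report quoted above makes the point that the groups targeting the Syrian opposition rarely use exploits and instead persuade the target to open a malicious file dressed up as an innocuous document (or a shared APK). The triage script below is an added example for this thread, not code from the Citizen Lab report or from the poster; it checks whether an attachment's declared name agrees with what its bytes actually are. It goes a little beyond the report by also catching the double-extension and right-to-left-override (RTLO) naming tricks. Every sample here is constructed for the demo (a stub PE header, tiny in-memory zips); none is a real file from the campaign, and the filenames are invented.

```python
"""
Attachment triage: does the declared filename agree with the file's content?
Added example; not code from the Citizen Lab report or from this thread.
All sample bytes below are constructed for the demo, not real campaign files.
"""
import io
import zipfile

# Leading bytes of the container formats relevant to document lures.
MAGIC = {
    "pe":   b"MZ",                                # Windows executable / DLL / .scr
    "ole2": b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",  # legacy .doc/.ppt/.pps/.xls
    "zip":  b"PK\x03\x04",                        # OOXML (.docx/.pptx), .apk, .jar
    "pdf":  b"%PDF",
}

# The content type each "innocuous" extension is supposed to carry.
# (Zip-based formats are refined to 'ooxml' or 'apk' by zip_payload_hint.)
EXPECTED = {
    ".doc": {"ole2"}, ".ppt": {"ole2"}, ".pps": {"ole2"}, ".xls": {"ole2"},
    ".docx": {"ooxml"}, ".pptx": {"ooxml"}, ".ppsx": {"ooxml"}, ".xlsx": {"ooxml"},
    ".pdf": {"pdf"},
    ".exe": {"pe"}, ".scr": {"pe"}, ".apk": {"apk"},
}
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                  ".js", ".vbs", ".hta", ".apk"}
RTLO = "\u202e"  # Unicode right-to-left override, used to visually hide ".exe"


def sniff_type(data: bytes) -> str:
    """Classify by magic bytes; for PE also require the 'PE\\0\\0' header."""
    for name, magic in MAGIC.items():
        if not data.startswith(magic):
            continue
        if name == "pe":
            if len(data) < 0x40:
                return "unknown"
            off = int.from_bytes(data[0x3C:0x40], "little")  # e_lfanew
            if data[off:off + 4] != b"PE\x00\x00":
                return "unknown"
        return name
    return "unknown"


def zip_payload_hint(data: bytes) -> str:
    """Tell OOXML documents, Android APKs and plain archives apart by member names."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return "zip-corrupt"
    if "AndroidManifest.xml" in names or any(n.endswith(".dex") for n in names):
        return "apk"
    if "[Content_Types].xml" in names:
        return "ooxml"
    return "zip"


def check_attachment(filename: str, data: bytes) -> list:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if RTLO in filename:
        findings.append("RTLO character in filename")
        filename = filename.replace(RTLO, "")     # judge the real extension
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if len(parts) > 2:
        inner = "." + parts[-2]
        if inner in EXPECTED and ext in EXECUTABLE_EXT:
            findings.append(f"double extension: looks like {inner} but is {ext}")
    kind = sniff_type(data)
    if kind == "zip":
        kind = zip_payload_hint(data)
    if kind == "pe" and ext not in EXECUTABLE_EXT:
        findings.append(f"content is a Windows PE but name says {ext or 'no extension'}")
    elif ext in EXPECTED and kind != "unknown" and kind not in EXPECTED[ext]:
        findings.append(f"content is {kind} but name says {ext}")
    return findings


def make_zip(members: dict) -> bytes:
    """Build a small in-memory zip archive (used only for the constructed samples)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a stub PE header plus minimal documents, not real lures.
FAKE_PE = (b"MZ" + b"\x00" * 0x3A + (0x40).to_bytes(4, "little")
           + b"PE\x00\x00" + b"\x00" * 20)
SAMPLES = {
    "iran_crimes.pps": FAKE_PE,                      # executable posing as a slideshow
    "iranian_crimes.ppt.exe": FAKE_PE,               # double extension
    "evidence_" + RTLO + "tpp.exe": FAKE_PE,         # displays as "evidence_exe.ppt"
    "agenda.pptx": make_zip({"[Content_Types].xml": "<Types/>",
                             "ppt/presentation.xml": "<p/>"}),
    "secure_chat_manual.pdf": make_zip({"AndroidManifest.xml": b"\x03\x00",
                                        "classes.dex": b"dex\n035\x00"}),
    "statement.pdf": b"%PDF-1.4\n1 0 obj\n<<>>\nendobj\n",
}


def triage(samples: dict = SAMPLES) -> dict:
    """Run the check over every sample; returns {filename: [findings]}."""
    return {name: check_attachment(name, data) for name, data in samples.items()}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(repr(name), "->", findings or "ok")
```

The check deliberately trusts the bytes over the name: a stub "MZ" alone is not enough to call something a PE (the e_lfanew pointer must land on "PE\0\0"), and zip-based formats are only accepted under a document extension when they carry the OOXML content-types member, so an APK renamed to .pdf is flagged once, not twice. Run it over a mail gateway's quarantine directory by swapping SAMPLES for a dict read from disk.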

Outlaw 09

Wed, 08/03/2016 - 3:47am

It is not only governments getting their hands on this technology, which by the way massively keeps my company and 25 employees healthily employed these days.

On the early Ukrainian thread I posted a number of comments concerning the massive hack of a so-called Italian "LI" company which was in fact selling its "LI" tools (w/o EU export licenses) to the highest bidder, i.e. criminal groups....and worldwide as well as to countries using them to suppress human rights (again w/o EU export licenses).

It was a 600G hacked download with some actually quite interesting and novel hacking tools BUT the hack found very little MSM take-up even in the IT Security MSM....

BTW...there were also a number of western security and police services listed on their billing statements....