
Million Dollar Dissidents and the Rest of Us

Uncovering Nation-State Mobile Espionage in the Wild


Video duration: 00:53:36
Language: English
Abstract
In August 2016, Apple issued updates to iOS and macOS that patched three zero-day vulnerabilities that were being exploited in the wild to remotely install persistent malcode on a target's device if the target tapped on a specially crafted link. We linked the vulnerabilities and malcode to US-owned, Israel-based NSO Group, a government-exclusive surveillance vendor described by one of its founders as "a complete ghost".

Apple's updates were the latest chapter in a yearlong investigation by Citizen Lab into a UAE-based threat actor targeting critics of the UAE at home and around the world. In this talk, we will explain how Citizen Lab discovered and tracked this threat actor, and uncovered the first publicly reported iOS remote jailbreak used in the wild for mobile espionage. Using the NSO case, we will detail some of the tools and techniques we use to track these groups, and how they try to avoid detection and scrutiny. This investigation is Citizen Lab's latest exposé of the abuse of commercial "lawful intercept" malcode.

We will begin the presentation with our discovery and investigation of a UAE-based threat actor we call Stealth Falcon, and explain how a small error in the operators' operational security led us to a mobile attack infrastructure consisting of hundreds of servers, which we determined was associated with NSO's Pegasus product. We will detail the Internet scanning we undertook to enumerate this infrastructure, and some techniques we used to try to find "live" exploit links.

It was through these techniques that we identified suspicious links sent via SMS to UAE human rights defender Ahmed Mansoor. We will describe how we caused the exploit server to “fire”, and how we determined that it served us a one-click zero-day iPhone remote jailbreak to deliver NSO’s Pegasus, a powerful and sophisticated piece of government-exclusive malcode.

We will outline the functionality of the exploit used against Mansoor, and the Pegasus surveillance malcode, and outline the collaborative research and responsible disclosure process to Apple that led to the out-of-band updates to iOS and macOS.

The proliferation of commercial tools for targeted digital surveillance presents a documented risk to activists and civil society. However, there is a silver lining for researchers in this proliferation: by reselling the same commercial “lawful intercept” tool and network infrastructure to multiple countries, and training operators in the same attack techniques, companies are creating patterns that we can use to identify surveillance across a wide range of different actors.

Using the Mansoor attack as a case study, we will provide a window into how researchers at Citizen Lab leverage and fingerprint these patterns to track nation-state-level attacks against human rights defenders and journalists. Drawing on cases from the UAE and beyond, we will discuss how we work with targets and victims, conduct Internet scanning, and fingerprint C&C servers. We will conclude with a discussion of some trends that we have observed in commercial malcode sold to nation-state actors.

Talk ID: 8115
Event: 33c3
Day: 3
Room: Saal 1
Start: 11:30 a.m.
Duration: 01:00:00
Track: Ethics, Society & Politics
Type: lecture
Speakers: Bill Marczak, John Scott-Railton
Talk Slug & media link: 33c3-8115-million_dollar_dissidents_and_the_rest_of_us