
   can.general      General Canuck chatter      162,586 messages   


   Message 161,412 of 162,586   
   anonymous to All   
   Saudi-linked Cyber Espionage Against Can   
   14 Oct 18 22:56:12   
   
   XPost: alt.security.espionage, soc.culture.canada, can.politics   
   XPost: alt.culture.saudi, alt.arabic.politics, soc.culture.arabic   
   XPost: alt.military, alt.computer.security, comp.security.misc   
   From: anonymous@anonymous.com   
      
   Saudi-linked Cyber Espionage Against Canadian Victim Discovered   
      
      
      
   Today, the Citizen Lab is publishing a major new report, “The Kingdom Came   
   to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil,” by   
   Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and myself.   
      
   Our report details how we discovered Canadian permanent resident and Saudi   
   dissident Omar Abdulaziz was targeted with a fake SMS message and his phone   
   infected with spyware manufactured by Israeli-based “Cyber Warfare”   
   company, NSO Group. We    
   attribute this infection to a spyware operator linked to Saudi Arabia.   
      
   The research for this report builds on our recently published “Hide and   
   Seek” report, led by the Citizen Lab’s Bill Marczak, in which we detailed   
   the results of more than two years of Internet scanning into NSO Group’s   
   command and control    
   infrastructure. That scanning revealed more than 45 countries in which we   
   found infected devices “phoning home” to NSO Group’s infrastructure,   
   operated by more than 30 likely government clients — many of them with   
   highly problematic human rights    
   issues.   
      
   Among those live infections was a particularly noteworthy one: a Saudi-linked   
   operator, which we call KINGDOM, monitoring an infected device in Quebec,   
   Canada. The surveillance of a victim in Canada is particularly intriguing as   
   it takes place in the    
   midst of a serious diplomatic dispute between Canada and Saudi Arabia that was   
   triggered by tweets critical of Saudi Arabia’s human rights record sent by   
   Canadian Foreign Affairs Minister, Chrystia Freeland, and by the official   
   Twitter account of    
   Global Affairs Canada.   
      
   Based on Saudi Arabia’s poor human rights track record and its prior history   
   of abuse of spyware (including by the very same KINGDOM operator), we   
   hypothesized that the target in Quebec would be a person or group connected to   
   Saudi political activism.    
   We then reached out to contacts in the Saudi diaspora and human rights   
   communities to try to identify the target. Remarkably, we succeeded.   
      
   Omar Abdulaziz is a Canadian university student, and a prominent Saudi   
   activist who sought and received asylum in Canada in 2014 after Saudi Arabia   
   revoked his scholarship for his outspoken criticism of the regime.  Omar   
   produces a very popular satirical    
   talk show on YouTube that is followed by millions of viewers. He was also   
   featured prominently in media coverage of the Canada-Saudi dispute, including   
   on CBC’s The Current. During his interview on that show, Omar claimed Saudi   
   authorities had    
   threatened his family to try to discourage him from speaking out.   
      
   Earlier this summer, Omar received a fake DHL courier notification via SMS.   
   The message arrived only hours after he placed an order on Amazon. When we met   
   with Omar, we searched back through his SMS messages with his consent against   
   a list of known NSO    
   domains we had gathered, and discovered the fake DHL notification SMS. We were   
   able to confirm that he was, indeed, targeted by the KINGDOM operator and that   
   the SMS he received contained a link to the NSO Group’s “Pegasus”   
   spyware infrastructure.   
      
   Further verification that Omar was the victim came from matches we were able to
   make to his pattern of life. Our scanning showed the infected device moving
   between two Quebec-based networks at very specific intervals — Vidéotron
   and RISQ (Réseau d’informations scientifiques du Québec). Omar confirmed that
   those “check ins” precisely matched his movements between his home wifi network
   (Vidéotron), and the wifi network to which he connected during a regular
   evening activity (RISQ).
      
   NSO’s Pegasus spyware is extraordinarily stealthy and invasive. Once a   
   target clicks on a link, the operator has complete surreptitious control over   
   the target’s device. This control includes being able to silently read   
   emails and chat messages,    
   including those that are encrypted, capture ambient sound, and turn on the   
   camera. During the time Omar’s device was infected, several of his family   
   members and friends disappeared in Saudi Arabia. Although we have no way to   
   confirm it, it is certainly    
   possible these disappearances are the direct result of the KINGDOM   
   operator’s surveillance of Omar’s phone.   
      
   No doubt, this revelation of Saudi-linked espionage against a Canadian   
   permanent resident will inflame the already tense Canada-Saudi diplomatic   
   dispute. If it does, it will illustrate one major theme of Citizen Lab’s   
   research: that the unregulated    
   commercial spyware market produces costly negative externalities. It is also   
   noteworthy that what we have unearthed may violate several Canadian Criminal   
   Code offences, including willfully intercepting private communications   
   contrary to section 184(1).   
      
   It should go without saying that the multiple cases of abuse we have uncovered   
   over several years cast serious doubt on NSO Group’s claims about a   
   “Business Ethics Committee” and other controls they have over their   
   products. While they may treat it    
   frivolously, NSO Group’s accumulating liabilities must be giving its   
   ownership group, US-based investment firm Francisco Partners, serious cause   
   for concern, particularly since the latter has unsuccessfully shopped NSO   
   Group to potential buyers for a    
   reported 1 billion USD.  Who wants to buy a company whose services routinely   
   end up being abused, inflaming geopolitical tensions, or implicated in   
   criminal conduct? What potential liabilities does NSO’s reckless sales   
   present for its ownership group?   
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   
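
The message above describes searching a consenting user's SMS history against a list of known spyware domains. The following is an added example of that kind of check, not code from the post or from Citizen Lab; the indicator domains, phone numbers and message bodies are constructed placeholders, and the function names are hypothetical.

```python
import re
from urllib.parse import urlsplit

# Constructed placeholder indicators (assumption: not real spyware domains).
INDICATOR_DOMAINS = {"tracking-update.example", "parcel-notify.example"}

# Constructed sample messages standing in for an exported SMS history.
SAMPLE_SMS = [
    {"id": 1, "sender": "+15550100",
     "body": "Your parcel is on its way: https://Parcel-Notify.example/t/8f3a"},
    {"id": 2, "sender": "+15550101",
     "body": "Lunch tomorrow? See menu at http://cafe.example/menu"},
    {"id": 3, "sender": "+15550102",
     "body": "Delivery update hxxp://cdn.tracking-update[.]example/x"},
    {"id": 4, "sender": "+15550103",
     "body": "Read https://tracking-update.example.news.example/a"},
]

URL_RE = re.compile(r"\b(?:https?|hxxps?)://[^\s<>]+", re.IGNORECASE)

def refang(text):
    """Undo common defanging so URLs copied from reports still parse."""
    text = text.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"hxxp", "http", text, flags=re.IGNORECASE)

def hosts_in(body):
    """Return the lower-cased hostname of every URL found in a message body."""
    hosts = []
    for url in URL_RE.findall(refang(body)):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host.rstrip(".").lower())
    return hosts

def matches_indicator(host, indicators):
    """True if host is an indicator or a subdomain of one (whole labels only)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in indicators for i in range(len(labels)))

def scan_messages(messages, indicators):
    """Return (message id, sender, host) for each URL host on the indicator list."""
    return [(m["id"], m["sender"], h)
            for m in messages
            for h in hosts_in(m["body"])
            if matches_indicator(h, indicators)]

if __name__ == "__main__":
    for hit in scan_messages(SAMPLE_SMS, INDICATOR_DOMAINS):
        print(hit)
```

Matching on whole DNS labels catches subdomains of a listed domain (message 3) without flagging a benign host that merely contains an indicator as a prefix (message 4).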
