XPost: alt.cypherpunks, alt.culture.saudi, soc.culture.israel   
   XPost: comp.security.misc, alt.fan.rush-limbaugh, alt.privacy.spyware   
   XPost: alt.security.espionage, can.politics, misc.phone.mobile.iphone   
   From: anonymous@anonymous.com   
      
   THE KINGDOM CAME TO CANADA   
   How Saudi-Linked Digital Espionage Reached Canadian Soil   
   By Bill Marczak, John Scott-Railton, Adam Senft, Bahr Abdul Razzak, and Ron   
   Deibert   
   October 1, 2018   
      
      
      
   This report is Part 10 of a series on the abuse of NSO Group’s spyware   
      
   Part 1: The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used   
   against a UAE Human Rights Defender   
   Part 2: Bittersweet: Supporters of Mexico’s Soda Tax Targeted With NSO   
   Exploit Links   
   Part 3: Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted   
   with NSO Spyware   
   Part 4: Reckless Redux: Senior Mexican Legislators and Politicians Targeted   
   with NSO Spyware   
   Part 5: Reckless III: Investigation Into Mexican Mass Disappearance Targeted   
   with NSO Spyware   
   Part 6: Reckless IV: Lawyers For Murdered Mexican Women’s Families Targeted   
   with NSO Spyware   
   Part 7: Reckless V: Director of Mexican Anti-Corruption Group Targeted with   
   NSO Group’s Spyware   
   Part 8: NSO Group Infrastructure Linked to Targeting of Amnesty International   
   and Saudi Dissident   
   Part 9: Hide and Seek: Tracking NSO Group’s Pegasus Spyware to Operations in   
   45 Countries   
   Part 10: The Kingdom Came to Canada: How Saudi-Linked Digital Espionage   
   Reached Canadian Soil   
      
   In this report, we describe how Canadian permanent resident and Saudi   
   dissident Omar Abdulaziz was targeted with a fake package delivery   
   notification. We assess with high confidence that Abdulaziz’s phone was   
   infected with NSO’s Pegasus spyware. We    
   attribute this infection to a Pegasus operator linked to Saudi Arabia.   
      
   Key Findings   
      
   - We have high confidence that the cellphone of Omar Abdulaziz, a Saudi   
   activist and Canadian permanent resident, was targeted and infected with NSO   
   Group’s Pegasus spyware. Abdulaziz has been outspoken on an ongoing   
   diplomatic feud over human rights    
   issues between Canada and Saudi Arabia. The targeting occurred while   
   Abdulaziz, who received asylum in Canada, was attending university in Quebec.   
   - During our recently published global mapping of NSO’s Pegasus   
   infrastructure, we identified a suspected infection located in Quebec, Canada,   
   operated by what we infer is a Saudi Arabia-linked Pegasus operator. We   
   matched the infection’s pattern of    
   life to the movements of Abdulaziz, and his phone, with his assistance. After   
   examining his text messages, we identified a text message that masqueraded as   
   a package tracking link. This message contained a link to a known Pegasus   
   exploit domain.   
   - We are unaware of any legal authorization for the infection and monitoring   
   of Omar Abdulaziz in Canada by a foreign government. If not properly   
   authorized, the operators behind this targeting may have committed multiple   
   Criminal Code offences,    
   including willfully intercepting private communications contrary to section   
   184(1).   
      
   1. Summary   
      
   Israel-based “Cyber Warfare” vendor NSO Group produces and sells Pegasus   
   mobile phone spyware suite. Pegasus customers can infect targets using   
   Androids and iPhones by sending them specially crafted exploit links. Once a   
   phone is infected, the    
   customer has full access to a victim’s personal files, such as chats,   
   emails, and photos. They can even surreptitiously use the phone’s   
   microphones and cameras to view and eavesdrop on their targets.   
      
   Over the past two years, multiple reports have emerged showing how Pegasus was   
   abused by multiple NSO Group customers to target civil society. In 2016,   
   Citizen Lab published the first report on the use of Pegasus, Million Dollar   
   Dissident, which detailed    
   how award-winning human rights defender Ahmed Mansoor was targeted, likely by   
   the government of the United Arab Emirates. In 2017, Citizen Lab reported   
   abusive uses of Pegasus spyware in Mexico, where targets included lawyers,   
   journalists, and    
   politicians. In August 2018, Amnesty International reported that a Saudi   
   dissident based abroad (later revealed to be Yahya Assiri), as well as an   
   Amnesty researcher, were targeted with Pegasus. In addition, former president   
   Ricardo Martinelli stands    
   accused by the government of Panama of having used Pegasus during his tenure   
   between 2009 and 2014 to systematically spy on political opponents and   
   journalists.   
      
   In a September 2018 report titled Hide and Seek, we detailed our investigation   
   into the global proliferation of Pegasus operators and infections. After   
   scanning the Internet for Pegasus servers and grouping the 1,091 servers we   
   found into 36 distinct    
   operators, we used DNS cache probing to query Internet Service Providers   
   (ISPs) around the world and identified 120 ISPs in 45 countries where we   
   suspected Pegasus infections were located (Figure 1). Our technique was based   
   on the assumption that Pegasus    
   infections regularly “phone home” to their command and control (C&C)   
   servers to exfiltrate information and receive new commands from their operator.   
      
      
   [continued in next message]   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)