Morgan Marquis-Boire, Security Engineer at Google Incident Response Team, analyzes the digital aspect of activism and anti-dissident activities during the Arab Spring.
Hello and welcome to CuteCats.exe and the Arab Spring. My name is Morgan Marquis-Boire and I work on the Google Incident Response Team. Today, however, I am not here to talk about Google, but to discuss what appears to be the systemic use of phishing and surveillance malware as a means of suppressing dissidents during the so-called Arab Spring.
Before I start, I’d like to point out that this is work that I’ve done mainly with the Electronic Frontier Foundation in San Francisco and with the Citizen Lab, which is a human rights, digital media and global security think tank at the University of Toronto.
So, without further ado – CuteCats.exe and the Arab Spring. The title of this presentation refers to a revolutionary way of demonstration and protest occurring around the Arab world that began in December 2010, and also to a theory developed by Ethan Zuckerman in 2008. Mr. Zuckerman postulated (see left-hand image) that most people are not interested in activism but mainly use the Internet for surfing pornography and lolcats. The tools that are developed for these activities, such as Facebook, Twitter, Blogger, etc., are nevertheless very useful to social movement activists who lack the resources to develop dedicated tools themselves.
So, he then goes on to stipulate that, subsequently, this makes activists more immune to reprisals by governments than if they were using dedicated activism platforms, because messing with people’s cute cats and pornography provokes a far greater outcry than shutting down obscure activist resources. My corollary theory, which is the CuteCats.exe Theory of Digital Activism, is that once a platform attracts a critical mass of activists, that platform will be used to target them.
So, I’m sure many of you have heard people describe parts of the Arab Spring as the Twitter Revolution or the Facebook Revolution. I don’t necessarily agree with those phrases, but they reflect the usefulness of the platforms Ethan Zuckerman describes in the organization of social movements. People that orchestrate surveillance campaigns are also familiar with this idea. Unsurprisingly, the targeting of dissidents across civil countries involved in the Arab Spring has played on the usefulness of Facebook, YouTube, Twitter, Skype and other popular platforms. As everyone is probably well aware, there has been an extended period of unrest in Syria. Protests began in January 2011 and spread into a nation-wide uprising. Since then the Assad regime has deployed the Syrian army to quell the uprising, besieging several cities; however, as of the present day, this conflict is still ongoing.
Shortly after the beginning of the physical conflict a digital campaign was started against the opponents of Assad’s regime. While this was not publicly unearthed until 2012, evidence points to this campaign starting in November 2011 or earlier. Around Christmas of that year a group of activists providing technical support to the uprising were arrested. One of those who remained unimprisoned received a Skype message from one of his friends who had been captured, advising him to install a useful tool which would enable him to disguise his online identity from the regime’s surveillance. Unthinkingly, he installed the software and then realized upon reflection that this was probably not a great plan (see right-hand image).
He called on external agencies for aid, and the analysis of his machine revealed that it had been infected with a remote access Trojan, which provided significant capability for surveillance of its victims. It allowed for logging of keystrokes, streaming remote view of his desktop, the ability to watch him through his webcam and listen to him through his microphone, as well as executing arbitrary programs. In addition to this particular Trojan, the machine was found to have been twice previously compromised several weeks earlier by the same actors.
Analysis of his computer and malware continued through January, and on February 17 CNN announced that computer spyware was the newest weapon in the Syrian conflict and discussed the widespread hijacking of activists’ accounts and credentials, as well as the targeting of dissidents.
Since this article, we have been able to track multiple persistent campaigns targeting opponents to the current regime in Syria. Their preferred methods involved targeting dissidents via Skype accounts of compromised friends, as well as targeting them through social networks used to organize the revolution.
For instance, Facebook is a platform that was banned in Syria until February 2011. It has many pro-revolution forums and profiles of prominent members of the Syrian opposition. In early April the Facebook page of Burhan Ghalioun, a professor at the Sorbonne in Paris and the leader, at the time, of the Syrian opposition transnational council, was hit with a phishing attack. This led to almost 6000 friends and any visitors to his page being directed to this website (see right-hand image). So, this is obviously designed to look affiliated with Facebook and offers a download under the words “Facebook security”. Unsurprisingly, this download is malicious software with keylogging functionality.
The malware was hosted on this (see leftmost image below) compromised site, which was found to be hosting multiple Facebook phishing campaigns by the same actors, such as this one (middle image below) and this one (rightmost image below).