Interview with the Citizen Lab: In the Search of Spyware

November 27, 2016

This article was first published on 7iber in Arabic.

On the 23rd of October last year, Noura Amir received an email from an organisation called “Assad Crimes”, and attached was a PowerPoint presentation, which according to the text, was on “Iranian crimes in Saudi Arabia”.

In 2012 Noura Amir was detained in the Assad regime prisons for joining the Syrian Revolution in Aleppo. She was released 6 months later. In 2014, she was elected vice president of the National Coalition of Syrian Revolution and Opposition Forces and was a participant in the Geneva II Conference in 2014.

Noura was wise enough to check the security of messages she received from unknown sources, so she forwarded the message to Citizen Lab, situated on the third floor of the Munk School of Global Affairs at the University of Toronto in Canada, for inspection. The team of researchers at the Lab discovered that the file was linked to vigorous hacking attempts, already detailed in a previous report. According to the journal of the Lab’s director, Ron Deibert, despite the fact that they have not found clear evidence to link the breach to a specific government (which is pretty common in cyber-espionage investigations), they have in fact confirmed that there is a new party targeting the Syrian resistance working in cyberspace in Iran, and that it is possible for the party to be working for the Iranian or Syrian governments (or both).

In 2013, the Lab traced 4 separate spying campaigns targeting journalists, activists, members of the Syrian resistance, and even fighters. Each of the campaigns had a different source, including: organisations linked to the Assad regime, the Syrian electronic army, ISIS and Lebanese organisations.

Citizen Lab’s most recent discoveries linked the Emirati government with an Israeli company contracted to infiltrate the phone belonging to Emirati activist Ahmad Mansoor this past June.

Through its research and investigations, Citizen Lab has contributed to exposing several governments purchasing hacking and spying software targeted at political dissidents. The Lab has drawn maps showing the locations of servers belonging to spy systems worldwide, such as BlueCoat in 2013, FinFisher in 2013 and 2015, and Hacking Team in 2014. It was found in those maps that the Arab countries with most servers were Saudi Arabia, Lebanon, Morocco, the UAE, Oman, Bahrain, and Jordan.

Along with Snowden’s leaks on communication spyware exports, Citizen Lab’s research has led the European Union to add a “cyber-weapons” category to the list of weapons with dual uses. Included in this list are goods that, despite there being a legitimate reason for their export, can be used for violating human rights. For example the chemicals used in pharmaceuticals. These products are all subject to vigorous regulations that require an export license from the official issuers in the country of origin.

7iber met with the team at Citizen Lab to discuss the research that played a large part in exposing spy systems around the world and graphing the movement of the European, Israeli, and Canadian systems which were spying on various countries in the world. We discussed the Lab’s research and mode of operation with the director, Dr. Ronald Deibert, and researchers Jon Scott and Bill Marczak.

7iber: Through your work on mapping spyware programs and tracking malware,are there any rising trends in the tactics that Arab countries use to target activists or political dissent?

Bill: One trend we’ve seen, particularly in the UAE, is a desire to build some of their own surveillance solutions themselves, rather than buying them.  For example, Stealth Falcon (recently identified as UAE cybersecurity company DarkMatter), built their own custom spyware, and used it to target dissidents and UAE journalists.

Governments in the Gulf Cooperation Council (GCC) also seem to be wising up to the fact that Citizen Lab and others are exposing targeted surveillance operations.  For example, we saw in the leaked Hacking Team emails that these governments wanted to sell to Bahrain’s National Security Agency (BNSA), but Hacking Team were told that BNSA was still apparently  facing internal pressures from revelation that they used FinFisher to spy on opposition groups. In the long term, the work carried out by Citizen Lab and other organisations will cause GCC governments to lean more towards supporting attacks where the agencies conducting them are less likely to be identified and have the attacks attributed to them.

The “One Million Dollar Dissent” investigation that the lab recently published on the targeting of the Human Rights activist Ahmad Mansoor, revealed that the Israeli company ‘NSO Group’ hired by the UAE government, used what is called “zero-day attack” on Mansoor’s iPhone.  On  the same day, Apple announced a new IOS update to patch the security loophole. Can you explain to a nontechnical reader what a “zero-day attack” is? And how were you able to track its source?

Jon: The case began with a previous report called Stealth Falcon and it was an investigation of malware attacks against bloggers and other activists in the UAE who were critical of the regime. For the purposes of the attack, we found that the attackers were using a fake link shortener that captured information about their computers and identities, and while doing that work we found a mysterious set of domains of web logs which we then discovered had a historic, tenuous link to something called NSO Group.

Then around August 9th Ahmad Mansour got in contact with us expressing his suspicions about a text message he received . So we got these text messages that had been sent to his phone, and we realised very quickly once we looked at this infiltration that we were looking at something unique, Zero-day x. For those who don’t know, Zero-day x means the equivalent of a backdoor in a piece of software or device, not known even to the manufacturer. The term “zero day” itself means that it has been known for that number of days to developers who build the product. Zero day infection could have turned Mansoor’s iPhone to a digital pocket spy, that for example could control the phone’s camera and mic for eavesdropping, record his conversations and monitor his movements.

Once we determined that we are looking at a zero-day we initiated contact with Apple, and worked very closely with them as we continued our investigation so that on the same day we published our report Apple began pushing updates to every single iPhone, and a couple of days later, Apple pushed out updates to Mac OS as well.

Why would the UAE acquire an NSO program for malware attacks despite already having FinFisher, BlueCoat, and HackingTeam?

Bill: There are a couple reasons for why this may be the case. First of all, different products may work better on different platforms.  For example, NSO only sells spyware for mobile phones. If you want to target computers too, you’ll need to buy either Hacking Team or FinFisher as well. Secondly, governments may wish to evaluate which product is easier to use or gives them greater success.  Also, given that Citizen Lab has been exposing infrastructure associated with Hacking Team, FinFisher, and NSO, there may be a desire on the part of governments to not have all of their cyber-operations using one software so that if one gets burned, the government doesn’t lose everything. Thirdly, there might be different departments or agencies in a government that purchase spyware, perhaps from different vendors. For instance, we saw in Egypt that there were two different agencies, the Ministry of Defense and the Technology Research Department (TRD), that purchased Hacking Team. The TRD also purchased FinFisher. In the UAE, there were two different agencies (Ministry of the Interior and the Intelligence Ministry), in Saudi Arabia it was the same two agencies, in Lebanon it was the General Directorate of General Security and Internal Security Forces, and so on and so forth.

Your Stealth Falcon report investigates the use of social engineering to compromise activists and journalists. Social engineering is where the sender of a message appears as if they  know you personally. What checklists should a user have in place to verify whether or not a tweet or an email was socially engineered to compromise them?

Bill: It’s actually quite hard because many activists and journalists are constantly receiving emails from new people as part of their normal work. For example, new sources might contact journalists, and new collaborators or NGO’s may contact activists. Often, these communications involve links or attachments. Sometimes, we can open attachments safely.  For example, if it’s a Word, Excel, or Powerpoint document or a PDF, we can upload the attachment to Google Drive, and then preview and edit it on Google Drive. Previewing on Google Drive is a great way to avoid risks, since the file is never opened on your computer. Instead, Google opens it and shows it to you. If the file doesn’t display on Google Drive, that is a sign the file may be suspicious.

It’s also a good idea to check messages you receive, to see if they display signs of social engineering.  First of all, check if the message is trying to get you do something urgently, which is a common social engineering tactic. An example of fake urgency is an attack that says “if you don’t click on this link, we will suspend your Gmail account.”

Often, attackers will direct you to new or unfamiliar websites. So, secondly, check to make sure you recognise the website that the link is going to. If it’s a short link like or, then you can go to a website like “” and paste in the URL, and then check to see if you recognise the website in the long URL. Then open that website directly if you recognise it.  You can also check links and attachments using ““.

Another thing attackers might do is spoof messages to look like they come from your friends.  For example, one common technique is creating Gmail, Twitter, or Facebook accounts that have the same profile picture, and almost the same name (maybe one letter will be different).  Then,

the fake account will send you a link or attachment posing as your friend.  It’s a good idea to verify with your friends (for example, by calling them) if you get something that seems to be from a friend and looks suspicious.

Should the existence of surveillance or spyware programmes that can linked back to State agents by interpreted as a tool to oppress dissent?

Bill: No, I don’t think we can automatically conclude this. Of course the spyware has legitimate and lawful uses like investigating and preventing crimes and terrorism. Unfortunately, though, these companies seem to sell to any government agency willing to buy, and so spyware winds up in the hands of government agencies with a documented track record of oppressing dissent. If we can show that Hacking Team or FinFisher was acquired by a specific agency with a documented track record of oppressing dissent, then I think the agency will most likely abuse spyware for the same ends.

Ron: Police need to monitor criminal activities that happen in cyberspace. There is a fair argument being made that software like Hacking Team enables them to do their job. Some people disagree with that entirely and think that malware is malware and whether it is spyware or not we should outlaw it all. If you live in a democracy, you have to have something that protects against the abuse of these technologies. So, if police officers want to compromise somebody who is active in activities of a definite criminal nature, such as child sexual exploitation, then it may be okay to use this kind of technology against them, granted there is a warrant issued by a judge. I think the problem is that in most of these cases, we have seen no checks and balances, no judicial authority and no warrant, and so criminals are left unharmed but Human Rights’ activists like Hisham Amirat and Ahmed Mansour are pursued and prosecuted. There is certainly abuse of this technology going on, and how you prevent that from happening is the question. We can’t outlaw the technology but we do need to prevent the abuse of that technology.

Was Citizen Lab shocked in the same way that the world was on the extent of the spying and intelligence activities that the Snowden files revealed?

It is safe to say that there has been a growing trend of more and more state involvement in cyberspace and surveillance and this is something that had been building up long before the Snowden disclosure. The most divisive turning point was probably 9/11, which prompted a significant shift in the intelligence gathering paradigm in the US. When that happened it affected the country’s allies as well as its adversaries, and began what was then dubbed the “global war on terror”, part of which is really a just planetary intelligence gathering operation that involves all aspects of the internet infrastructure from controlling satellite communications and remote censoring to drones and undersea cables. The Snowden disclosures brought a lot of this news to the public eye. Some people knew about it before this. There were people like me who were interested in the topic and had a broad sense of what was going on, but didn’t quite grasp the scale of what was happening as is possible now when looking very closely at the Snowden disclosures. The depth, scope, and scale were all pretty remarkable, in the US especially but in the rest of the “Five Eyes” intelligence gathering states (Australia, Canada, New Zealand, and the UK) as well.