
Spying on Opposition, Dissidents, Scribes Becomes More Dangerous

Authoritarian regimes can now hire cyber criminals on the sly, without the kind of official government-to-government agreement that acquiring Pegasus required.

Image Credit: Aman Khatri

Snooping on opposition politicians, journalists, political dissidents or even business rivals seems to have become the norm. It is also becoming easier with new methods, technology and people available to carry out such tasks without much difficulty.

In 2021, it was the Pegasus Project. Now, cybersecurity groups have identified several cyber criminal outfits and individuals, including those acting like mercenaries, who can be engaged and used by any power—either governments, their agencies or even the big business—against their ‘enemies’.

Journalists make up a large share of the victims, and political dissidents are increasingly the main target of these attackers. They do not merely snoop to find out what a target is up to: by compromising mobile phones, laptops and desktop computers they can exfiltrate the target's data and disrupt their work and even their personal lives. Most of the time, victims never learn that they were being tracked or hacked.

To understand the level of threat posed by ‘political’ cyber criminals, the Pegasus Project, its impact and its reach have to be understood first. The Pegasus spyware was created by an Israeli cyber arms firm, the NSO Group, whose exports are licensed by the Israeli Ministry of Defence.

Though NSO claims the spyware was developed for investigating “serious crimes and terrorism”, governments around the world used it largely against individuals who were not criminal suspects, chiefly dissidents. A list of about 50,000 phone numbers, mostly belonging to opposition politicians, political dissidents, journalists, lawyers and human rights activists in various countries, was leaked in 2020. As many as 14 presidents, prime ministers and diplomats were also on the list. The spyware was bought by several governments under agreements with Israel.

Forensic inspection of a significant number of the listed phones by Amnesty International’s cybersecurity team showed that the malware had been covertly installed on devices running both iOS and Android. Amnesty International shared its findings with 17 global media organisations, leading to protests in several countries, including India, with protestors demanding a probe into the acquisition and use of Pegasus, accountability for its abuses and limits on the trade in such repressive malware.

A new situation has arisen now—a government or a large corporation can easily access these cyber criminals or mercenaries, who can be hired or their spyware bought to plant spy malware inside the devices of the target.

Threatpost, a Massachusetts (US)-based independent cybersecurity news organisation, recently published a report on such emerging threats. Since 2021, various “state-aligned threat groups” have stepped up their targeting of journalists to steal data and credentials and to track them, according to the report. Quoting researchers at the cybersecurity firm Proofpoint, the report said there have been “efforts by advanced persistent threat (APT) groups. ... Attacks began in early 2021 and are ongoing. The APTs are acting independently of each other but share the same overall goal of targeting journalists. Tactics are also similar with threat actors targeting email and social media accounts as phishing inroads in cyberespionage campaigns”. Sunnyvale (California)-based Proofpoint says it protects “people, data and brand against advanced threats and compliance risks”.

Another aspect of cybercrime targeting individual freedom is pointed out in an article by Threatpost writer Elizabeth Montalbano. A “cybergang” called the Atlas Intelligence Group (AIG) has recently been spotted by security researchers recruiting independent black hat hackers to execute specific parts of its own campaigns, she reported.

AIG, also known as the Atlantis Cyber-Army, functions as “a cyber-threats-as-a-service criminal enterprise. This group markets services including data leaks, distributed denial of service, remote desktop protocol hijacking and additional network penetration services”, according to the report. AIG, the for-hire cyber criminal group, “is feeling the talent drought in tech just like the rest of the sector and has resorted to recruiting so-called ‘cyber mercenaries’ to carry out specific illicit hacks that are part of larger criminal campaigns”.

The report further stated that AIG is “unique in its outsourcing approach to committing cybercrimes. ... For example, Ransomware-as-a-Service organised crime campaigns can involve multiple threat actors—each getting a cut of any extorted lucre or digital assets stolen. What makes AIG different is it outsources specific aspects of an attack to ‘mercenaries’, who have no further involvement in an attack. ... only AIG administrators and the group’s leader—dubbed Mr. Eagle—know fully what the campaign will be and outsource isolated tasks to hired guns based on their skillsets”.

Journalists have been targeted before, but not like this. How do these cyber mercenaries attack a journalist or a dissident activist? The attacks typically involve some form of social engineering to lower the target’s guard and coax them into downloading and executing malicious payloads on their personal devices, the researchers said. The lures include emails and messages sent over social media platforms on topics within the journalist’s own beat, political or otherwise.

“In various instances, the attackers would lie low after the malware infection. This would enable them to gain persistence on a recipient’s network and help them conduct lateral network reconnaissance and propagate additional malware infections within the target’s network. Secondary tactics included tracking or surveilling journalists.”

Proofpoint said that adversaries also used web beacons for surveillance: tiny or invisible remote images embedded in emails sent to journalists, which, when the message is opened, tell the sender that it was read and reveal the reader’s IP address and device details. While the latest report tracks some of the most recent activity against journalists, targeting this group is certainly not novel given the kind of information they hold on political and socio-economic issues, the researchers noted.

“APT actors, regardless of their state affiliation, have and will likely always have the mandate to target journalists and media organisations and will use associated personas to further their objectives and collection priorities,” they wrote. Moreover, this focus on media by APTs is unlikely to ever wane, which should inspire journalists to do everything they can to secure their communications and sensitive data, they said.

The Proofpoint researchers delved deep into these attacks on journalists. Among the examples they described was the targeting of media personnel in Southeast Asia with emails carrying a malicious Royal Road RTF attachment. If opened, the attachment would “install and execute Chinoxy malware—a backdoor that is used to gain persistence on a victim’s machine”. Early this year, a US-based media organisation was the target of phishing emails that appeared to offer journalists job opportunities at reputable companies. The attack was reminiscent of a similar one against engineers that the same APT group had mounted in 2021.

“The sites were fraudulent and the URLs were armed to relay identifying information about the computer or device someone was working from to allow the host to keep track of the intended target,” the researchers said. Another example was that of a state-sponsored actor which hid behind the persona of a fake media organisation to deliver malware to public relations personnel for companies located in the United States, Israel and Saudi Arabia.
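The web beacons and armed URLs described in the two passages above both work the same way: a remote resource carries a per-recipient token, and fetching it hands the sender the reader’s IP address and User-Agent. The scanner below is an added example for this article, not Proofpoint’s or Threatpost’s code; it checks an HTML email body for remote images that are tiny or hidden, and for image or link URLs that carry identifier-like query parameters. The parameter names, the size threshold and the sample message are assumptions constructed for the example.

```python
"""Flag web beacons and per-recipient tracking links in an HTML e-mail body.

Added example, not code from the article or from Proofpoint.  A web beacon
is a remote image (often 1x1 pixel or hidden by CSS) whose URL carries a
token unique to the recipient; loading it confirms the message was opened
and leaks the reader's IP address and User-Agent.  Heuristic parameter
names and the sample message below are constructed for this example.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Assumed heuristics: common identifier parameters, and image sizes too small to be content.
TRACKING_PARAMS = {"uid", "rid", "cid", "email", "e", "id", "track", "t"}
TINY_SIZES = {"0", "1", "2"}
OPAQUE_TOKEN_LEN = 32  # a hex/base64 value this long is treated as a per-recipient token


def has_tracking_token(url: str) -> bool:
    """True if the query string carries an identifier-like parameter."""
    query = parse_qs(urlparse(url).query)
    return any(
        key.lower() in TRACKING_PARAMS or len(values[0]) >= OPAQUE_TOKEN_LEN
        for key, values in query.items()
        if values
    )


class BeaconParser(HTMLParser):
    """Collects (kind, url, reasons) for every suspicious <img> or <a>."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src", "")
            if not src.startswith(("http://", "https://")):
                return  # inline (cid:) or data: images cannot call home
            reasons = []
            if a.get("width", "") in TINY_SIZES or a.get("height", "") in TINY_SIZES:
                reasons.append("tiny image")
            style = (a.get("style") or "").replace(" ", "").lower()
            if "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden image")
            if has_tracking_token(src):
                reasons.append("per-recipient token in URL")
            if reasons:
                self.findings.append(("beacon", src, reasons))
        elif tag == "a":
            href = a.get("href", "")
            if href.startswith(("http://", "https://")) and has_tracking_token(href):
                self.findings.append(("tracking-link", href, ["per-recipient token in URL"]))


def scan_html(body: str) -> list:
    """Return the list of beacon / tracking-link findings in document order."""
    parser = BeaconParser()
    parser.feed(body)
    parser.close()
    return parser.findings


# Constructed sample: a lure with a harmless logo, one armed link, one plain link,
# a 1x1 beacon with a recipient id, and a CSS-hidden beacon.
SAMPLE_EMAIL = """<html><body>
<p>Dear colleague, we read your latest report and would value your comment.</p>
<img src="https://cdn.example.invalid/logo.png" width="200" height="60">
<p>Full briefing: <a href="https://news.example.invalid/briefing?rid=7f3a9c2e1b8d4e6f0a1b2c3d4e5f6a7b">here</a></p>
<p>Our site: <a href="https://news.example.invalid/about">about us</a></p>
<img src="https://t.example.invalid/o.gif?uid=journalist-42" width="1" height="1">
<img src="https://t.example.invalid/p.png" style="display: none">
</body></html>"""

if __name__ == "__main__":
    for kind, url, reasons in scan_html(SAMPLE_EMAIL):
        print(f"{kind:14} {url}  ({', '.join(reasons)})")
```

The defensive counterpart is simpler than the detector: configure the mail client not to load remote images automatically, so a beacon is never fetched, and treat links with long opaque tokens as confirmation that the sender is tracking who clicks.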

“Between September 2021 and March 2022, Proofpoint observed campaigns by the prolific threat actor that occurred approximately every two to three weeks,” the researchers said. In one campaign in March 2022, the threat actor sent an email with the ironic subject line ‘Iran Cyber War’ that ultimately dropped a remote access trojan on the victims’ machines. “The campaign was seen targeting both individual and group email addresses at a handful of Proofpoint customers involved in energy, media, government and manufacturing,” the researchers added.

With individual hackers and cyber criminal groups active on the dark web and across the Internet, it is becoming easier for authoritarian and autocratic governments to target opposition leaders, political dissidents, human rights activists and journalists. These regimes can hire such cyber criminals on the sly, without the kind of official agreement that acquiring Pegasus required.

The writer has extensively covered internal security, defence and civil aviation for the Press Trust of India for three decades. Views are personal.
