A new research report from Citizenlab painstakingly traces the origins of a series of sophisticated hacking attacks launched at Rori Donaghy, a UK journalist for Middle East Eye who founded the Emirates Center for Human Rights, which reports critically on the autocratic regime that runs the UAE, and 27 other targets.
Citizenlab calls the operation "Stealth Falcon," and the campaign involved a mesh of fake human rights organizations with associated social media accounts, malicious URL shorteners, JavaScript-based browser profiling on compromised sites, and Office 365 macros that attacked their host computers.
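One defensive check that follows from the macro angle of this campaign: triage incoming Office attachments for embedded VBA before anyone is tempted to click "Enable Content". The script below is an added example written for this summary, not code from Citizen Lab or from the report; it relies on the Office Open XML packaging format (a document is a zip whose VBA code lives in a `vbaProject.bin` part, and whose `[Content_Types].xml` declares a `macroEnabled` main part), and the sample documents it builds are constructed stand-ins, not files from the campaign. The function and file names (`find_macro_parts`, `triage_attachment`, `build_sample`) are this example's own.

```python
import io
import zipfile

# Extensions Office treats as macro-enabled. A .docx/.xlsx/.pptx will not run
# VBA even if a vbaProject.bin is smuggled in, but a macro part inside one is
# still worth flagging as anomalous.
MACRO_ENABLED_EXTENSIONS = (".docm", ".dotm", ".xlsm", ".xltm", ".xlam", ".pptm", ".potm")

# Zip entry name OOXML uses for the compiled VBA project (assumption of this check:
# the part may sit under word/, xl/ or ppt/, so we match on the suffix only).
MACRO_PART_SUFFIX = "vbaproject.bin"


def find_macro_parts(data: bytes) -> list[str]:
    """Return the names of macro-bearing parts in an OOXML package given as bytes.

    Returns [] for a macro-free package, and also for input that is not a zip at
    all (legacy OLE2 .doc/.xls files are outside this check's scope).
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [name for name in zf.namelist() if name.lower().endswith(MACRO_PART_SUFFIX)]
    except zipfile.BadZipFile:
        return []


def declares_macro_content_type(data: bytes) -> bool:
    """True if [Content_Types].xml advertises a macroEnabled main part."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            if "[Content_Types].xml" not in zf.namelist():
                return False
            return b"macroEnabled" in zf.read("[Content_Types].xml")
    except zipfile.BadZipFile:
        return False


def triage_attachment(filename: str, data: bytes) -> dict:
    """Summarise why an attachment deserves a second look before it is opened.

    The verdict is a plain dict so it can be logged or fed to a mail gateway rule.
    """
    lower = filename.lower()
    macro_parts = find_macro_parts(data)
    reasons = []
    if lower.endswith(MACRO_ENABLED_EXTENSIONS):
        reasons.append("macro-enabled extension")
    if macro_parts:
        reasons.append("contains VBA project part: " + ", ".join(macro_parts))
    if declares_macro_content_type(data):
        reasons.append("content types declare macroEnabled part")
    if macro_parts and not lower.endswith(MACRO_ENABLED_EXTENSIONS):
        # A macro payload hiding behind a non-macro extension is a stronger signal
        # than either fact on its own.
        reasons.append("extension/content mismatch")
    return {"filename": filename, "suspicious": bool(reasons), "reasons": reasons}


def build_sample(with_macro: bool) -> bytes:
    """Construct a minimal stand-in OOXML package (constructed test data, not a real document)."""
    main_type = (
        "application/vnd.ms-word.document.macroEnabled.main+xml"
        if with_macro
        else "application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(
            "[Content_Types].xml",
            f'<Types><Override PartName="/word/document.xml" ContentType="{main_type}"/></Types>',
        )
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-placeholder-not-real-vba")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in (("report.docm", build_sample(True)),
                       ("report.docx", build_sample(True)),
                       ("report.docx", build_sample(False))):
        print(triage_attachment(name, blob))
```

In a mail pipeline the interesting output is the `reasons` list: a macro-enabled extension alone is common in legitimate business mail, whereas a VBA part inside a file named `.docx`, or a macro-enabled attachment arriving from a newly created "human rights organization" address, is the kind of campaign feature the report says makes inboxes such a productive place to investigate.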
The researchers show strong circumstantial evidence to suggest that the UAE government launched these attacks.
Stealth Falcon’s technical approach may not be cutting edge, but the operators are neither unsophisticated nor ineffective. Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets. Stealth Falcon’s campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign.
Contemporary social movements and civil society groups rely heavily on the internet for both their core operations and their advocacy activities. Yet these groups are often operating outside a centrally managed IT environment. The constant sharing of links and materials, as well as regular communications with journalists, makes them especially vulnerable to targeting with social engineering.
However, the emphasis on social engineering can also cut in the other direction. Many modern attack techniques require an attacker to interact with a target. When operators like Stealth Falcon send malicious e-mails and tweets, there are a range of opportunities for retrospective investigation. As this report shows, the inboxes of targets, for example, are often a more efficient object of investigation than computers themselves, especially once features of a particular campaign are recognized.
Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents
[Bill Marczak and John Scott-Railton/Citizenlab]