Future Tense

Phony WikiLeaks Tricks Activist Into Downloading Government-Grade Spyware

A person checks a laptop in Dubai

Photo by KARIM SAHIB/AFP/Getty Images

Western companies that sell government-grade spyware say it’s designed to prevent and detect serious crime. But ever-mounting evidence suggests their advanced surveillance tools are being sold to authoritarian regimes where it’s being used for political purposes.

In August, I reported for Future Tense that citizen journalists in Morocco had been targeted by a sophisticated trojan. A team of award-winning reporters for the Mamfakinch.com website were duped into downloading what appeared to be a Microsoft Word document containing evidence of a scandal, but was actually spyware. Security researchers who studied the trojan believed that it was manufactured by an Italian company called Hacking Team, which offers governments and law enforcement agencies what it calls “’an offensive solution for cyber investigations.” Hacking Team’s technology is designed to secretly infect a computer and siphon data, such as by spying on Skype chats, logging keystrokes, and even taking webcam snapshots.

Now it has emerged that Mamfakinch does not appear to have been the only victim of the Hacking Team technology. A report today by Morgan Marquis-Boire, a Citizen Lab security researcher, has found that a prominent activist-blogger based in the United Arab Emirates has also been targeted with a spy trojan that has all the hallmarks of Hacking Team’s shadowy product. Ahmed Mansoor, who was imprisoned last year over charges of insulting the country’s vice president and threatening state security, received an email in July claiming to be from “Arabic WikiLeaks.” A fake .doc file contained in the email masked a trojan with some of the same elements as the version found in Morocco. (The trojan depends on a security flaw within Microsoft Office software, a kind of vulnerability often described by hackers as a “zero-day exploit.”) It was also linked, Citizen Lab found, to the hackingteam.it domain name. As of the time of publication, Hacking Team had not responded to my request for comment.

The consequences for Mansoor have been severe. Not long after he was targeted by the spyware, he was physically attacked. He told Bloomberg that although the spyware and the attack may not be directly related, “he suspects it is part of a broader pattern of surveillance” that has involved tracking him by his mobile phone.

The dossier of evidence linking Western companies to cases of dissident monitoring in the Middle East has been expanding rapidly in recent months. In July, a number of Bahraini activists were targeted with a Trojan tool purportedly designed by British spy tech company Gamma Group. This may have led in turn to the British government’s subsequent decision to restrict sales of Gamma’s “FinSpy” software, which is in line with an ongoing effort in the European Parliament to bring in stricter rules for spy gear sales. The nearest equivalent in the Unites States is the push by Republican Rep. Chris Smith for the adoption of the Global Online Freedom Act, designed to limit sales of surveillance and censorship technologies to countries where it may be abused.