Spyware Leaves Trail to Beaten Activist Through Microsoft Flaw
On a Monday in July, Ahmed Mansoor sat in his study in Dubai and made the mistake of clicking on a Microsoft Word attachment that arrived in an e-mail, labeled “very important” in Arabic, from a sender he thought he recognized.
With that click, the pro-democracy activist unwittingly downloaded spyware that seized on a flaw in the Microsoft Corp. (MSFT) program to take over his computer and record every keystroke. The hackers infiltrated his digital life so deeply they still accessed his personal e-mail even after he changed his password.
Since then, Mansoor, 42, an electrical engineer and father of four, says he has suffered two beatings by thugs in September during his campaign for citizens’ civil rights in the Persian Gulf federation of the United Arab Emirates. While those assailants remain unknown, researchers say they’ve figured out what was behind the virtual assault.
The spyware that penetrated his laptop appears to be a Western-made surveillance tool sold to police and intelligence agencies that’s so powerful it can turn on webcams and microphones and grab documents off hard drives, according to the findings of a study being published today by the University of Toronto Munk School of Global Affairs’ Citizen Lab.
Mansoor’s predicament shows how nations have rapidly moved beyond the surveillance of phone and e-mail transmissions to rifle through the most intimate details stored by personal computers and the smartphones that citizens carry with them everywhere. The tools, which can peer into people's living rooms and access rough drafts of love letters, business strategies or plans for street demonstrations, mark the latest escalation in a digital arms race between governments and the people they watch.
As traditional monitoring of communications has pushed dissidents to encrypt e-mails and shun phone lines for Skype, Mansoor’s story shows how governments are countering with off-the-shelf commercial spyware that in the wrong hands can be turned against people fighting for democracy, rather than the products’ advertised targets such as criminals and terrorists.
“People need to understand how this type of thing occurs and under what circumstances, because without oversight these systems will be prone to abuse,” says Morgan Marquis-Boire, 33, the San Francisco-based researcher who led today’s study independently of his job as a security engineer at Google Inc.
Remote Control System, a tool made by Milan-based HackingTeam, is the product that the findings indicate infected Mansoor’s computer.
The details of how the software takes over a computer or smartphone expose the important role played by spyware’s enablers -- from software makers, which often send flawed products to market, leaving computers vulnerable to attack; to companies run by hackers-turned-executives that profit from the bugs, building and selling tools called exploits that turn the weaknesses into open doors for intruders.
Mansoor’s is not the only case of Western-made hacking software targeting political dissidents, who in the past two years have embraced the power of the Internet and cell-phone text messages to share information and organize -- only to see those technologies used against them.
Earlier this year, Bahraini activists, including two people who now live in the U.S. and Britain, received e-mails laden with FinFisher spyware made by U.K.-based Gamma Group, showing the far-reaching capabilities of the hacking tools. Marquis-Boire also participated in identifying FinFisher in July after Bloomberg News provided him with the e-mails as part of an investigation into the abuses of electronic intrusion products and the costs and threats of global cyber espionage and its enablers.
HackingTeam and Gamma say on their websites that they only sell the surveillance systems to governments.
The work of unmasking these tools is already serving to protect people from them. The world’s biggest computer security companies such as McAfee Inc., and Symantec Corp., have since written anti-virus protection based on the FinFisher samples.
HackingTeam Chairman David Vincenzetti didn’t respond to e-mailed requests for comment or to messages left at his office. Vincenzetti, 44, the company’s biggest shareholder, co-founded the privately held, 35-employee company in 2003, according to its website. There it boasts in bold black and red letters its ability to give clients, “Total control over your targets. Log everything you need. Always. Anywhere they are.”
A U.A.E. government spokesman didn’t respond to several e-mailed requests for comment.
More than a year after the 2011 Arab Spring uprisings exposed repressive regimes’ abusive surveillance of phone calls, text messages and e-mails, examples of more intrusive monitoring are surfacing.
In July, the software that appears to be HackingTeam’s also targeted a group of journalists in Morocco who run a pro-democracy website, Mamfakinch.com, today’s study shows, confirming earlier findings by other researchers. The site, formed in the wake of 2011’s street protests, had just won an Internet freedom award from Mountain View, California-based Google and Global Voices, an online community promoting free speech.
“It’s very easy to fall into these traps,” says Mansoor, who says he has a master’s degree in telecommunications. He contacted Citizen Lab researchers after reading about their work on the nearby Persian Gulf kingdom of Bahrain.
The disclosures are putting pressure on Western governments to rein in the largely unregulated monitoring trade. Sales by European and U.S. companies of digital eavesdropping systems to governments around the world are legal, with some exceptions for countries such as Syria and Iran.
The British government informed Gamma in August that it must obtain export licenses to sell its FinSpy tool outside the European Union.
The U.K. is now lobbying other Western nations to amend their conventions on arms-related exports to include some surveillance technology, according to the U.K. Department for Business.
Martin J. Muench, the managing director of Gamma’s Munich-based German unit, which develops the FinFisher product line, including FinSpy, says his company complies with the export regulations of Germany, the U.K. and U.S. The samples reported on by Citizen Lab are demonstration copies of FinSpy, not the fully operational versions sold to clients, he says.
Technologies sold by HackingTeam and Gamma are a type of malicious software, or malware, known as a Trojan, named after the legendary wooden horse that Greek warriors used to sneak into Troy before sacking the ancient city. They are the retail cousins of state-made cyber weapons such as the Stuxnet computer worm, which damaged centrifuges in an Iranian nuclear plant and was jointly developed by the U.S. and Israel, according to the New York Times.
To make the intrusions work, malware often relies on flaws in some of the most common computer applications.
In Dubai, the Trojan snuck into Mansoor’s laptop by using an exploit aimed at a specific bug in Microsoft Office software, Marquis-Boire found.
The flaw, catalogued as CVE-2010-3333, has been a hackers’ favorite around the globe -- even after Redmond, Washington-based Microsoft issued a fix in November 2010, available for download online.
One China-based hacking campaign that targeted Tibetan activists and industries including energy and military research has used that weakness in most of its 90 attacks since June 2011, according to a report published by Tokyo-based Trend Micro Inc. in March.
“An attacker who successfully exploited this vulnerability could take complete control of an affected system,” the Microsoft bulletin that alerted users to the patch said two years ago. “An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.”
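The article names the flaw but not how it is triggered. CVE-2010-3333, fixed by the MS10-087 bulletin quoted above, is a stack buffer overflow in Word’s RTF parser that fires on an oversized value in the \sv control word of a pFragments shape property. The script below is an added example, not code from the article, from Citizen Lab or from Microsoft: it triages an e-mail attachment for that pattern before anyone opens it. The sample documents, the length threshold and the "truncated header" heuristic are constructed assumptions for illustration.

```python
import re

# Word accepts a truncated "{\rt" header as well as the proper "{\rtf1";
# malicious RTFs often use the short form, so we treat it as a weak signal.
RTF_MAGIC = b"{\\rt"

# Structure of a pFragments shape property: {\sp{\sn pFragments}{\sv ...}}
# CVE-2010-3333 (MS10-087) is a stack overflow in the parsing of the \sv value.
PFRAGMENTS_RE = re.compile(
    rb"\{\\sn\s*pFragments\s*\}\s*\{\\sv\s*([^}]*)\}", re.IGNORECASE)

# Assumption: benign pFragments values are short hex strings. An exploit
# needs far more data than this to overrun the stack buffer.
MAX_SAFE_SV_LEN = 64


def triage_rtf(data: bytes) -> dict:
    """Return {"is_rtf", "suspicious", "findings"} for an attachment."""
    findings = []
    body = data.lstrip()
    if not body.startswith(RTF_MAGIC):
        return {"is_rtf": False, "suspicious": False, "findings": findings}

    if not body.startswith(b"{\\rtf"):
        findings.append("truncated RTF header '{\\rt' (heuristic, common in malicious samples)")

    for match in PFRAGMENTS_RE.finditer(body):
        value = re.sub(rb"\s+", b"", match.group(1))   # ignore whitespace padding
        if len(value) > MAX_SAFE_SV_LEN:
            findings.append(
                f"pFragments \\sv value of {len(value)} bytes "
                f"exceeds {MAX_SAFE_SV_LEN} (CVE-2010-3333 pattern)")

    return {"is_rtf": True, "suspicious": bool(findings), "findings": findings}


# Constructed samples (not real malware): a benign document with a short
# pFragments value, a suspect one with an oversized value, and a non-RTF file.
BENIGN_RTF = rb"{\rtf1\ansi{\shp{\sp{\sn pFragments}{\sv 1;1;0102}}}}"
SUSPECT_RTF = rb"{\rt{\shp{\sp{\sn pFragments}{\sv 1;1;" + b"ff" * 200 + b"}}}}"
NOT_RTF = b"PK\x03\x04" + b"\x00" * 16   # ZIP magic, e.g. a .docx container


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_RTF), ("suspect", SUSPECT_RTF), ("docx", NOT_RTF)):
        print(name, triage_rtf(sample))
```

Real samples vary the surrounding tokens and pad the value with whitespace or junk control words, so the regex is a first-pass filter, not a parser; anything it flags should be detonated in a sandbox or checked against a patched Office build rather than opened.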
“We continue to encourage customers to apply the bulletin to ensure they are protected,” Yunsun Wee, director of Microsoft’s Trustworthy Computing Group, which handles security and privacy issues for the company, said in an Oct. 4 statement.
Mansoor says he bought his laptop this year and doesn’t know if his Microsoft Office was fully updated.
Marquis-Boire’s research led him to seek the origins of the code that exploited the Microsoft flaw in Mansoor’s case, a hunt that took him on a detour to other samples of similar malware in a public database.
The exploit contained in one sample raised the possibility that a vulnerability linked to Montpellier, France-based Vupen Security SA was used to gain entry into Mansoor’s computer with HackingTeam’s Remote Control System, the report says.
Vupen Chief Executive Officer Chaouki Bekrar said in e-mails that his company has no relationship with HackingTeam and has nothing to do with any exploits found in HackingTeam’s product.
Marquis-Boire’s reasoning is based on discovering an exploit created when only Vupen and its clients may have known about it, and finding it had similarities to the exploit used in Mansoor’s case.
In the key sample Marquis-Boire found, the attached exploit was based on a bug in Adobe Systems Inc. (ADBE)’s Flash Player, the browser plug-in that plays Flash content.
Vupen had discovered that flaw in January and shared it with customers before publicly disclosing it in August, according to a notice on an online mailing list in which Vupen appears to take credit for the find. In a series of e-mails asking about the notice, Bekrar didn’t dispute that the document correctly represented the company’s discovery of the flaw, without directly addressing questions about its authenticity.
With those dates in hand, Marquis-Boire built a timeline showing when, according to Vupen’s post, the firm had discovered the bug and when the bug was made public. The malware with the Adobe exploit bore a date stamp of May, the report says, midway between the dates.
That meant Vupen knew about the flaw when the malware was built.
Marquis-Boire then compared the Trojan sample that used the Adobe flaw to the malware that hit Mansoor. He found that the computer code written to deliver each of the two exploits was similar, the report says.
The Citizen Lab report says, however, that while Vupen takes credit for discovering the Adobe bug, it’s possible the exploit was made by another party.
Vupen’s Bekrar said in an Oct. 3 e-mail that, “There is absolutely no evidence that links us to those samples, this is a common and classic vulnerability collision issue where other researchers unrelated to us have probably found the same vulnerability, they exploited it, and they supplied the code to HackingTeam or their customers.”
Vupen wrote exploits for both flaws only after the software makers released patches for the programs, Bekrar said in a separate e-mail. Doing so allows customers to protect against attack, he said.
He declined to comment further on Oct. 4, saying, “Since there is no evidence or proof that the code came from us, we will not comment nor respond to any other question.”
Adobe spokeswoman Wiebke Lips said the San Jose, California-based company alerted customers about the vulnerability in an Aug. 21 security bulletin and had no comment on findings that commercial spyware had capitalized on the flaw.
Governments that buy these tools -- including the U.S. -- and suppliers such as Vupen are purposely keeping the Internet unsafe, says Christopher Soghoian, principal technologist for the American Civil Liberties Union’s speech, privacy and technology project. Allowing the market to flourish could backfire if these tools start being used against us, he says.
“By fueling and legitimizing this global trade, we are creating a Pandora’s box,” Soghoian says.
The confluence of hacking and surveillance is scheduled to be on view Oct. 11 in Washington at the ISS World trade show -- known as the Wiretapper’s Ball -- where Vupen, HackingTeam and Gamma are the sole presenters for a program called “Encrypted Traffic Monitoring and IT Intrusion Product Training.”
The convention, at which makers of eavesdropping systems peddle their wares, is closed to the media. The daylong training session itself is further restricted to attendees from police, public safety or intelligence departments.
The ISS description of Bekrar’s hour-long talk provides clues to his company’s role in spyware.
“This session presents and demonstrates how VUPEN’s exclusive and sophisticated exploits taking advantage of computer and mobile vulnerabilities can be useful as attack vectors to remotely penetrate criminals’ PCs and phones (e.g. to install monitoring software) via various attack vectors.”
Vulnerabilities are actively tracked by hackers, software companies and government agencies alike, with each working in dual roles -- sometimes protecting people or companies from flaws, and other times using the tools for attacks.
A lucrative market for vulnerabilities and exploits has developed because companies in the market, such as Acton, Massachusetts-based Netragard Inc., pay bug hunters more for the information than the makers of the flawed software themselves.
Netragard CEO Adriel Desautels says that while the software industry might pay a few thousand dollars for vulnerabilities to patch systems and better protect customers, his company sometimes pays $100,000 or more for an exploit of an unknown flaw.
Shoddy products are to blame for the vulnerabilities, not the people profiting from the flaws, says Desautels, whose company motto is “We protect you from people like us.”
“The software vendors make people vulnerable,” Desautels says. His company only sells exploits in the U.S., he says.
Citizen Lab isn’t the first to identify the Trojan, which has been analyzed by several security companies, as HackingTeam’s. A Russian anti-virus company, Dr. Web, said in a July 25 report that the malware was HackingTeam’s, without explaining how it made the connection. The following day, Bellevue, Washington-based security company Intego, which had first described the malware under the name OSX/Crisis, said the Trojan had been used to target Moroccan journalists, without linking it to HackingTeam.
On Aug. 20, the Web magazine Slate connected the dots, publishing a story about the Moroccan journalists and saying evidence pointed to the spyware being HackingTeam’s. HackingTeam did not comment for that story.
Marquis-Boire writes in his Citizen Lab report that he can attribute the malware to HackingTeam because one of the samples he found -- an apparent demonstration copy that was similar to the Moroccan sample and the one sent to Mansoor -- transmits its data back to the Web location rcs-demo.hackingteam.it.
Since the July Citizen Lab study first unmasked FinSpy, researchers have traced Gamma’s product to at least 15 countries, including the U.A.E. It’s unclear whether government agencies in those countries are Gamma clients or whether the users may be based elsewhere.
The oil-rich U.A.E., a safe haven for investments by foreigners and multinationals in areas such as energy, finance and trade, stands apart from other Middle East nations that have been convulsed by unrest in the past year and a half. It has avoided most of the Arab Spring protests that toppled dictators in Tunisia, Libya and Egypt.
Still, the country’s lack of democracy has moved activists such as Mansoor to push for change, drawing official scrutiny, he says. He was imprisoned last year after signing a petition supporting elections, and became known as one of the “U.A.E. Five.” A presidential commutation of a three-year sentence for insulting the government’s top officials freed him, he says.
Mansoor’s cyber ordeal began on July 23. He was sitting in his home office when he received the malware-laden e-mail from a sender who used an address that looked familiar.
Once open, the document contained only scrambled data, giving him the first hint something was amiss. Unseen to him, the attachment had also delivered the exploit.
The infection complete, the Trojan established a connection out of Mansoor’s laptop to a command and control server, a computer from which spyware takes its instructions and to which it sends its pilfered data.
While Mansoor couldn’t tell the program was tracking his virtual movements -- stealing his e-mail password, and possibly more -- he did notice his computer started running slowly.
After seeing coverage of FinFisher and Bahrain, Mansoor reasoned he, too, may have been targeted by such software. He forwarded the infected e-mail to one of the researchers, Bill Marczak, a 24-year-old computer science doctoral candidate at the University of California Berkeley who also is active in the pro-democracy group Bahrain Watch.
Over the next couple of days, Marczak helped Mansoor make sense of the hack. Using the account-activity menus that Google provides its Gmail users, Mansoor found someone was logging into his account. The Gmail feature pinpointed the location of the unauthorized login to an Internet address in the Emirates.
Working with Marquis-Boire, they also found that the malware itself at times communicated with a Web address in the U.A.E.
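Two of the findings above are things a defender can look for in DNS logs: the Trojan’s regular connections out to its command and control server, and the demonstration sample’s reporting address rcs-demo.hackingteam.it that Citizen Lab used for attribution. The detector below is an added example, not code from the article or from Citizen Lab. The log format, the client addresses (RFC 5737 documentation ranges), the timestamps and the jitter threshold are constructed assumptions; the only indicator taken from the page is the domain itself.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumed log format, one DNS query per line (constructed for this example).
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+client=(?P<client>\S+)\s+query=(?P<qname>\S+)")

# Indicator reported by Citizen Lab: the demo sample's reporting address.
WATCHLIST = {"rcs-demo.hackingteam.it"}

# Constructed log: one host queries the indicator every 10 minutes (a beacon),
# makes irregular queries to an unrelated site, and a second host is idle.
SAMPLE_LOG = """\
2012-07-25T10:00:00Z client=192.0.2.10 query=rcs-demo.hackingteam.it. type=A
2012-07-25T10:01:00Z client=192.0.2.10 query=www.example.com. type=A
2012-07-25T10:03:00Z client=192.0.2.10 query=www.example.com. type=A
2012-07-25T10:10:00Z client=192.0.2.10 query=rcs-demo.hackingteam.it. type=A
2012-07-25T10:20:00Z client=192.0.2.10 query=RCS-DEMO.hackingteam.it. type=A
2012-07-25T10:20:30Z client=192.0.2.10 query=www.example.com. type=A
2012-07-25T10:30:00Z client=192.0.2.10 query=rcs-demo.hackingteam.it. type=A
2012-07-25T10:31:00Z client=198.51.100.7 query=mail.example.net. type=MX
""".splitlines()


def parse(lines):
    """Yield (timestamp, client, normalized query name) for each well-formed line."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        yield ts, m["client"], m["qname"].rstrip(".").lower()


def on_watchlist(qname: str) -> bool:
    """True if qname equals, or is a subdomain of, any watched domain."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in WATCHLIST for i in range(len(labels)))


def analyze(lines, min_hits: int = 3, max_jitter: float = 0.2) -> dict:
    """Report watchlist hits and (client, domain) pairs queried at a steady interval.

    max_jitter is the allowed ratio of standard deviation to mean gap; real
    implants add jitter, so tune it against your own traffic (assumption).
    """
    series = defaultdict(list)
    ioc_hits = []
    for ts, client, qname in parse(lines):
        series[(client, qname)].append(ts)
        if on_watchlist(qname):
            ioc_hits.append((client, qname, ts.isoformat()))

    beacons = []
    for (client, qname), stamps in series.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, qname, round(avg)))
    return {"ioc_hits": ioc_hits, "beacons": beacons}


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

The indicator match is the cheap, high-confidence signal; the interval check catches the same behaviour when the operator has moved to a server nobody has published yet, at the cost of false positives from legitimate pollers such as update checks, which is why it should be reviewed rather than blocked on automatically.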
Marczak worked through the first week of August securing Mansoor’s computer. He says he’s motivated by a desire to rein in spyware abuses and to help promote democracy in the Gulf. “Since I can’t participate on the ground, I participate online,” Marczak says.
They hit an unexpected hitch when simply changing Mansoor’s e-mail password didn’t keep out the intruders. Whoever had hacked him had installed a feature that allowed access to Mansoor’s account regardless of what password he’d set.
They finally disabled the tool on Aug. 7 and Mansoor finished cleaning the computer.
The virtual attack stopped, but a month later Mansoor says he was physically attacked. The two might not be linked, Mansoor says, though he suspects it is part of a broader pattern of surveillance that includes his mobile phone.
He had continued his activism, bringing attention to cases that included the detention of men with links to a group advocating greater adherence to Islamic precepts.
Human Rights Watch on Aug. 1 said 50 dissidents were arrested, most during July. The government afterward said the people arrested were involved in a conspiracy to destabilize the country.
Mansoor says the first assault came on Sept. 11, when a man approached him as he was walking to his car on the campus at the Ajaman University of Science and Technology, where he is studying law.
“When he reached me he asked, ‘Are you Ahmed Mansoor?’ And I extended my hand for a shake. He spit on me and then pushed me to my back,” says Mansoor, who provided hospital records showing treatment for an elbow injury.
In this case he suspects his whereabouts were being tracked through his mobile phone because no one should have known he was coming to the campus, he says.
Six days later, another assailant cornered Mansoor on campus and without saying a word dragged him to the ground and punched him in his head until a crowd gathered, he says. Doctors X-rayed his skull, dressed his wounds and gave him a tetanus injection, according to hospital records that describe him as the victim of an assault.
While he understands the physical risks he faces when venturing outside, the impact of the digital attack within the confines of his own home remains a mystery to Mansoor.
“They downloaded my e-mails, and who knows what else they’ve done?” he says. “My bigger concern is that they are violating my privacy.”
In Casablanca, Moroccan activist Hisham Almiraat, who is a French-trained physician, says the San Francisco-based Electronic Frontier Foundation helped confirm the journalists had been attacked by malware.
“After the Arab revolutions happened, those governments have maybe realized they have to harness the power of the Internet and use those tools to try to scare activists, or try to spy on them and follow their steps,” says Almiraat, 35, a founder of the Mamfakinch.com site.
His next step, however, may be through Europe’s courts.
“It’s something that I hope would not change our belief as activists in the Internet,” Almiraat says of the malware attacks.
To contact the reporter on this story: Vernon Silver in Rome at firstname.lastname@example.org;
To contact the editor responsible for this story: Melissa Pozsgay at email@example.com