Media Releases

Report reveals seven-year South American malware campaign

December 9, 2015

Toronto, ON — A number of journalists, activists, politicians and public figures in Latin America have been targeted by a large-scale hacking campaign since 2008, according to a new report from the University of Toronto’s Citizen Lab.

Researchers have named the malicious actor behind the attacks as “Packrat,” to highlight the attacker’s preference for Remote Access Trojans (RATs) and for using the same domain names and servers over many years.

The report, written by Citizen Lab Senior Researchers John Scott-Railton, Morgan Marquis-Boire, and Claudio Guarnieri, in collaboration with researcher Marion Marschalek, highlights the threats that journalists and civil society face from determined adversaries. The study began when Citizen Lab researchers started receiving evidence of malware attacks against public figures and journalists in Ecuador. Their analysis found that these attacks were linked to an unsuccessful malware attack against Alberto Nisman, a high-profile lawyer who was found dead in January 2015 just hours before he was due to release a report condemning the Argentine government.

Building from this discovery, the report uncovers Packrat’s extensive activity in Argentina, Ecuador, Brazil, and Venezuela. Citizen Lab researchers, examining almost three dozen attacks, discovered that Packrat creates and maintains websites and social media accounts for fake opposition groups and news organizations, then uses them to distribute malware and conduct phishing attacks against journalists, political figures, activists, and politicians. The report also documents a fake login page used to target members of Ecuador’s National Assembly.

The report concludes that, while clear attribution to a particular sponsor is not possible, the information collected by Packrat likely makes its way to at least one government. “This case is yet another example of the digital threats confronting civil society, and the role that academic research plays in shedding light on the problem,” said Citizen Lab Director Ron Deibert.

-30-

For more information:

Irene Poetranto
Communications Officer, Citizen Lab
416-946-8903
irene.poetranto@utoronto.ca