May 30, 2016
Toronto, ON – A new report from the University of Toronto’s Citizen Lab reveals a sophisticated international cyber-espionage campaign targeting journalists and activists whose work concerns the United Arab Emirates. The campaign used elaborate ruses, including fake organizations and journalists, to engage targets online, then entice them to open malicious files and links containing malware capable of monitoring their activities.
The campaign, which the researchers name Stealth Falcon, was first uncovered when a fictitious organization named “The Right to Fight” contacted Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights. Building from this discovery, the Citizen Lab team, led by senior researcher Bill Marczak, uncovered an elaborate web of fake social media handles and organizations.
“We’ve been diligently tracing Stealth Falcon for the past six months. But these guys have very good operational security. For every fake persona we have thus far identified, dozens may await discovery”— Bill Marczak, Research Team Lead and Senior Researcher
Stealth Falcon’s techniques rely heavily on ruses, which they seem to have constructed with the help of a good picture of their targets’ behaviors and interests. One particularly concerning approach was the use of fake journalists to entice targets to open malicious documents.
“Stealth Falcon shows us that masquerading as a journalist is a recurrent technique, but that it can have a chilling effect on trust in civil society”— John Scott-Railton, Senior Researcher
The targets include a range of activists and public figures whose work covers issues of human rights and advocacy in the United Arab Emirates. Troublingly, several of the individuals targeted by Stealth Falcon’s ruse were later convicted or jailed by the UAE. Of the over four hundred pieces of ‘bait’ content the researchers analyzed, 73% concern the United Arab Emirates.
“Governments and the private sector are increasingly exporting attack tools and know-how in the name of cybersecurity. Sometimes, cybersecurity for some can lead to insecurity for others”— Bill Marczak, Research Team Lead and Senior Researcher
The report stops short of conclusively attributing Stealth Falcon to a particular sponsor, but highlights circumstantial evidence that could point towards UAE government involvement.
The research shows how the Internet, a key tool for organizing and activism, is also a powerful vehicle in the hands of malicious attackers.
“Autocratic regimes like the United Arab Emirates are now routinely finding ways to subvert the tools of social media to accomplish their sinister aims. Careful research of the sort undertaken here can help journalists, activists, and others be on guard for these new threats”— Ron Deibert, Director of the Citizen Lab and Professor of Political Science at the University of Toronto.
The Citizen Lab, based at the University of Toronto’s Munk School of Global Affairs, has an established track record of uncovering cyber espionage campaigns and other kinds of targeted digital attacks against human rights organizations. For more about the Citizen Lab, see citizenlab.org
For more information:
Public Affairs & Engagement
Munk School of Global Affairs
University of Toronto
Guide on Citing in Media
Title: Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents
Published By: The Citizen Lab, Munk School of Global Affairs, University of Toronto
Publication Date: 30 May 2016
Report URL: citizenlab.org/2016/05/stealth-falcon