Media Releases

Researchers Uncover Extensive Twitter-based Cyber Espionage Campaign Targeting UAE Dissidents, Journalists

May 30, 2016

Toron­to, ON – A new report from the Uni­ver­si­ty of Toronto’s Cit­i­zen Lab reveals a sophis­ti­cat­ed inter­na­tion­al cyber-espi­onage cam­paign tar­get­ing jour­nal­ists and activists whose work con­cerns the Unit­ed Arab Emi­rates. The cam­paign used elab­o­rate rus­es, includ­ing fake orga­ni­za­tions and jour­nal­ists, to engage tar­gets online, then entice them to open mali­cious files and links con­tain­ing mal­ware capa­ble of mon­i­tor­ing their activ­i­ties.

The cam­paign, which the researchers name Stealth Fal­con, was first uncov­ered when a fic­ti­tious orga­ni­za­tion named “The Right to Fight” con­tact­ed Rori Don­aghy, a UK-based jour­nal­ist and founder of the Emi­rates Cen­ter for Human Rights. Build­ing from this dis­cov­ery, the Cit­i­zen Lab team, led by senior researcher Bill Mar­czak, uncov­ered an elab­o­rate web of fake social media han­dles and orga­ni­za­tions.

“We’ve been dili­gent­ly trac­ing Stealth Fal­con for the past six months. But these guys have very good oper­a­tional secu­ri­ty. For every fake per­sona we have thus far iden­ti­fied, dozens may await dis­cov­ery”— Bill Mar­czak, Research Team Lead and Senior Researcher

Stealth Falcon’s tech­niques rely heav­i­ly on rus­es, which they seem to have con­struct­ed with the help of a good pic­ture of their tar­gets’ behav­iors and inter­ests. One par­tic­u­lar­ly con­cern­ing approach was the use of fake jour­nal­ists to entice tar­gets to open mali­cious doc­u­ments.

“Stealth Fal­con shows us that mas­querad­ing as a jour­nal­ist is a recur­rent tech­nique, but that it can have chill­ing effect on trust in civ­il soci­ety”— John Scott Rail­ton, Senior Researcher

The tar­gets include a range of activists and pub­lic fig­ures whose work cov­ers issues of human rights and advo­ca­cy in the Unit­ed Arab Emi­rates. Trou­bling­ly sev­er­al of the indi­vid­u­als tar­get­ed by Stealth Falcon’s ruse were lat­er con­vict­ed or jailed by the UAE. Of the over four hun­dred pieces of ‘bait’ con­tent the researchers ana­lyzed, 73% of them con­cern the Unit­ed Arab Emi­rates.

“Gov­ern­ments and the pri­vate sec­tor are increas­ing­ly export­ing attack tools and know-how in the name of cyber­se­cu­ri­ty. Some­times, cyber­se­cu­ri­ty for some can lead to inse­cu­ri­ty for oth­ers”— Bill Mar­czak, Research Team Lead and Senior Researcher

The report stops short of con­clu­sive­ly attribut­ing Stealth Fal­con a par­tic­u­lar spon­sor, but high­lights cir­cum­stan­tial evi­dence that could point towards UAE gov­ern­ment involve­ment.

The research shows how the Inter­net, a key tool for orga­niz­ing and activism, is also a pow­er­ful vehi­cle in the hands of mali­cious attack­ers.

“Auto­crat­ic regimes like the Unit­ed Arab Emi­rates are now rou­tine­ly find­ing ways to sub­vert the tools of social media to accom­plish their sin­is­ter aims. Care­ful research of the sort under­tak­en here can help jour­nal­ists, activists, and oth­ers be on guard for these new threats”— Ron Deib­ert, Direc­tor of the Cit­i­zen Lab and Pro­fes­sor of Polit­i­cal Sci­ence at the Uni­ver­si­ty of Toron­to.

The Cit­i­zen Lab, based at the Uni­ver­si­ty of Toronto’s Munk School of Glob­al Affairs, has an estab­lished track record of uncov­er­ing cyber espi­onage cam­paigns and oth­er kinds of tar­get­ed dig­i­tal attacks against human rights orga­ni­za­tions.  For more about the Cit­i­zen Lab, see


For more infor­ma­tion:

Dena Allen
Pub­lic Affairs & Engage­ment
Munk School of Glob­al Affairs
Uni­ver­si­ty of Toron­to
Tele: 416–946-0123
Mobile: 416–795-3902

Guide on Cit­ing in Media
Title: Keep Calm and (Don’t) Enable Macros:
A New Threat Actor Tar­gets UAE Dis­si­dents
Pub­lished By: The Cit­i­zen Lab, Munk School of Glob­al Affairs, Uni­ver­si­ty of Toron­to
Pub­li­ca­tion Date: 30 May 2016
Report URL: