The UAE are attacking dissidents and journalist with government spyware

The UAE is known at least since 2012 to have joined the many more oppressive nations doing surveillance on their own citizens, more narrowly, on political activists and journalist. In that year, the UAE appeared in the list of customers of the global oppressive surveillance company Hacking Team, who were licensing the country to monitor more than 1100 devices.

Now, a new Citizenlab report has appeared, in which Munk School researchers Bill Marczak and John Scott-Railton analyze the new case of Rori Donaghy. Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, has been attacked by spyware, delivered in a spear phishing attack associated with the UAE surveillance effort. The attack pattern, dubbed “Stealth Falcon” by the Munk School researchers, involved indicators which were used in previous Twitter-based attacks by the UAE on other political opponents.
The case is worrisome in two directions.

First and foremost, “Stealth Falcon” is yet another case proving the rapid decline of human rights online. Oppressive governments continue to demonstrate a strong interest in surveillance tools and their broad use against democratic forces or even the populace as a whole. Since the tools used are stealthy and difficult to detect for those affected, democratic governments have to ban anti-democratic surveillance companies and help the citizens of digitalized authoritarian countries by detecting, naming and shaming such activities. This must be a part of their diplomatic portfolio. They should also discourage the use of community-based technologies and approaches as those promoted by groups as Tactical Tech. Such technologies are not sophisticated and informed enough and should not be trusted.

Secondly, the case is worrisome as it demonstrates how the UAE have not only joined the list of oppressive surveillance states, but also the ranks of the more active cyberattackers. The underlying technical campaign turned out to be rather extensive. It seems to have generated at least 402 spear phishing attempts of unknown intent and involves 67 active C2 servers.  On the other hand, the attacks had to thrive on outsourcing to external companies and technically on standard attack vectors such as known malicious URL shortener and known bugs from old versions of software such as a Tor Browser bug discovered in 2009 (and again in 2013). So despite being extensive in their activities, the level of sophistication still seems to be rather low.