How Government-Grade Spy Tech Used A Fake Scandal To Dupe Journalists

Future Tense
The Citizen's Guide to the Future
Aug. 20 2012 9:00 AM

How Government-Grade Spy Tech Used A Fake Scandal To Dupe Journalists

149095066
Pro-democracy demonstrators in Morocco

Photo by FADEL SENNA/AFP/GettyImages

An email claiming to reveal a political scandal will grab the attention of almost any journalist. But what if the email was just a ruse to make you download government-grade spyware designed to take total control of your computer? It could happen—as a team of award-winning Moroccan reporters recently found out.

Ryan Gallagher Ryan Gallagher

Ryan Gallagher is a journalist who reports on surveillance, security, and civil liberties.

Mamfakinch.com is a citizen media project that grew out of the Arab Spring in early 2011. The popular website is critical of Morocco’s frequently draconian government, and last month won an award from Google and the website Global Voices for its efforts “to defend and promote freedom of speech rights on the internet.” Eleven days after that recognition, however, Mamfakinch’s journalists received an email that was not exactly designed to congratulate them for their work.

Advertisement

The email, sent via the contact form on Mamfakinch.com, was titled “Dénonciation” (denunciation). It contained a link to what appeared to be a Microsoft Word document labeled “scandale (2).doc” alongside a single line of text in French, which translates as: “Please do not mention my name or anything else, I don't want any problems.” Some members of the website’s team, presumably thinking they’d just been sent a major scoop, tried to open the file. After they did so, however, they suspected their computers had become infected with something nasty. Mamfakinch co-founder Hisham Almiraat told me that they had to take “drastic measures” to clean their computers, before they passed on the file to security experts to analyze.

What the experts believe they found was, they said, “very advanced”—something out of the ordinary. The scandale (2).doc file was a fake, disguising a separate, hidden file that was designed to download a Trojan that could secretly take screenshots, intercept e-mail, record Skype chats, and covertly capture data using a computer’s microphone and webcam, all while bypassing virus detection. Christened a variety of names by researchers, like “Crisis,” and “Morcut,” the spy tool would first detect which operating system the targeted computer was running, before attempting to infect it with either a Mac or Windows version.

Once installed, the Trojan tried to connect to an IP address that was traced to a U.S. hosting company, Linode, which provides “virtual private servers” that host files but help mask their origin. Linode says using its servers for such purposes violate its terms of service, and confirmed the IP address in question was no longer active. The use of Linode was a clear attempt to make the Trojan hard to track, according to Lysa Myers, a malware researcher who analyzed it.

But there were a couple of clues. The Trojan’s code repeatedly referenced the acronym “RCS” alongside occasional mentions of the Italian name “Guido.” This pointed straight to an Italian company called Hacking Team, one of the leading providers of spyware-style tools to governments and law enforcement agencies worldwide.

Hacking Team’s flagship product is called “Remote Control Systems,” a Trojan it describes as “eavesdropping software which hides itself inside the target devices.” RCS can spy on Skype chats, log keystrokes, take webcam snapshots—identical to the Trojan used to target the Moroccans. It can also be tailored to infect a computer via “opening a document file,” according to marketing materials, and “can monitor from a few and up to hundreds of thousands of targets.”

Hacking Team did not respond to repeated requests by phone and email for comment. Notably, however, during an interview last October the company’s co-founder David Vincenzetti told me that RCS had since 2004 been sold “to approximately 50 clients in 30 countries on all five continents.” (Most people today consider there to be seven continents—Africa, Antarctica, Asia, Australia/Oceania, Europe, North America, and South America—but in parts of Europe it used to be taught that there were only five: Africa, America, Asia, Australia, and Europe.) So while it’s not possible to say for sure whether Moroccan authorities are using RCS, it’s certainly being deployed by countries in that region of the world, by Vincenzetti’s own admission.

The Moroccan case is not isolated, and it’s likely we’ll hear more about such attacks in the future. Last month, as I reported for Future Tense, a number of Bahraini activists were targeted with a Trojan tool purportedly designed by a British spy tech company, Gamma Group, which is one of Hacking Team’s main competitors. Human rights organizations have been concerned for some time about Western companies selling high-tech surveillance equipment to countries in which it may be abused. Ever mounting evidence of the equipment being used to target pro-democracy activists and journalists could have repercussions for the companies involved and is likely to strengthen the case for stricter export controls.

Thanks to Jean-Marc Manach for help with the French translation.

Future Tense is a partnership of SlateNew America, and Arizona State University.

TODAY IN SLATE

The World

The Budget Disaster that Sabotaged the WHO’s Response to Ebola

How Movies Like Contagion and Outbreak Distort Our Response to Real Epidemics

PowerPoint Is the Worst, and Now It’s the Latest Way to Hack Into Your Computer

Everything You Should Know About Today’s Eclipse

An Unscientific Ranking of Really, Really Old German Beers

Education

Welcome to 13th Grade!

Some high schools are offering a fifth year. That’s a great idea.

Culturebox

The Actual World

“Mount Thoreau” and the naming of things in the wilderness.

Want Kids to Delay Sex? Let Planned Parenthood Teach Them Sex Ed.

The Shooting Tragedies That Forged Canada’s Gun Politics

  News & Politics
Politics
Oct. 22 2014 9:42 PM Landslide Landrieu Can the Louisiana Democrat use the powers of incumbency to save herself one more time?
  Business
Continuously Operating
Oct. 22 2014 2:38 PM Crack Open an Old One A highly unscientific evaluation of Germany’s oldest breweries.
  Life
Lexicon Valley
Oct. 23 2014 10:30 AM Which Came First, the Word Chicken or the Word Egg?
  Double X
The XX Factor
Oct. 23 2014 8:51 AM The Male-Dominated Culture of Business in Tech Is Not Great for Women
  Slate Plus
Tv Club
Oct. 22 2014 5:27 PM The Slate Walking Dead Podcast A spoiler-filled discussion of Episodes 1 and 2.
  Arts
Brow Beat
Oct. 23 2014 9:00 AM Exclusive Premiere: Key & Peele Imagines the Dark Side of the Make-A-Wish Program
  Technology
Future Tense
Oct. 22 2014 5:33 PM One More Reason Not to Use PowerPoint: It’s The Gateway for a Serious Windows Vulnerability
  Health & Science
Bad Astronomy
Oct. 23 2014 7:30 AM Our Solar System and Galaxy … Seen by an Astronaut
  Sports
Sports Nut
Oct. 20 2014 5:09 PM Keepaway, on Three. Ready—Break! On his record-breaking touchdown pass, Peyton Manning couldn’t even leave the celebration to chance.