Search Mailing List Archives

Limit search to: Subject & Body Subject Author
Sort by: Reverse Sort
Limit to: All This Week Last Week This Month Last Month
Select Date Range     through    

[liberationtech] New Citizen Lab Report - Stealth Falcon

Ronald Deibert r.deibert at
Sun May 29 17:08:56 PDT 2016

Hi LibTech

Today, the Citizen Lab is publishing a new report <>, entitled “Be Calm and (Don’t) Enable Macros: Malware Sent to UK Journalist Exposes New Threat Actor Targeting UAE Dissidents.” The report is authored by Citizen Lab senior researchers Bill Marczak and John Scott Railton, and details an extensive and highly elaborate targeted digital attack campaign, which we call “Stealth Falcon.” While we have no “smoking gun” (typical for cyber espionage) there is a lot of circumstantial evidence that strongly suggests the United Arab Emirates is responsible for Stealth Falcon.

The New York Times has an exclusive on the report, which can be found here <>

Our full report is here: <>

Journalists, activists — in fact, all of civil society — now depend on and have benefited from social media to conduct their campaigns and communicate with each other, and with confidential sources.  Yet that same dependence on social media has become a principal point of exposure and risk, exploited by criminals, intelligence agencies, and other adversaries determined to silence dissent. Our report offers a shocking exposé into just how elaborate and shifty these campaigns can be, and how serious the consequences are, for those ensnared in them.

The Stealth Falcon case begins when Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received an email in November 2015, purporting to offer him a position on a human rights panel.  That email contained a malware-laden attachment from a phony organization. Donaghy has published extensively on abuses by the UAE government, including a series of articles based on leaked emails involving UAE government members.  Suspicious that something seemed awry, Donaghy made the wise move to share his email with Citizen Lab researcher, Bill Marczak.

Using a combination of reverse engineering, network scanning, and other highly intricate detective methods that are detailed in the report, Marczak (assisted by John Scott Railton) unearthed a vast campaign of digital attacks aimed at UAE dissidents, organized primarily through fake Twitter accounts, phony websites, and spoofed emails.  The attacks appear to have had extremely serious consequences: many dissidents targeted, and presumably entrapped by Stealth Falcon, disappeared into the clutches of UAE authorities and were reportedly tortured.

The United Arab Emirates is an autocratic regime that governs with strict regulations and harsh punishments.  Human Rights Watch’s 2016 UAE country report documents arbitrary arrests and forcible disappearances of regime critics.  Amnesty International says that “torture and other ill-treatment of detainees was common” in UAE prisons.   It is one of those countries that has for a long time strictly censored the Internet using technology developed by western companies; earlier Citizen Lab research found <> the services of a Canadian company, Netsweeper, are used by UAE ISPs to restrict access to content critical of the regime.  UAE has purchased <> “lawful intercept” surveillance systems from the notorious Finisher and Hacking Team intrusion software vendors, as we have documented <> in prior reports <>.  It is not yet clear whether what we call “Stealth Falcon” is something the UAE developed itself, or whether it’s part of some kind of commercial service.  Regardless, it is a nasty reminder of the way the harsh world of realpolitik actually manifests itself in cyberspace.

There are at least two broader lessons of the Stealth Falcon report. First, the careful, rigorous methods demonstrated by Bill Marczak and John Scott Railton are exemplary of the power of applying structured research techniques drawn from engineering and computer science to issues of human rights.  We hope other University-based research groups are inspired by this mixed methods approach, and emulate what we are doing around documenting targeted digital attacks.  The more this type of research is “normalized” in academia, the less likely abuses of the sort we are unearthing will go unnoticed.

Second, it is clear that autocratic regimes like the United Arab Emirates are now routinely finding ways to project their power through cyberspace by subverting the tools of social media to accomplish their sinister aims. Given that civil society is so deeply immersed in social media, it is imperative that they, and the companies that service them, urgently adapt to and mitigate these new threats. Doing so will require a more mature awareness of the risks that exist in cyberspace, what to be “on the lookout for” when it comes to those risks, and adjust behaviour accordingly.  Although there were many victims of Stealth Falcon, Donaghy himself was not among them thanks to his astute recognition that a pleasant, but out-of-the-blue, invitation seemed not quite right.

All the best

Ronald Deibert
Director, the Citizen Lab
Munk School of Global Affairs
University of Toronto
(416) 946-8916
8B84 F5D8 1691 8D87 93CB 3398 443A CE6C 19A8 6481
r.deibert at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the liberationtech mailing list