U of T news

Citizen Lab researchers uncover extensive Twitter cyber espionage campaign

Tag cloud of bait content topics used by Stealth Falcon shows a strong emphasis on political topics and narratives critical of the United Arab Emirates government

A new report from the University of Toronto’s Citizen Lab reveals a sophisticated international cyber-espionage campaign targeting journalists and activists whose work concerns the United Arab Emirates. The campaign used elaborate ruses, including fake organizations and journalists, to engage targets online, then entice them to open malicious files and links containing malware capable of monitoring their activities.

The campaign, which the researchers named Stealth Falcon, was first uncovered when a fictitious organization named “The Right to Fight” contacted Rori Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights. Building from this discovery, the Citizen Lab team, led by Bill Marczak, uncovered an elaborate web of fake social media handles and organizations.

“We’ve been diligently tracing Stealth Falcon for the past six months. But these guys have very good operational security. For every fake persona we have thus far identified, dozens may await discovery,” Marczak said.

Stealth Falcon’s techniques rely heavily on ruses, which appear to have been built on a detailed picture of the targets’ behaviors and interests. One particularly concerning approach was the use of fake journalists to entice targets to open malicious documents.

“Stealth Falcon shows us that masquerading as a journalist is a recurrent technique, but that it can have a chilling effect on trust in civil society,” added Marczak’s colleague John Scott-Railton.

The targets include a range of activists and public figures whose work covers human rights and advocacy in the United Arab Emirates. Several of the individuals targeted by Stealth Falcon’s ruses were later convicted or jailed by the UAE. The researchers analyzed more than 400 pieces of “bait” content, of which 73 percent concerned the United Arab Emirates.

“Governments and the private sector are increasingly exporting attack tools and know-how in the name of cybersecurity,” Marczak said.

The report, called Keep Calm and (Don’t) Enable Macros, stops short of conclusively attributing Stealth Falcon to a particular sponsor, but highlights circumstantial evidence that could point towards UAE government involvement.

The research shows how the Internet, a key tool for organizing and activism, is also a powerful vehicle in the hands of malicious attackers, said Ron Deibert, Citizen Lab director. “Autocratic regimes like the United Arab Emirates are now routinely finding ways to subvert the tools of social media to accomplish their sinister aims. Careful research of the sort undertaken here can help journalists, activists, and others be on guard for these new threats.”

The Citizen Lab, based at the Munk School of Global Affairs, has an established track record of uncovering cyber espionage campaigns and other kinds of targeted digital attacks against human rights organizations. For more about the Citizen Lab, see https://citizenlab.org/

Read the Citizen Lab report, Keep Calm and (Don’t) Enable Macros, here