[liberationtech] New Citizen Lab report
Ronald Deibert
r.deibert at utoronto.ca
Tue Dec 8 23:26:42 PST 2015
Hi Liberation Tech
I am pleased to announce a new Citizen Lab report we are releasing today, which I thought might be of interest. The report documents a threat actor who, for the past seven years, has run a large-scale targeted digital attack campaign in several countries of South America. Titled Packrat: Seven Years of a South American Threat Actor, the report is written by Citizen Lab Senior Researchers John Scott-Railton, Claudio Guarnieri, and Morgan Marquis-Boire, with the collaboration of independent researcher Marion Marschalek.
The full report is here: https://citizenlab.org/2015/12/packrat/
Associated Press has extensive coverage here: http://bigstory.ap.org/article/fa7618cf36a642fb900a4f35b2c986b1/south-america-hacker-team-targets-dissidents-journalists
The group, which we name “Packrat,” came to our attention in 2015 when several Citizen Lab researchers began independently receiving reports of phishing and malware targeting journalists and public figures in Ecuador. After some analysis, it became clear that this was the same group who had targeted a number of prominent figures in Argentina, including Argentinian special prosecutor Alberto Nisman, who was found dead in January 2015 under suspicious circumstances. Putting the pieces together it became clear that these reports were the tip of an iceberg.
Ultimately, our analysis led us to develop a technique for quickly searching the inboxes of potential victims, which led us to many more victims. One of the authors developed a Gmail search query for strings associated with the attacks. We shared this query with many potential targets, resulting in hits for phishing attacks, as well as suspicious Microsoft Word (DOCX) files sent to a range of journalists and public figures.
We found that Packrat uses malware and phishing attack techniques, but also operates elaborate fake online news and advocacy organizations, perhaps to seed disinformation, or possibly to attract unsuspecting political targets. Packrat’s targets included journalists, activists, politicians and public figures in several South American countries.
Packrat has an extensive infrastructure, and seems to operate without fear of discovery or exposure. Twice during the analysis process Packrat operators messaged a Citizen Lab researcher from infected machines, sending death threats and taunts in English and Spanish.
While the report does not explicitly attribute Packrat to a particular organization or government, we conclude that the information collected by Packrat likely makes its way to at least one government.
I think the report illustrates the importance of conducting careful and in-depth mixed methods research into the digital threats facing civil society. In addition, the report highlights the increasingly risky environment in which journalists and others operate in South America. I hope you have a chance to read it and I welcome any feedback.
All the best
Ron
ps apologies for any cross posting.
Ronald Deibert
Director, the Citizen Lab
Munk School of Global Affairs
University of Toronto
(416) 946-8916
PGP: http://deibert.citizenlab.org/pubkey.txt
http://deibert.citizenlab.org/
twitter.com/citizenlab
twitter.com/rondeibert
r.deibert at utoronto.ca