The tools used in state-sponsored attacks have been observed to be unsophisticated, but experts warn that activists remain in danger.
Speaking at the Black Hat conference in Las Vegas, EFF staff technologist Cooper Quintin and global policy analyst Eva Galperin presented research on how activists and journalists were targeted, in particular in what the EFF called "Operation Manul". The full report is published here.
Detailing issues ranging from plans to install a man-in-the-middle root certificate to accusations of fire-bombing the offices of a dissident newspaper, the speakers said that the Kazakhstan government was not amused: it denied claims of intimidation but sent out lawyers who said that the newspaper's owners had stolen emails, and demanded that the paper be censored to prevent it publishing the emails.
Quintin said: “Irina and Alexander Petrushova, publishers of Respublika, started receiving spear phishing emails claiming to be from lawyers, and the email had a PDF attachment which displayed a blurry image saying you need to download a new version of Adobe Reader.”
Malware including Jacksbot and Bandook, which have surveillance capabilities, was used, but the speakers said that this is very much “crimeware off the shelf”: it is cheap and leaves fewer attribution clues, but it can be detected by anti-virus.
In terms of links to Kazakhstan, Galperin said that there was a common thread between the targets and the tracked campaigns, and that the family members of dissidents, or those providing them with legal support, were often targeted.
Also implicated were Arcanum Global Intelligence and the Indian company Appin. “However, we observe no direct links between Operation Manul and Arcanum,” the report said.
“All emails traced can go back to the Indian IP space, but we also found an overlapping infrastructure and Appin is noisy,” Galperin said. “We cannot be conclusive, but it could be someone who bought the Appin infrastructure, but we think it was them based on evidence.”
Galperin said that more research is needed by industry on events such as this. “Also, attacks don’t have to be sophisticated to work, as often it is bog-standard spear phishing,” she said. “Governments are rarely using zero-days, especially the Kazakhstan government which uses [services from] Hacking Team and FinFisher, yet it still hired Indian hackers to do work for them.”