Spies in your inbox

Amnesty International’s technology expert explains how Uzbek activists’ accounts were hacked

International human rights organisation Amnesty International has released details of a new wave of cyber-attacks against human rights advocates and journalists in Uzbekistan. The organisation’s report reveals a widespread campaign using phishing emails sent to journalists and activists between May and August 2019.

Most of the emails imitated warning messages from Google and Mail.ru, such as “Your mailbox will be disabled”, “Your mailbox will be suspended” and “Your Google account has been disabled”, and asked recipients to verify their identity. The emails contained links to phishing sites (sites set up by hackers to mimic popular online services). With the help of these fake websites imitating email providers’ login pages, the senders managed to steal rights advocates’ login details.

Hackers also used spyware programs for Windows and Android, embedded in fake installers for the messaging app Telegram and for Adobe Flash Player. These programs stole passwords, recorded keystrokes on the user’s keyboard and took regular desktop screenshots. Besides this, they were able to record telephone conversations, text messages and VKontakte, Telegram and WhatsApp chats, and to reveal the user’s geolocation.

Amnesty International’s tech security expert Etienne Maynier spoke to Fergana about how the organisation was able to track and monitor the cyber-attacks.

– How was your work on this project organised?

– Last year, a report was published by the Canadian NGO eQualitie on cyber-attacks against Uzbek and Central Asian media outlets, including Fergana, and phishing attacks against several Uzbek activists. We studied the report here at the Amnesty Security lab and then discovered and tracked this cyber-attack campaign for several months. We mostly used technical investigation techniques to identify new phishing domains that the hackers created (mostly domains mimicking Google or Mail.ru), but also identified several spyware programs for Android and Windows. In the investigation, we identified a list of people targeted and contacted them to make sure that they were aware of it and that their systems or accounts had not been compromised.

– In other words, it was not that people reported being hacked to you, but rather you yourselves worked out who it was who had been subjected to the attacks?

– Yes, we started our research based on the public report published last year and tracked the evolution of their servers and domains to see what types of attacks they were carrying out. On one of the servers used for storing phishing email templates, we found a list of targeted individuals and contacted the human rights defenders who were listed there.

– Why didn't the hackers hide the list? Was it negligence or were they just not expecting that anybody would be investigating them?

– Probably negligence. We regularly come across similar mistakes in attacks like this one, also because we often track them for several months, so even if they are very careful at the beginning, people tend to slip up at some point.

– How much time did you spend on the investigation?

– We tracked the campaign from May to September 2019, after which they seem to have stopped their activities.

– Why do you think they apparently stopped their activities? Could it be that they found out they were being investigated?

– It could be that they stopped their activities temporarily, or maybe they stopped using this particular infrastructure and started using new servers that we have not found yet. What seems clear is that these attacks fit into a pattern of digital attacks against human rights defenders from Uzbekistan. We published a report in 2017 called «We will find you, anywhere» describing similar attacks on Uzbek journalists and human rights defenders. So these types of digital attacks have been and still are a threat for human rights defenders from Uzbekistan.

Étienne Maynier

– Is it possible to track down where these attacks came from?

– Here we were not able to identify who is behind these attacks or where they came from. The fact that human rights defenders were targeted and that it is related to web attacks on media covering Central Asia and Uzbekistan shows that it is clearly a politically-motivated campaign to spy on journalists and activists.

– Are the tools that were used in these attacks expensive? Does it require significant money or resources to carry out such operations?

– It requires some resources to pay for the servers and domains – after all, the attackers bought more than 70 domains. But it also requires some technical skills to develop the spyware we identified. The spyware programs were largely based on two open source malware programs that can be found online for free, but they were assembled by someone with good technical knowledge.

Overall, it is not a very expensive and technically complex campaign compared to what we see in other contexts, but it definitely shows that there is a group dedicating time and money to making these attacks. And often simple attacks like phishing can be quite effective if they target people who are not aware of the risk.

– The report says that the hackers employed a technique called session hijacking, which allows an attacker to bypass two-factor authentication (by this method, the phishing site receives data from the user and sends it to the service that it is claiming to be, such as Google. After receiving access data in reply from the real site, the attackers then use this to hack into the account). Why can’t big companies like Google detect malicious servers that they relay data to?

– It is hard to know what Google is doing against this type of attack. We know that they track attacks and take action in some cases, but they rarely communicate about it. For instance, they regularly inform users who have been targeted by state-sponsored attacks. It is hard to know if they can reliably detect and block these relay servers, but we definitely think that Google (and other tech companies) could do more to protect at-risk users.

– Could you explain how targeted individuals got malicious Windows and Android installers on their computers?

– We don't know how they were sent to the users. The Windows spyware was added to a modified Telegram Desktop installer and to a modified Adobe Flash Player installer, so they may have been presented somehow as legitimate installers in the attack; we have not identified how this occurred.

– In the report, you recommend that people defend themselves from phishing attacks using hardware security keys (physical devices that are pre-registered on sites that the user plans to visit. They do not initiate the authentication if they determine that the site is a phishing site). Is there a possibility that security keys can also be bypassed or hacked?

– These security keys are the best security solution we know against phishing, including these session hijacking attacks, and we encourage human rights defenders to use them as much as possible. They do not protect against other attacks (like spyware), but, since phishing is very common, they are a robust protection against it. There are a few ways to bypass these security keys, like a technique called OAuth phishing, so it is still very important to be aware of what phishing is and to avoid clicking on suspicious emails.
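The two answers above, on session-hijacking relays and on why security keys resist them, can be illustrated with a small model; this is an added example and not code from the report or the interview. The site names are constructed, and an HMAC shared with the site stands in for the public-key signature a real FIDO2 key would produce.

```python
import hashlib
import hmac
import secrets
import time

REAL_SITE = "mail.example"    # constructed: the genuine webmail service
PHISH_SITE = "mai1.example"   # constructed: the attacker's lookalike relay page

class SecurityKey:
    """Toy origin-bound authenticator (assumption: HMAC instead of a real signature)."""
    def __init__(self):
        self.creds = {}

    def register(self, rp_id):
        cred_id, secret = secrets.token_hex(8), secrets.token_bytes(32)
        self.creds[cred_id] = (rp_id, secret)   # credential is bound to this site
        return cred_id, secret

    def assert_login(self, cred_id, page_origin, challenge):
        rp_id, secret = self.creds[cred_id]
        if page_origin != rp_id:                # the page asking is not the registered site
            return None                         # so the key produces nothing to relay
        data = hashlib.sha256(rp_id.encode()).digest() + challenge
        return hmac.new(secret, data, hashlib.sha256).digest()

def verify_assertion(rp_id, secret, challenge, assertion):
    if assertion is None:
        return False
    data = hashlib.sha256(rp_id.encode()).digest() + challenge
    return hmac.compare_digest(hmac.new(secret, data, hashlib.sha256).digest(), assertion)

def totp(secret, counter):
    """Simplified time-based one-time code: nothing in it names the site."""
    return hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).hexdigest()[:6]

def relay_attack_with_otp():
    """Victim types password and code into the phish page; attacker forwards both."""
    otp_secret, counter = secrets.token_bytes(20), int(time.time()) // 30
    code_typed_on_phish_page = totp(otp_secret, counter)
    return totp(otp_secret, counter) == code_typed_on_phish_page  # real site accepts it

def relay_attack_with_key():
    """Same relay, but the second factor is the origin-bound key."""
    key = SecurityKey()
    cred_id, secret = key.register(REAL_SITE)
    challenge = secrets.token_bytes(32)         # attacker fetched it from REAL_SITE
    assertion = key.assert_login(cred_id, PHISH_SITE, challenge)  # browser is on the phish page
    return verify_assertion(REAL_SITE, secret, challenge, assertion)

def legitimate_key_login():
    key = SecurityKey()
    cred_id, secret = key.register(REAL_SITE)
    challenge = secrets.token_bytes(32)
    return verify_assertion(REAL_SITE, secret, challenge,
                            key.assert_login(cred_id, REAL_SITE, challenge))
```

The relayed one-time code is accepted because it carries no notion of which site requested it, whereas the key refuses to answer for the lookalike origin, which is exactly the property the interview describes.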

Yegor Petrov