Activists on Front Lines Bringing Computer Security to Oppressed People

Security-related policy or legislation is enacted and then enforced to protect corporate, government or military interests. Civil organizations are often left flailing in the wind, fending for themselves with fewer IT resources and experience than a Middle America mom-and-pop operation. Yet these non-governmental—and not-for-profit—organizations have tasked themselves with helping those targeted by lethal adversaries who aren’t just after corporate secrets, but are out to deny people their freedom or, in some cases, their lives.

Security-related policy or legislation is enacted and then enforced to protect corporate, government or military interests. Civil organizations are often left flailing in the wind, fending for themselves with fewer IT resources and experience than a Middle America mom-and-pop operation. Yet these non-governmental—and not-for-profit—organizations have tasked themselves with helping those targeted by lethal adversaries who aren’t just after corporate secrets, but are out to deny people their freedom or, in some cases, their lives.

Targeted groups such as the Tibetans and Uyghur living in China or in exile, or other oppressed citizens in Syria, Iran and other political hotspots, rely on technology to communicate and organize resources often under the threat of incarceration or worse. Meanwhile, details of hacks and malware attacks against these groups are bubbling to the surface. Attackers are using malware to not only maintain a persistent presence on laptops and PCs to monitor web activities and steal data from those computers, but they’re moving toward attacks on mobile devices and adding surveillance capabilities to their repertoire.

“It’s a widespread assumption that the Internet, mobile devices, social media are empowering, but [attackers] are finding leverage there to put NGOs at risk,” said Ronald Deibert, director of Citizen Lab, Munk School of Global Affairs at the University of Toronto. “They lack awareness. They’re poorly resourced. They’re left out to dry when it comes to policy; government focuses on the private sector and civil society is left defenseless.”

Citizen Lab is one organization that has done intense research into understanding the threat environment facing those groups NGOs and human rights organizations seek to help. Often, these groups are desperate to communicate with others, and believe that social networks or tools such as Skype and other platforms are safe. But attackers, most of whom are believed to be state-sponsored, have infiltrated these networks and platforms with malware that reports back on the activities of these groups.

“Generally speaking, it’s becoming more widespread as autocratic regimes become more savvy about how to manipulate information technology to infiltrate and de-mobilize groups using them and causing them trouble,” Deibert said. “This is compounded by the growing commercial market for attack tools.”

In the last two weeks, researchers at Citizen Lab and Kaspersky Lab have discovered the first targeted attacks using malware for the Android mobile platform. Spear-phishing emails spoofed from prominent Tibetan activist leaders spread infected Android application package (.APK) files that not only opened backdoor channels to the attackers and collected contact and messaging data from the phone, but also relayed location information that could be used for surveillance. In the past, attacks using malware targeting Apple iOS devices went after Uyghur leaders, but now the stakes are higher given that the attackers can track a user’s physical location.

“In the last two years, we’ve been seeing an incredible ramping up and crackdown on Tibetans communicating via mobile devices or the Internet with people on the outside,” said Lhadon Tethong, director of the Tibet Action Institute. “Tibetans are getting two years, five years, seven years [in prison] just for communicating with the outside. There is an intense paranoia and desire to control the flow of information and nab all the people inside who dare speak out.”

Tethong is a recognizable figure in the Tibetan freedom movement. A Canadian-born Tibetan, she was program director and executive director of Students for a Free Tibet. Tethong traveled inside China blogging about the struggles of the Tibetans inside the country during the 2008 Beijing Summer Olympics; she was eventually detained and deported because of her work. Now as director of the Tibet Action Institute, she along with other volunteers, have helped establish the Guardian Project, which helps provide secure mobile communication on the Android platform.

Tibetan Android users, for example, are barred by the Great Firewall of China from accessing the Google Play store, forcing them to download apps from third-party resources that may be untrustworthy. It’s this dynamic Tethong and director of technology for the Tibet Action Institute and Guardian Project Nathan Freitas say the Chinese government is exploiting. The Guardian Project, in response, developed among other resources, the F-Droid repository of free and open source apps they hope Tibetans can use.

“Other movements and activists are under-served; most security tools are enterprise- or military-grade,” Freitas said. “Guardian is a suite of apps anyone can run on Android and iOS that are designed around activists and human rights organizations, rather than CEOs, bankers or lawyers. A lot of our threat modeling comes from the Tibetan realm where we have a deep connection, but we’ve expanded it to Syrians and Iranians and others where there are concerns about privacy and security.”

Freitas came to Students for Free Tibet in 1999 as a tech volunteer, Tethong recalled, and since then he’s worked on initiatives to help connect people shut off from the outside world, working together to create one of the first fusions of activism and technology, in particular social media. During the Beijing games, for example, Freitas developed a mobile technology to track activists involved in civil disobedience. Many times they could see that the phones were on but not moving, indicating the activist had been detained inside China for their activities. With Guardian Project, they hope to educate Tibetans about computer security risks, such as the consequences associated with third-party apps, as well as threats associated with email attachments, for example.

“This has long been a culture of emailing attachments,” Freitas said. “Our trainers have been teaching them that attachments are bad; it’s a whole area of behavior just waiting to be socially engineered. In terms of emailing (APK) apps, Google needs to do a better job of treating APKs like .exe files. With APKs, there’s no verification; it just launches the install manager. This isn’t behavior we encourage. The fear is that people won’t use or trust their phones to organize and defend themselves. We can’t let that happen.”

Freitas and Deibert of Citizen Lab shared examples of how oppressed people are monitored and targeted by governments. Skype accounts are a favorite target because they leak IP information; officials have been known to knock on doors after a Skype call between dissidents. Similar monitoring was done using the Dark Comet RAT in Syria to quash rebel activity. In China, the government controls the root certificate authority, Freitas said, enabling them to seamlessly pull off man in the middle attacks if they choose. “Not being able to trust the transport layer because a state actor has control of the root CA is problematic,” he said.

“For every Fortune 500 company or network that is breached, somewhere there is a NGO whose social network was compromised,” Deibert said. “The risk is greater, because we are talking about loss of life or imprisonment.”

Citizen Lab services 11 NGO groups, each with its own cause and regional focus, Deibert said, adding that the groups share email and network traffic data with Citizen Lab in an effort to aid their research. Tethong, for example, said she was phished by the 2nd bureau of the PLA General Staff Department’s (GSD) 3rd Department, also known as Unit 61398, the group that was outed by the Mandiant APT1 report. She sent Citizen Lab a sample of the malware she was targeted with in early 2011, two years before the Mandiant report; a link within the email led to the PlugX RAT and a Gh0st RAT variant. Tethong said she is targeted often by similar scams and malware looking to spy on her activities.

“We’re in a place where we’re seeing how quickly things change. It’s not just Tibetans, but Egyptians, Syrians—all of them resist and innovate and adapt, as do the authorities,” Tethong said. “Our network is so small, so inter-connected, everyone leads back to one another’s families. We have to be vigilant. For them, it’s life or death, freedom or incarceration.”

*Tibet image via Göran Höglund‘s Flickr photostream, Creative Commons

Suggested articles