John Scott-Railton

Reckless Exploit: Mexican Journalists, Lawyers, and a Child Targeted with NSO Spyware

Uncovering an operation using NSO Group’s Pegasus spyware and Trident exploit framework to target Mexican journalists, lawyers, and even a minor child.

Tainted Leaks: Disinformation and Phishing With a Russian Nexus

Documents stolen from a prominent journalist and critic of the Russian government were manipulated and then released as a “leak” to discredit domestic and foreign critics of the government. We call this technique “tainted leaks.”

Bitter Sweet: Supporters of Mexico’s Soda Tax Targeted With NSO Exploit Links

This report describes an espionage operation using government-exclusive spyware to target Mexican government food scientists and two public health advocates.

[updated] Nile Phish: Large-Scale Phishing Campaign Targeting Egyptian Civil Society

This report discusses the targeting of Egyptian NGOs by Nile Phish, a large-scale phishing campaign. Almost all of the targets we identified are also implicated in Case 173, a sprawling legal case brought by the Egyptian government against NGOs, which has been referred to as an “unprecedented crackdown” on Egypt’s civil society. Nile Phish operators demonstrate an intimate knowledge of Egyptian NGOs, and are able to roll out phishing attacks within hours of government actions, such as arrests.

Citizen Lab Senior Research Fellows at the 2016 Chaos Communications Congress

December 29 – Hamburg, Germany

It’s Parliamentary: KeyBoy and the targeting of the Tibetan Community

In this report we track a malware operation targeting members of the Tibetan Parliament that used known and patched exploits to deliver a custom backdoor known as KeyBoy. We analyze multiple versions of KeyBoy, revealing a development cycle focused on avoiding basic antivirus detection.

Security for the High-Risk User

Citizen Lab Senior Research Fellow John Scott-Railton has published an updated version of his “Security for the High-Risk User” paper, first published in IEEE Security & Privacy in spring 2016. The updates were made based on new evidence of attacks against two-factor and account recovery SMSes, underlining the need for innovation in two-factor authentication.

The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender

This report describes how a government targeted an internationally recognized human rights defender, Ahmed Mansoor, with the Trident, a chain of zero-day exploits designed to infect his iPhone with sophisticated commercial spyware.

Group5: Syria and the Iranian Connection

This report describes a malware operation against the Syrian Opposition. We name the operator Group5, and suspect they have not been previously reported. Group5 used “just enough” technical sophistication, combined with social engineering, to target computers and mobile phones with malware.

Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents

Media Coverage: New York Times, Foreign Policy, International Business Times, Chicago Tribune, VICE Motherboard, Taipei Times, Forbes, Techworm, Sputnik News, Network World, BoingBoing.

Authors: Bill Marczak, John Scott-Railton

1. Executive Summary. This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted […]