Seth Hardy

Malware Attack Targeting Syrian ISIS Critics

This report describes a malware attack on a Syrian citizen media group critical of Islamic State of Iraq and Syria (ISIS). Though we are unable to conclusively attribute the attack to ISIS or its supporters, a link to ISIS is plausible. The malware used in the attack differs substantially from campaigns linked to the Syrian regime, and the attack is against a group that is an active target of ISIS forces. In the interest of highlighting a developing threat, this post analyzes the attack and provides a list of Indicators of Compromise.

Civil Society Organizations Face Onslaught of Persistent Computer Espionage Attacks

A new report, entitled “Communities @ Risk: Targeted Digital Threats Against Civil Society,” involved 10 civil society groups that enrolled as study subjects over a period of four years. The study sought to obtain greater visibility into an often overlooked digital risk environment affecting–whether they know it or not–many of society’s most essential institutions.

Asia Chats: LINE keyword filtering upgraded to include regular expressions

This report is part of a series which analyzes regionally-based keyword censorship in LINE, a mobile messaging application developed by LINE Corporation. The most recent update to the censorship keyword list includes a number of new entries as well as the introduction of regular expressions for more advanced keyword matching.
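To show what the move from plain substring entries to regular-expression entries changes for a client-side filter, here is an added example (not code from the LINE client or from the Citizen Lab report). The keyword list below is constructed for illustration and is not LINE's actual list; the entries, the `type`/`value` layout and all function names are assumptions.

```python
import re

# Constructed sample list (illustrative only; NOT LINE's real keyword list).
# Each entry is either a plain substring or a regular expression, mirroring
# the two entry types a keyword list with regex support can carry.
KEYWORD_LIST = [
    {"type": "literal", "value": "六四"},
    {"type": "literal", "value": "法轮功"},
    {"type": "regex", "value": r"六\W*四"},           # tolerates separators: 六 四, 六.四
    {"type": "regex", "value": r"法\W*轮\W*功"},
    {"type": "regex", "value": r"(?i)falun\W*gong"},  # case-insensitive Latin spelling
]


def compile_list(entries):
    """Pre-compile regex entries once; literal entries stay as substrings."""
    compiled = []
    for e in entries:
        if e["type"] == "literal":
            compiled.append((e["value"], None))
        else:
            compiled.append((e["value"], re.compile(e["value"])))
    return compiled


COMPILED = compile_list(KEYWORD_LIST)


def find_matches(message, compiled=COMPILED):
    """Return every (type, value) entry that fires on `message`."""
    hits = []
    for value, pattern in compiled:
        if pattern is None:
            if value in message:          # substring match, exact bytes only
                hits.append(("literal", value))
        elif pattern.search(message):     # regex match, tolerates variants
            hits.append(("regex", value))
    return hits


def literal_only(message, compiled=COMPILED):
    """What a substring-only filter (the old list format) would catch."""
    return [v for t, v in find_matches(message, compiled) if t == "literal"]


def is_censored(message, compiled=COMPILED):
    """True if any list entry, literal or regex, matches the message."""
    return bool(find_matches(message, compiled))


if __name__ == "__main__":
    for msg in ["今天是六四", "六 四", "六.四", "FALUN gong"]:
        print(repr(msg), "literal:", literal_only(msg), "censored:", is_censored(msg))
```

The point of the comparison is that a message such as "六 四" or "六.四" slips past a substring-only list but is caught once the same keyword is expressed as a regex that absorbs separators; that is the practical effect of the change described in the report.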

Targeted Threat Research at USENIX Security 2014

At USENIX Security 2014 Citizen Lab researchers presented two papers on targeted threats against civil society communities as part of a dedicated session on the topic entitled Tracking Targeted Attacks against Civilians and NGOs.

Asia Chats: LINE and KakaoTalk Disruptions in China

In this post we examine how the Great Firewall of China is implementing DNS tampering and HTTP request filtering on KakaoTalk and LINE domains, which is disrupting service of the applications as a result. We find that Flickr and OneDrive are also blocked through DNS tampering. We also analyze recent changes to the LINE keyword filtering list.

Asia Chats: LINE Censored Keywords Update

This report is the third in a series which analyzes regionally-based keyword censorship in LINE, a mobile messaging application developed by LINE Corporation. We document recent changes to the list of keywords used by LINE to trigger regionally-based keyword filtering for users with accounts registered to Chinese phone numbers.

Asia Chats: Analyzing Information Controls and Privacy in Asian Messaging Applications

This post is an introduction to Asia Chats, a research project analyzing information controls and privacy in mobile messaging applications used in Asia. The project will produce a series of reports that will begin with a focus on WeChat, LINE, and KakaoTalk. Reports will include analysis based on our technical investigation of censorship or surveillance functionality, assessment of privacy issues surrounding these applications’ use and storage of user data, and comparison of the terms of service and privacy policies of the applications.

Asia Chats: Investigating Regionally-based Keyword Censorship in LINE

This report by Seth Hardy (Senior Security Analyst, Citizen Lab) describes the technical details of client-side censorship functionality in the LINE messenger client for Android, and a method for disabling it. This post is the first in a series of research reports analyzing information controls and privacy in mobile messaging applications used in Asia. An introduction to the project can be found here.

Targeted Threat Index

The Targeted Threat Index is a metric for assigning an overall threat ranking score to email messages that deliver malware to a victim’s computer. The TTI metric was first introduced at SecTor 2013 as part of the talk “RATastrophe: Monitoring a Malware Menagerie” by Katie Kleemola, Seth Hardy, and Greg Wiseman.

Surtr: Malware Family Targeting the Tibetan Community

In this post, we report on “Surtr”, a malware family that has been used in targeted malware campaigns against the Tibetan community since November 2012.