UAE journalists, activists and dissidents are being targeted with custom-made spyware by a cyberespionage group called Stealth Falcon. The advanced persistent threat (APT) group is believed to be circumstantially linked to the UAE government and uses email and social media sites to deploy phishing attacks and infect victims' systems.
The University of Toronto's Citizen Lab published a report detailing Stealth Falcon's involvement in attacks against those who have been actively critical of the UAE government. The report also indicated that the UAE government, which was once one of the most loyal and high-profile clients of Hacking Team – the Milan-based firm that sells intrusive surveillance tools – may now be making use of Stealth Falcon to target dissidents.
According to Citizen Lab's research, Stealth Falcon's digital actions can be traced back to the UAE government. "This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon. The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents. We discovered this campaign when an individual purporting to be from an apparently fictitious organisation called 'The Right to Fight' contacted Rori Donaghy (UK based journalist and human rights activist). Circumstantial evidence suggests a link between Stealth Falcon and the UAE government," said Citizen Lab researchers Bill Marczak and John Scott-Railton.
Researchers also noted that the cyberespionage group used shortened URLs as part of its social media and email campaigns, through which targets were profiled and, in some cases, their systems infected with spyware via Office document attachments. Once installed, the spyware would send data to numerous command and control servers.
Citizen Lab researchers also claimed to have discovered the identities of the 27 Twitter accounts that were targeted by Stealth Falcon. Of these, five were arrested and two convicted by authorities in the UAE. The researchers also noted that all of those targeted by the cyberespionage group have had previous encounters with the UAE police. Additionally, a government Twitter account once also posted a tweet with the same shortened URL.
"Stealth Falcon's technical approach may not be cutting edge, but the operators are neither unsophisticated or ineffective. Analyzed holistically as an operation, Stealth Falcon is a logical and multi-pronged approach to compromising and unmasking a class of targets. Stealth Falcon's campaign highlights the power of social engineering, once a technical bar has been met, in conducting a large scale campaign," the researchers noted.
"Stealth Falcon is only the latest example of civil society-focused threat actors impersonating NGO's and journalists to conduct espionage operations. The tactic has been used by a wide range of actors, including Bahrain's government, Packrat in Latin America, Iranian groups and China related groups, among others," the researchers concluded.