One of the sad truths of today’s online world is that dissidents, lawyers and journalists are ripe targets for governments that want to suppress who they perceive to be their enemies.
At the Black Hat security conference in Las Vegas today, the Electronic Frontier Foundation’s Eva Galperin and Cooper Quintin gave a demonstration of just what lengths governments will go in hacking their opponents.
In When Governments Attack, Galperin and Quintin illustrated how Syria, Ethiopia and Vietnam are all countries whose hacking campaigns they’ve encountered but the particular focus was on Operational Menul, which resolved around the Kazakhstan regime’s attacks on its opponents.
The government of Nursultan Nazarbayev is well known for its corruption, intolerance and global harassment of its opponents as Quintin and Galperin showed. What’s of particular interest to them is the use of off the shelf malware tools.
Using cheap commodity tools has the advantage of not leaving distinctive patterns that may give investigators hints to who has developed the malware. The downside of course is that most anti-viruses can detect these tools.
For the regimes this is not such a problem as most of their targets are relatively unsophisticated, as most of the activists, lawyers and journalists targeted by government agencies or their contractors do not have high level tech skills or use advanced security tools.
Another concern is how private contractors are employed by these governments. An interesting tactic used by the EFF is to commence legal proceedings against US based corporation for operations they’ve conducted against dissidents visiting or living in the United States.
Galperin and Quintin have three conclusions from examining these attacks.
- Attacks don’t need to be sophisticated to work
- None of this research is sexy
- The tools and actors are not sophisticated
While the tools and actors in these sad tales are not sophisticated, the costs to the targets are usually high as they and their families can be subject to terrible consequences.
As we increasingly see both simple and sophisticated software tools available to be used against citizens we can expect to see more abuses by governments around the world. The job of organisations like the EFF is not going to get easier any time soon.
We citizens though need to do what we can to demand safeguards and legal protections from our governments. Those of us in democracies should be making that clear at the ballot box.