Summary: Citizen Lab uncovers cyber-attack against prominent UAE-based human rights defender

Toronto, August 25th 2016: SRT grantee Citizen Lab, together with US-based mobile security firm Lookout Security, has uncovered a sophisticated cyber-attack targeting human rights defender Ahmed Mansoor. A report into the attack, The Million Dollar Dissident: NSO Group’s iPhone Zero-Days used against a UAE Human Rights Defender, is being published today.

Ahmed Mansoor is an internationally recognised human rights defender based in the United Arab Emirates. On August 10th and 11th, he received text messages on his iPhone promising “secrets” about detainees tortured in UAE jails if he clicked on an included link. Mansoor sent the messages to Citizen Lab who recognised the links as belonging to NSO Group, an Israel-based “cyber war” company that sells government-exclusive “lawful intercept” spyware. NSO is owned by an American venture capital firm, Francisco Partners Management.

The ensuing investigation, a collaboration between researchers from Citizen Lab and Lookout Security, determined that the links led to a chain of so-called “zero-day exploits” that would have installed sophisticated spyware on Mansoor’s phone. Once infected, the phone would have been capable of employing its camera and microphone to monitor activity in its vicinity, recording internet calls, logging chat messages, and tracking Mansoor’s movements. Citizen Lab believes that based on the costs involved and prior targeting of Mansoor, the UAE government is probably responsible for the attack.

Once the researchers confirmed the presence of what appeared to be zero-days, they quickly notified Apple to share their findings. Apple responded by releasing a patch which closes the vulnerabilities that NSO appears to have been exploiting.

Bill Marczak, Senior Researcher at Citizen Lab, said, “We had been tracking what appeared to be NSO’s infrastructure for several months, but had not seen any spyware that talked to it until Mansoor forwarded us the links he received. Activists like Mansoor are the ‘canary in the coal mine’ for targeted digital attacks – the advanced threats they face today will face us all tomorrow.”

The full report is available here on Citizen Lab’s website.

Return to grantee stories