EspañolEcuadorian free-speech NGO Fundamedios reports that Ecuadorian journalists and activists have likely been attacked with the same spyware used to target the late Argentinean prosecutor Alberto Nisman and Argentinean journalist Jorge Lanata.
On August 25, the NGO released a statement based on data collected for an article published on August 21 in the Intercept, a civil-libertarian publication. The report reveals that both Nisman and Lanata had received a file attachment named “estrictamente secreto y confidencial.pdf.jar” (strictly secret and confidential).
While the file was masked as a PDF, it was actually “an off-the-shelf commercial digital spying tool or remote access toolkit (RAT) known as AlienSpy,” First Look Media Director of Security Morgan Marquis-Boire explains in the article. According to Fidelis, an online-security provider, AlienSpy can be easily purchased on the web for between US$19.90 and $219.
Marquis-Boire had previously presented his findings regarding the spy software on Nisman’s cell phone during the Black Hat USA 2015 security conference in Las Vegas in early August.
During his presentation, he said the spyware was created around December 1, 2014, a few weeks prior to Nisman’s death. Shortly after the conference, Lanata came forward with evidence demonstrating he had received the same spyware.
Marquis-Boire further explains in his report for the Intercept that “the spyware that both Lanata and Nisman received spoke to the same ‘command and control’ domain, an internet address that points to a remote machine used by spies to control the software they have implanted on a victim’s machine.”
[adrotate group=”8″]
The researcher also found that two command and control domains — aynews.sytes.net and dyrep24.ddns.net — were linked to other spyware-infected documents that were distributed in Ecuador.
One of the files, “3 MAR PROYECTO GRIPEN.docx.jar,” appeared to be a letter from Ecuadorian Ambassador to Sweden Mario Guerrero to President Rafael Correa. The other file, “Reporte Confidencial.pdf.jar,” was created in January 2015 and comprised of a single blank sheet.
“We should note that Marquis-Boire’s investigation does not provide details on the spyware that has apparently been distributed in Ecuador. However, the connection to this server is clear, even though the owner or owners of the server itself remain unknown,” Fundamedios said in their press release.
Hackers often use deceptive names on email addressed and files to trick recipients into opening Java files and other malicious links. Once launched, the file then allows hackers to take nearly full control of the information found on the targeted device.
In their statement, Fundamedios relayed security advice from Access, an organization that aims to defend the digital rights of users around the world. The group recommends that users be wary of messages they are not expecting, and suggest not opening suspicious email attachments and links.
Access also advises keeping all operating systems, applications, and antivirus software up to date, and cautions users from installing applications from unknown sources.
Fundamedios has previously warned that since February 2015 “a number of journalists, public figures, and community administrators of Facebook pages not aligned with the ruling party have been subject to attacks from hackers.”
Ecuadorian journalist Janet Hinostroza says she has frequently been targeted by hackers and has received more than 100 emails of this sort, many of them disguised as messages sent from friends or colleagues.
She says the emails often contained messages like “look at the information that the National Intelligence Secretariat (SENAIN) has on you,” or included interview requests from fake journalists.
According to Fundamedios, Hinostroza says she has lost control of her email account on at least seven occasions due to these attacks. Recently, she also lost control of her iCloud account and all the information it contained.
The admin for Crudo Ecuador (Raw Ecuador), an anti-government satirical Facebook page, says he also received fake interview requests. After some research, the admin says he discovered that the Miami Herald journalist who supposedly sent the emails was actually dead.
He also explained that he stopped publishing memes critical of President Correa after receiving threats against his life and his family.
Other victims of these malicious emails include Facebook admins for Ecuatoriano Hasta las Huevas (Ecuadorian to the Core), Rokoto Feo (Ugly Rokoto), and Fundamedios Director César Ricaurte.