When Ahmed Mansoor opened an e-mail from “Arabic Wikileaks” last July, the Dubai human-rights activist didn’t expect he would unwittingly be downloading a virus that could monitor his key strokes, open his e-mails, even record his Skype conversations.
He wasn’t the only victim. Ten days before Mr. Mansoor’s desktop was infected, the same spying program, developed by a security company in Milan, had targeted a citizen journalist’s website in Morocco.
The connection between the Italian company and the spying on the Emirati activist is detailed in a report released Wednesday by the Citizen Lab, a unit of the University of Toronto’s Munk School of Global Affairs. The lab monitors the impact of computers on democracy.
Written by Google engineer Morgan Marquis-Boire, who is also an advisor at Citizen Lab, the report adds to the growing body of evidence that Middle Eastern governments have relied on commercial surveillance programs designed by Western companies to track political dissidents.
Mr. Mansoor, a student and blogger, was one of five activists in the United Arab Emirates, dubbed the “UAE 5,” who were charged last year with criminal defamation after they criticized government policies on an online forum. He received a three-year sentence, which was lifted under a presidential pardon. Though according to Amnesty International, his criminal record remains. Twice last month, unknown assailants attacked him on the campus of Ajman University, Mr. Mansoor has said.
In that context, the cyber-spying on Mr. Mansoor is “another example of commercial network intrusion tools being used against dissidents in countries with poor human rights records,” says the Citizen Lab report.
The report also says Mr. Mansoor received the “Arabic Wikileaks” e-mail on July 23, which contained an attachment, titled “veryimportant.doc,” that appeared to be a Microsoft Word document but was in fact spying malware.
Mr. Mansoor’s e-mail account was later accessed by suspicious IP addresses in the Emirates, says the report, which connected the server controlling the malware to an Abu Dhabi corporate office.
The report says Mr. Mansoor’s virus was similar to a “backdoor” program that bypassed the safeguards of the Windows operating system to infect Mamfakinch.com, a citizen website critical of the Moroccan government, in July.
Some of the backdoor programming code in the Mamfakinch infection alluded to a user named “Guido” and the software has been identified as a variant of a commercial spyware marketed by Hacking Team, a Milan company, the report says.
Promotional materials for Hacking Team says its spyware has remote-control ability to record a user’s web browsing history, the files that are opened or deleted, keystrokes, printed documents, online chat, instant messaging and Skype conversations.
“Frankly, the evidence that the Citizen Lab report presents in this case doesn’t suggest anything inappropriately done by us,” said a spokesman for Hacking Team, Eric Rabe.
“We recognize this software had very serious capabilities but we do take very measure we think we can take to prevent the abuse of the software and keep it from getting in the hands of anyone who would use it inappropriately,” he said.
He said Hacking Team only sells to government agencies and not individuals and the company respects international trade sanctions that would prevent it from transacting with countries such as Iran.
Neither the UAE nor Morocco are the object of trade sanctions.
Mr. Rabe said that clients are required to use Hacking Team products “only in the pursuant of legally permitted activities.”
However, he acknowledged that this would include using the spyware under the law of the country where the client operates.
The Citizen Lab report says the latest revelation underlines the dangers pro-democracy activists increasingly face every time they use their computers to e-mail or Skype.
“The use of social engineering and commercial surveillance software attacks against activists and dissidents is becoming more commonplace,” the report says.
Last July, the Citizen Lab linked the surveillance software FinFisher, sold by Gamma International UK Ltd., to malware attacks that targeted the pro-democracy movement in Bahrain. In May, Bahrain activists received e-mails purporting to come from an Al-Jazeera correspondent, Melissa Chan. The e-mails had attachments which, unbeknownst to the recipients, flipped the setting of their “right to left override” (RLO) character, the code that ensures that Arabic or Hebrew text flow right to left.
As a result, the activists clicked on e-mail attachments with names such as “exe.Rajab1.jpg” that suggested they were harmless pictures. In fact, they were activating a viral program named “gpj.1bajaR.exe.”
The malware then collected data from their computers – screenshots, passwords, audio from Skype chats, even individual key strokes – then transferred the content to an Internet address owned by the principal telecommunications company of Bahrain, the Citizen Lab said.