A group of hackers believed to have sent malware to Alberto Nisman, the Argentine prosecutor who died mysteriously this year while attempting to bring charges against the country’s president, has been targeting South American journalists and dissidents, according to the Citizen Lab, an Internet watchdog, the Associated Press reported.
The scope of the hackers’ targets indicates state sponsorship, as do the targets themselves.
The hackers have launched dummy websites and have attacked Ecuadorean journalists and opposition figures with spyware. One dummy website targeting Venezuela carried questionable “scoops” alleging corruption among the governing socialists. In Ecuador, a dummy website was tailored to attract dissatisfied former police officers.
A Three-Month Investigation
Researchers conducted a three-month investigation after determining that the spyware on Nisman’s smartphone was written to transmit pilfered data to the same command-and-control infrastructure as the malware sent to Ecuadorean targets. Investigators said the hackers demonstrated a systematic and keen interest in the independent press and the political opposition in the three countries (Argentina, Ecuador and Venezuela), all of which are led by left-wing governments.
The hackers threatened a Citizen Lab researcher in September who investigated a U.S.-based machine that the group managed to infect. A message that appeared on the researcher’s computer screen threatened to “analyze your brain with a bullet – and your family’s too.” It said he should know that playing a spy has a cost “— your life.”
Morgan Marquis-Boire, one of the researchers, said the threat was unusual behavior for professional hackers and indicated little fear of criminal prosecution.
The group tried to infect an Associated Press reporter’s computer with a phishing attack in order to steal a Google password in November.
The researchers were able to identify the group through intertwined Internet domains and the email signatures used in its infection attempts. The group has been active for seven years and has used hosting services in Brazil since at least 2008, the researchers said.
Privacy Rules Impede Further Research
Identifying the source of the hacking may require court orders on account of the Internet hosting companies’ privacy rules.
Targets received an email from a dummy organization claiming to oppose Ecuador president Rafael Correa. Other targets received a message that was falsely signed by an opposition leader that claimed to reveal identities of persons investigated by Ecuador’s spy agency.
People who clicked on embedded links became infected with spyware that surreptitiously pulled information and sent it to the group’s servers.
Researchers dubbed the group “Packrat.” The name was chosen because the hackers use commercial remote access trojans (RATs) that run on smartphones and computers. These enable the hackers to capture text messages, emails and keystrokes. The software can also hijack webcams and microphones.
Researchers said the malware was packaged to evade anti-virus detection.
A Sophisticated Hacker Operation
John Scott-Railton, the lead Citizen Lab researcher at the University of Toronto’s Munk School for Global Affairs, said the operation is highly targeted. He said Packrat carefully chooses and relentlessly pursues its targets.
The hackers reused the same Internet domains for years, a technical convenience that also exposed them. Cybercriminals normally avoid this for fear of being caught by law enforcement.
The researchers found 35 types of booby-trapped files and domains hosted by companies in the U.S., Uruguay, Sweden, Spain, France, Brazil and Argentina.
About two dozen “seeding” sites resided on servers owned by GoDaddy.com LLC, a U.S.-based web hosting company, for much of the past two years. GoDaddy-hosted domain names included login-office365.com, mgoogle.us, update-outlook.com and soporte-yahoo.com.
Researchers alerted most of the providers Friday and asked that they shutter Packrat’s known infrastructure. Nick Fuller, a GoDaddy spokesperson, said GoDaddy acts immediately after identifying a problem website.
Packrat Targeted Nisman
The researchers started the investigation after determining that Packrat had targeted Nisman, who died mysteriously of a gunshot wound in January while attempting to bring charges against Argentina’s president.
Researchers said Packrat sent Jorge Lanata, an Argentine journalist, the same virus Nisman received a month prior to his death.
The virus was designed to communicate with the same Internet domains used to spy on Ecuadorean opposition figures, who found Packrat malware in their emails using search scripts the researchers wrote.
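The article mentions search scripts that turned up Packrat lures in targets’ mailboxes, and earlier lists the look-alike webmail domains the group seeded on GoDaddy (login-office365.com, mgoogle.us, update-outlook.com, soporte-yahoo.com). The script below is an added example of that kind of sweep; it is not Citizen Lab’s code. It parses stored messages, pulls every link out of the text and HTML bodies, and flags links whose registrable domain is one of the Packrat domains named in the article or that borrows a webmail brand name without resolving to that brand’s real domain, plus attachments with executable extensions. The sample messages, the sender addresses, the URL paths, the legitimate-domain sets and the risky-extension list are all assumptions constructed for the example; only the Packrat domains come from the article.

```python
"""Sweep stored e-mail for links to Packrat infrastructure.

Added example modelled on the "search scripts" the article mentions; it is not
Citizen Lab's code.  The messages below are constructed to resemble the lures
the article describes and are not real Packrat samples.
"""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage
from urllib.parse import urlsplit

# Domains the article attributes to Packrat (seeding sites and lure sites).
KNOWN_PACKRAT_DOMAINS = {
    "login-office365.com", "mgoogle.us", "update-outlook.com",
    "soporte-yahoo.com", "justice-desvinculados.com", "pancaliente.info",
}

# Brand tokens the Packrat domains imitate, mapped to registrable domains a
# genuine login link for that brand would use (assumed sets, not from the article).
BRAND_LEGIT_DOMAINS = {
    "google": {"google.com"},
    "office365": {"office.com", "microsoft.com", "office365.com"},
    "outlook": {"outlook.com", "live.com", "office.com", "microsoft.com"},
    "yahoo": {"yahoo.com"},
}

# Attachment suffixes treated as executable lures (assumed list, not from the article).
RISKY_SUFFIXES = {"exe", "scr", "jar", "vbs", "js", "hta", "bat", "cmd", "com", "pif"}

URL_RE = re.compile(r"""https?://[^\s<>"')\]]+""", re.IGNORECASE)


def registrable_domain(host):
    """Last two DNS labels.  A real deployment should consult the public suffix
    list so that a host under e.g. .co.uk is not reduced to co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url):
    """Return (label, registrable domain) for a suspicious URL, else None."""
    host = urlsplit(url).hostname
    if not host:
        return None
    domain = registrable_domain(host)
    if domain in KNOWN_PACKRAT_DOMAINS:
        return ("known_packrat_domain", domain)
    for token, legit in BRAND_LEGIT_DOMAINS.items():
        if token in host.lower() and domain not in legit:
            return ("brand_lookalike", domain)
    return None


def extract_urls(msg):
    """Collect every http(s) URL from the text and HTML bodies, deduplicated in order."""
    urls = []
    for part in msg.walk():
        if part.get_content_maintype() != "text" or part.is_attachment():
            continue
        urls.extend(u.rstrip(".,;") for u in URL_RE.findall(part.get_content()))
    return list(dict.fromkeys(urls))


def scan_message(raw):
    """Scan one RFC 822 message (bytes); report suspicious links and attachments."""
    msg = message_from_bytes(raw, policy=policy.default)
    url_hits = []
    for url in extract_urls(msg):
        verdict = classify_url(url)
        if verdict:
            url_hits.append((url, verdict[0], verdict[1]))
    attachment_hits = [
        part.get_filename() for part in msg.iter_attachments()
        if part.get_filename()
        and part.get_filename().rsplit(".", 1)[-1].lower() in RISKY_SUFFIXES
    ]
    return {"subject": str(msg["Subject"]), "sender": str(msg["From"]),
            "url_hits": url_hits, "attachment_hits": attachment_hits}


def scan_mailbox(raw_messages):
    return [scan_message(raw) for raw in raw_messages]


def _build(subject, sender, text, html=None, attachment=None):
    """Assemble a constructed sample message as raw bytes."""
    msg = EmailMessage()
    msg["Subject"], msg["From"], msg["To"] = subject, sender, "target@example.org"
    msg.set_content(text)
    if html:
        msg.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples (hypothetical senders and paths); only the domains in
# KNOWN_PACKRAT_DOMAINS come from the article.
SAMPLE_MESSAGES = [
    _build("Verifique su cuenta", "soporte@login-office365.com",
           "Su sesion expira hoy: http://login-office365.com/verify",
           '<p>Su sesion expira hoy: <a href="http://login-office365.com/verify">verificar</a></p>'),
    _build("Boletin semanal", "news@example.org",
           "Inicie sesion en https://accounts.google.com/signin para leer mas."),
    _build("Cambio de contrasena", "alerta@mail-yahoo-soporte.net",
           "Confirme aqui: https://mail-yahoo-soporte.net/login."),
    _build("Informe confidencial", "prensa@example.org",
           "Adjunto el documento.", attachment=("informe.pdf.exe", b"MZ\x90\x00")),
]

if __name__ == "__main__":
    for report in scan_mailbox(SAMPLE_MESSAGES):
        print(report)
```

To run it against a real mailbox, feed `scan_mailbox` the raw bytes of each message (for example from `mailbox.mbox` in the standard library) instead of `SAMPLE_MESSAGES`. Exact-match IOC hits are high confidence; the brand-token heuristic is a triage signal and will need the legitimate-domain sets tuned to whatever webmail your organisation actually uses.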
Scott-Railton said the targets, most of which are in Ecuador, probably represent only a small portion of the group’s activity. He said he doubted that the Brazil-focused operations have stopped.
Packrat targeted Ecuadorean reporters, environmental activists and Crudo Ecuador, a satirist who mocked the president. It also launched a website mirroring the Ecuador National Assembly’s webmail login page in an attempt to harvest lawmakers’ usernames and passwords, according to the researchers.
Janet Hinostroza, a journalist who won a press freedom award in 2013 from the Committee to Protect Journalists, claimed she was hacked in January and in August, a month after she was accused by the interior minister of plotting to overthrow the government. She said she believed the hackers had access to her information.
Hinostroza said she cannot access data on her Apple iCloud since the hackers changed her security questions and her password.
Packrat targets in Ecuador also include Cesar Ricaurte, director of Fundamedios, a press freedom watchdog, and Martha Roldos, an environmental activist. Roldos received 34 malicious emails from Packrat, according to Citizen Lab.
One Packrat-created website, “justice-desvinculados.com,” attempted to attract Ecuadorean police officers who were dismissed following a 2010 revolt over benefits. The website, which has been removed, included an affiliated Twitter account.
The most elaborate website created by the group is one in Venezuela called Pancaliente.info, a compendium of opposition-friendly news that includes inaccurate “scoops” and plagiarized articles. The website, taken offline on Tuesday, provided no contact information but asked readers to enter their email addresses.