Page 32 - ATODAY
FEATURE
Thursday 10 December 2015
South America Hacker Team Targets Dissidents, Journalists
FRANK BAJAK
AP Technology Writer

LIMA, Peru (AP) — A shadowy cyber-espionage group that sent malware to the prosecutor whose mysterious death transfixed Argentina early this year has been hitting targets in left-leaning nations across South America, the Internet watchdog group Citizen Lab reported Wednesday.

The breadth and brazenness of the hackers’ activity bear the hallmarks of state sponsorship, the researchers found. So do its targets.

The group has been attacking opposition figures and independent journalists in Ecuador with spyware. It also ran dummy websites. The most elaborate, geared toward Venezuela, was a constantly updated news site featuring dubiously sourced “scoops” on purported corruption among that country’s ruling socialists. In Ecuador, a similarly bogus site seemed tailored to attract disgruntled police officers.

The researchers launched the three-month probe after determining that spyware found on the smartphone of Argentine prosecutor Alberto Nisman was written to send pilfered data to the same command-and-control structure as malware sent to targets infected in Ecuador. They said the hackers had a “keen and systematic interest in the political opposition and the independent press” in the three nations, all of which have been run by allied left-wing governments.

That suggests it may have operated on behalf of one or more of those governments, the report said.

In September, the hackers threatened a Citizen Lab researcher as he poked around in a U.S.-based machine the group had infected.

“We’re going to analyze your brain with a bullet — and your family’s, too,” read a message that popped up on his computer screen. “You like playing the spy and going where you shouldn’t, well you should know that it has a cost — your life!”

That’s rare behavior among professional hackers, perhaps indicating little fear of criminal prosecution, said Morgan Marquis-Boire, one of the researchers.

In November, the group attempted to infect the computer of an Associated Press reporter with a phishing attack aimed at stealing his Google password.

The researchers identified the group through intertwined Internet domains and tell-tale digital signatures on emails sent to infect computers. They said it had been active for seven years, finding it to have used hosting services in Brazil since at least 2008.

Determining who is behind the hacking, however, may be possible only with court orders due to Internet hosting companies’ privacy policies.

In two examples, targets received an email from a phony organization purporting to oppose President Rafael Correa of Ecuador. Others received a message falsely signed by an opposition leader claiming to reveal names of people investigated by Ecuador’s espionage agency.

Those who clicked on embedded links had their computers infected with spyware that secretly culled information from users’ machines and sent it to servers run by the group, which researchers dubbed “Packrat.”

“We believe this is a highly targeted operation,” said John Scott-Railton, lead researcher on The Citizen Lab team at the University of Toronto’s Munk School for Global Affairs. “Packrat seems to carefully choose and then relentlessly go after its targets.”

The group has used the same Internet domains for years despite some exposure, a technical convenience that would be shunned by garden-variety cybercriminals wary of being identified by law enforcement agencies.

The researchers found at least 35 different types of booby-trapped files, and operated from domains hosted by companies based in Argentina, Brazil, France, Spain, Sweden, Uruguay and the United States.

For much of the past two years, about two dozen “seeding” sites resided at one time or other on servers owned by U.S.-based GoDaddy.com LLC, a web hosting company. The domain names that GoDaddy hosted included soporte-yahoo.com, update-outlook.com, mgoogle.us and login-office365.com.

The researchers notified most of the providers Friday, asking that Packrat’s known infrastructure be shuttered.

GoDaddy spokesman Nick Fuller said the company takes immediate action when it identifies a problem website but did not elaborate.

Citizen Lab labeled the operation Packrat because the hackers use commercially available packages of remote access trojans — or RATs — that infect computers and smartphones, allowing hackers to capture keystrokes, emails and text messages. The software could even hijack microphones and webcams. The malware was skillfully packaged to avoid detection by anti-virus programs, the researchers found.

The investigation was begun after it was determined that Packrat had targeted Nisman, the Argentine special prosecutor found dead of a gunshot wound last January while trying — unsuccessfully — to bring criminal charges against Argentina’s president.

Researchers said Packrat sent a top Argentine journalist, Jorge Lanata, the identical virus that Nisman received a month before his death.

The virus’ digital fingerprints showed it was built to communicate with the same Internet domains being used to spy on Ecuadorean opposition figures, who identified Packrat malware in their email with search scripts written by the researchers.

Most of the targets identified were in Ecuador, though researcher Scott-Railton cautioned that they likely represent a sliver of the group’s activity.

Ecuadorian journalist Janet Hinostroza poses for a photo at the Teleamazonas tv station in Quito, Ecuador, Monday, Dec. 7, 2015. Hinostroza, who won a 2013 press freedom award from the New York-based Committee to Protect Journalists, said she was hacked in January and then again in August, a month after the interior minister claimed she was involved in a plot to overthrow the government. (AP Photo/Dolores Ochoa)