When Governments Hack Opponents: A Look at Actors and Technology

Title: When Governments Hack Opponents: A Look at Actors and Technology
Publication Type: Conference Paper
Year of Publication: 2014
Authors: Marczak, B., Scott-Railton J., Marquis-Boire M., & Paxson V.
Other Numbers: 3690

Repressive nation-states have long monitored telecommunications to keep tabs on political dissent. The Internet and online social networks, however, pose novel technical challenges to this practice, even as they open up new domains for surveillance. We analyze an extensive collection of suspicious files and links targeting activists, opposition members, and non-governmental organizations in the Middle East over the past several years. We find that these artifacts reflect efforts to attack targets’ devices for the purposes of eavesdropping, stealing information, and/or unmasking anonymous users. We describe attack campaigns we have observed in Bahrain, Syria, and the United Arab Emirates, investigating attackers, tools, and techniques. In addition to off-the-shelf remote access trojans and the use of third-party IP-tracking services, we identify commercial spyware marketed exclusively to governments, including Gamma’s FinSpy and Hacking Team’s Remote Control System (RCS). We describe their use in Bahrain and the UAE, and map out the potential broader scope of this activity by conducting global scans of the corresponding command-and-control (C&C) servers. Finally, we frame the real-world consequences of these campaigns via strong circumstantial evidence linking hacking to arrests, interrogations, and imprisonment.


This work was partially supported by funding provided to ICSI through National Science Foundation grants CNS : 1223717 (“Censorship Counterstrike via Measurement, Filtering, Evasion, and Protocol Enhancement”) and CNS : 1237265 (“Beyond Technical Security: Developing an Empirical Basis for Socio-Economic Perspectives”). Additional funding was provided through a Citizen Lab Fellowship. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the authors or originators and do not necessarily reflect the views of the National Science Foundation or the Citizen Lab.

Bibliographic Notes

Proceedings of the 23rd USENIX Security Symposium, San Diego, California

Abbreviated Authors

W. R. Marczak, J. Scott-Railton, M. Marquis-Boire, and V. Paxson

ICSI Research Group

Networking and Security

ICSI Publication Type

Article in conference proceedings