The Citizen Lab is an interdisciplinary research group at the Munk School of Global Affairs, University of Toronto, that investigates targeted digital espionage operations against civil society groups. We are dependent on the generous support of companies, like RiskIQ, to help us access and work with cyber threat intelligence products for our research.

Citizen Lab has been making key discoveries with RiskIQ PassiveTotal since the beginning of the service in May 2014. PassiveTotal is essential to our investigative and research workflow, and recently, a search using PassiveTotal led to the discovery of NSO Group’s Pegasus malware and iOS 0day delivery infrastructure, as well as other malware, phishing, and disinformation campaigns in the Middle East, Latin America, and the Tibetan community.

Million Dollar Dissident: A RiskiQ PassiveTotal Jackpot

While investigating the Stealth Falcon operation, a cyber threat actor targeting UAE dissidents, we ran a series of IP addresses through RiskIQ PassiveTotal. It returned to us a domain, as well as an email address that looked different from the Stealth Falcon infrastructure we were familiar with.

Pivoting out from these data points, we connected the email and domain to a domain that was registered to the NSO Group. Suspecting that these domains were part of an exploit delivery infrastructure, we began seeking evidence of messages containing links to the network:

A few months later, human rights defender Ahmed Mansoor shared two text messages with us that contained links we had identified as part of the exploit infrastructure. We were able to successfully trigger the exploit infrastructure to fire against a device and captured the payload.

This lead to the discovery of a remote jailbreak, using a string of zero-days. The report that we wrote received international attention, and illustrated the dangers associated with the proliferation of government-exclusive malware.

View the Stealth Falcon Public Project here: https://passivetotal.org/projects/a24e1b09-1dda-63e5-3bee-96422af0dc9c

Investigating PackRat

Our investigations often begin with a single domain, IP address, or piece of malware. RiskIQ PassiveTotal, either when used via the web interface or Maltego, enables us to quickly identify other potentially linked indicators.

When we identified a string of phishing e-mails in Latin America that targeted human rights defenders and journalists, we were able to connect the phishing infrastructure to both malware command and control servers, as well as a pattern of fake news websites.

Using RiskIQ PassiveTotal, we connected the domain registration information from an initial phishing e-mail to a range of other malicious and fake news websites:

RiskIQ PassiveTotal helped us characterize and make sense of a campaign that contained a vast array of elements, including phishing, malware, fake news, and fake organizations:

Ultimately, with the help of data pulled from RiskIQ PassiveTotal, we were able to characterize the Packrat group, an eight-year long malware campaign targeting civil society groups throughout Latin America.

View the PackRat Public Project here: https://passivetotal.org/projects/d4db582a-bb38-4004-e7e8-2d4d57356e05

Tracking Operations against the Tibetan Community

In the report Shifting Tactics: Tracking changes in years-long espionage campaign against Tibetans, The Citizen Lab tracked a technical shift in tactics from a cyber threat actor, called Scarlet Mimic, previously reported by Palo Alto Networks. The report found that Scarlet Mimic repurposed parts of their malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like Google.

The investigation started when Tibetan groups sent us emails with links to fake Google login pages designed to steal credentials. Through a RiskIQ PassiveTotal search, we uncovered overlap between domains used to host the Google phishing pages and command and control infrastructure associated with previous Scarlett Mimic malware campaigns:

We mapped out the infrastructure in Maltego using the RiskIQ PassiveTotal Transform:

With RiskIQ PassiveTotal, we were able to track the activities of Scarlett Mimic over time and enrich our analysis of the group showing a shift in technical tactics from targeted malware campaigns to conventional phishing. This change in tactics may have been a response to defensive measures taken on by Tibetan groups, including avoiding sending and receiving file attachments by email.

View the Scarlet Mimic Public Project here: https://passivetotal.org/projects/8a7a2a68-9c77-c513-1b18-26fd2f8f1789

The Power of Collaboration

Tools like RiskIQ PassiveTotal help Citizen Lab researchers punch above our weight. RiskIQ PassiveTotal’s support of Citizen Lab is an excellent example of how a cyber threat intelligence product can be used to support investigations that contribute to the public good. View the Citizen Lab case study here.