(Portuguese version available here).
As part of the Infuse Program fellowship, recently I facilitated a series of workshops on malware triage and detection.
In the last session, I had the pleasure and honor of having Etienne Maynier, currently working in information security at Human Rights Watch and formerly a researcher with Amnesty Tech, the technology area of Amnesty International, as a guest speaker. Etienne, who also goes by the nickname tek, discussed malware, how to curb spyware like Pegasus, privacy, the danger of data brokers and many other topics on digital security and public interest technology.
Thanks to Etienne, a.k.a. Tek, for his generosity in dropping by for this conversation with me and my students.
Celso Bessa (Tecnologia Humanista): So welcome officially to this last office-hours […] please introduce yourself and let us know how you became a researcher on security, your career, and then we start from there. Thank you.
Etienne: I worked in the industry some 15 years ago. I did a bunch of stuff for companies like pentesting, intrusion testing and intrusion detection and I got lost on the way. I did some development at some point and a bunch of technical projects for companies. I got to this point where I was working for a large company in Europe, where I was doing intrusion detection, but didn’t feel super useful and so I wanted to do something ethical and useful.
So I worked for Citizen Lab from 2016, especially with Tibetan communities, which have been targeted by Chinese malware for so long, since at least 2008, and it’s one of the most documented cases of state-sponsored attacks against NGOs. It was great because if you talk about attacks attributed to Chinese authorities, depending on who is targeted, you get into more or less complex attacks, and usually Tibetans get pretty simple attacks. I’ve looked at pretty badly written Chinese malware, which was a really great way to get into malware analysis because they just go for the very basic stuff, like they don’t try to obfuscate, don’t try to hide etc. They just go for the easy stuff: a bit of persistence here, a bit of sending data there, but pretty simple techniques overall. I did a lot of malware analysis on that and then after that, I worked for Amnesty International for some years on more advanced attacks, a little on phishing and then all the Pegasus work. So I can’t say I’m a good malware analyst because I’ve never done that full-time and I don’t eat malware for breakfast, but I’ve seen enough of different aspects of it to know what it looks like. At some point one thing that became quite obvious to me is that even if malware analysis is pretty hard, you can often quickly identify what it’s about and what it’s doing. But I felt one step that was missing was a lot of very simple forensics and I think that’s what you have focused your training on.
I think looking at processes running, persistence and stuff like that, not a lot of people look at that, because if you’re in a large company, you have tools that just do that for you and in civil society we don’t do that. It’s kind of infosec applied to small organisations and individuals and I thought that was missing. So I spent some time developing some curriculum and trainings on how to do forensics at some point. I felt like looking at it this way is great because you understand what you can look for when you check a computer.
One thing I never had in the industry, that I had all the time in civil society, was someone coming to me with a laptop or a device saying, “Hey, is this compromised? Can you look at it?” And so I felt that’s really not too hard, but resources were missing about how to do that.
Now I’m working for Human Rights Watch which is going back to Infosec, more equipped than a lot of small organisations in civil society. Not as big as large corporations, so we have to manage with corporate infosec tools but also a lot of “scrapes and duct tape” and make it work.
Celso Bessa: You touch on something that is interesting, that is the difference between the resources available in the private sector and civil society. Civil society and maybe also governments and multinational cooperation organisations face different risks than corporations. For example, APTs, state-sponsored actors, or even the private sector spying on CSOs. (Well, the private sector probably also spies on their competitors, but the intentions and the incentives here are different), and civil society doesn’t have the same resources. Do you see other differences?
Etienne: Clearly you have a big difference in the risk versus the means you have to be protected. In a big corporation, for example, you have a large budget for infosec and you get more or less targeted depending on what you do. But the thing is, in civil society you are way more targeted by persistent actors, which means people want to get after you and you really don’t have any means to protect yourself. I’ve worked with a lot of individual and independent journalists, who really at times didn’t even have money to change their laptops, right? People who have a 10-year-old laptop and I’m like “really, you can’t continue working with them”. But they don’t have money for that. So indeed, the difference in budget and knowledge is huge. I think it’s awesome to see there are more and more organisations working with journalists and activists to fill that gap, but it still is a pretty big gap and it’s also very unlikely you can centralise security in the same way.
On the attacks, it really depends on the context. If you look at a group like Ocean Lotus, which is largely attributed to Vietnam, they have been targeting the car industry largely because Vietnam is developing its car industry, but they also have been targeting human rights defenders and activists. The problem we have is what’s reported. If you look at reports on spyware, 90% of them come from the industry, working with large corporations and working with governments, so these reports are about what targets them.
And so you find a large proportion of them focusing on China, Russia, North Korea, and sometimes Vietnam. And so, you completely miss some countries who are just very aggressive on civil society but way less on companies and also in a lot of cases, you completely miss the civil society part. You have a bunch of reports like these where you see these [APT] groups, they’re actually targeting society but no one is reporting and paying attention to civil society.
The weird mystery to me is when we worked on Pegasus, no one was paying attention. The first reports about Pegasus were in 2016 and, as far as we knew, it wasn’t a threat for companies but a threat for civil society, journalists and politicians.
But when we published a big report in 2021, for instance, the French authorities had no clue about how big this was, no one looked at it and no one looked at how to counter it or even how to look if you’re infected or anything. And these cases are really weird ones for me, authorities completely missed that. And a point I’ve made in an article in French, was that civil society is not covered enough and they are this canary in the mine.
I think now we see more people working on that. So it’s balancing that. But it’s hard and when I read a technical report, I feel we miss part of the story. Who is targeted and why?
I saw another good report today about Ocean Lotus targeting NGOs and it’s great. But why are they targeting NGOs. What’s happening? The political context is really missing in a lot of these reports.
Celso Bessa: Do you think there is something to improve from the journalism side, or maybe giving technical skills to civil society organisations, skills on how to communicate and investigate a little bit more and report the context? Do you see any way, any strategy there? How should we be talking about it? What could we be doing to fill this gap that you mentioned?
Etienne: I feel one of the things that happened with Pegasus is that it got a lot of coverage, which was needed. But at some point it’s become too much coverage and into “everything is spyware”. That’s really something that has changed from when no one paid attention to that. But now I regularly see things that are technically not spyware being just named spyware and I don’t know, I feel when you get something in media you will lose complexity and few people and journalists actually get the full context and have time to get the full context. In a lot of places I’ve seen better and better technical journalism, but not everywhere. And a lot of it is very simplified.
I think the only thing we can really do is keep talking about this problem and bringing nuances to this work. For instance, in a lot of places, there are a lot of problems with forensic capabilities by the police that are abused. Like activists being arrested and the phone being cloned for data and so on. This is not a spyware issue but it is a privacy and infosec issue.
And I feel we need to continue bringing nuances about that, about other spyware or other problems, and new things that are going to appear. I don’t know if there is a perfect way to do that, but I agree that we need to be sure to have an initial set of knowledge about that, that we have people who can cover that in a way that puts human rights and activists at the centre of the story. It won’t solve everything, but I think we need to make sure we don’t fall into simplification of the problems, because it’s not going to help anyone.
I feel one problem is, for a lot of journalists and activists, it’s unlikely they will be targeted by something as advanced as Pegasus, but it’s very likely to be targeted by something as simple as phishing, and phishing works. A lot of journalists still fall for phishing in email, are compromised and everything. And we need to make sure people don’t only pay attention to attacks like Pegasus and actually have a holistic vision of digital security.
And the other critical thing, I think, is, for instance, I’ve had a lot of people come to me and say “Hey, can you check my phone for Pegasus?” And generally what you need is to talk about digital security. You shouldn’t care [only] about Pegasus if you don’t know what phishing is or you don’t have 2FA authentication. You need to have the solid layers first and consider everything. So in one way people care about digital security in ways they didn’t before, but if you only answer about Pegasus and not about the broader threats they face, that’s likely not going to help really.
Celso Bessa: This speaks to a consideration about resources. I mean, using spyware as powerful as Pegasus is costly. There is a lot in there to make it work the way it works, and considering that this is a commercial product, there are a lot of costs involved in selling it to governments or whoever is buying it, so it’s expensive. And connecting to what you said about the Chinese malware, they did the easy and low-cost things, because it’s efficient most of the time. So if you cover the basics, we are better protected and we are creating friction, and a small amount of friction for adversaries is better than no friction at all, and you never know what you stumble on.
Etienne: Yeah.
Celso Bessa (Tecnologia Humanista): You mentioned good examples of reports. Could you share an example of an outlet, or a country that has better reporting which we could look for inspiration?
Etienne: I think there is more good reporting by civil society. I think it’s great that this topic is not only CitizenLab or Amnesty anymore. Now we see reports by many organizations in different languages and organisations outside of Global North. I think that’s really great. It really depends on which country but in France, the tech reporting is much better than it used to be. Internationally you really have some reporters now who are really on top of this topic.
I’m kind of frustrated that there is also a model of reports by the industry side, because everything they focus on is really the technical aspects. They get into publishing because they want customers. You get reports where they focus on all these websites that were hacked, but you don’t know which websites, and then you realise the context was actually way more interesting than the act itself sometimes. I think we often lack the human rights angle in a lot of these reports. It’s better than it used to be, but I think we need to make sure we have context on reports, context on who is targeted, what human rights defender and journalist voices are there.
Celso Bessa: You mentioned a lot of things are being reported as a spyware and are not actually. Do you have examples of that?
Etienne: The example of what gets lost in spyware is a lot of the time forensic tools like Cellebrite, and all these companies are a huge problem and it’s really not spyware; infection works in a different way. It works really differently. There are a lot of human rights issues with that. I think that’s the main one that gets conflated. But there were some really good reports about advertisement intelligence being used for spyware targeting. And I feel there are not a lot of reports on that, but there are some major privacy issues with it.
[Guest A of the session made questions on use and procurement of Pegasus and similar software in Mexico. To preserve the guest’s privacy and safety, we are not publishing the question to avoid details about them, only an edited version of Etienne’s comments]
Etienne: It’s hard to know if it’s still used. I think Mexico was one of the earliest customers of the NSO Group. It was also acquired by multiple state agencies within Mexico and as a result was resold to multiple state agencies, and it was being really largely abused. I mean, I don’t exactly know how many proven cases we have now in Mexico, but I think that’s more than 50 now. A couple of years ago, a lot of people thought that with the new government the contracts were stopped, but actually people discovered activists targeted in Mexico under the new government. The President actually said that they stopped the contract with NSO Group. It’s hard because it’s not like the State is a centralised entity, right? You have multiple agencies working on multiple things, whether it’s fighting against the Mafia, drug trade, etc.
NSO is based in Israel, and they need to have an export licence from the Israeli authorities. It seems that after the revelation of abuse of Pegasus, they have limited the export licence to some countries. So we don’t know how much the Israeli authorities accept export to Mexico. It’s possible that they wouldn’t. So there is basically no transparency. No transparency on the export from the Israeli authorities and definitely no transparency from the Mexican authorities.
How can we trust authorities who say they don’t have such tools when we have seen abuse even after they said they stopped the contract with NSO Group? I think the situation in Mexico is better now, but I need to double check and look at the reports.
Celso Bessa: I would like to stress the point about the government not being a single entity, that there are different agencies and bodies within the country and its states. At least from the reports that I saw, it means it isn’t something exclusive to any state branch, because you see a lot of misuse of this technology by the executive and judicial branches alike. And also the point of transparency, which is something that is missing from reports, and not often regarded by the general audience. I started my work on public interest technology working on transparency and that’s something that is very hard to do: spread the idea of holding the government accountable. It has been changing, but it’s something where we still have a long way to go. So I think it’s interesting that you mentioned that.
But moving away from Pegasus again, let’s talk about skill building, as this is a skill-building series. What would be a usual day for you? Both as a malware analyst and a digital security researcher. And based on the outline of the series that I shared with you, what do you think is missing, or something that someone working in triaging malware should focus on?
Etienne: [when I was on malware triaging/analysis], it was challenging. I mean, it’s a bit closer to what Access Now is doing now, making sure people work for civil society and so on. A lot of triaging is about what was targeted.
It still is part of my work. Some staff from NGOs come every day with new stuff, and sometimes it’s weird. A lot of them actually are not that targeted, it is [general] scam. For instance, right now, there are people telling us they have people emailing them, telling them they are hacked and that kind of stuff stresses people out, but once we know the threat it’s mostly a scammer trying to scare people.
Specifically about triage, I think that’s really a great question because I feel that is what we’re missing. I feel the first step of becoming a threat analyst, is really being able to triage that and then building skills in a few specific types of surveillance. Whether it’s spyware or something else.
There are a few things that are really important. I mean, the first one is understanding the attack, and every attack is kind of different. You have to be curious and have some good bases in how systems work and just try to understand what the attacker wants to achieve, right? When you get a [malicious] PDF, there is the idea of an attack, but if you don’t see the end goal, if you don’t see what they want to achieve… If you are seeing a malicious website, what is the end goal, right? If you don’t get that, you’re kind of missing the real questions: what is it meant to do? We used to have exploits in PDF, for JavaScript in PDF and stuff like that, a lot of PDF, but now we see a lot of QR codes which hope that people will scan them to bypass a lot of protections.
So the first question is “Okay, what is it trying to achieve?” Once you know it’s malicious and you have an understanding of that, I think often the second question is: “Is it targeted?” And it’s kind of hard to understand and really answer that sometimes, but often it’s not too hard. For instance, the big difference is targeted attacks target very few people while cybercrime is targeting a lot of people.
So if you get a phishing domain, you can look at threat databases, you check URLscan, VirusTotal or others. And if these domains appear in any phishing reports, most likely it is cybercrime. Because by definition targeted attacks really attack very few people. Twenty, fifty max. Which means that very likely they are really not mentioned in any existing threat database.
Sometimes you find it has been reported over the last month as a cybercrime organisation, or maybe you find actually something that has been reported a couple of months ago as an APT. That kind of thing really helps and when you have that, you have to look at the context. Sometimes the email is very custom, like if the email is pretending to be someone working with you and really custom to the context and to the person targeted, then it’s very likely targeted. Otherwise it’s possibly cybercrime. And once you have that, it really helps you because cybercrime targets everyone. So if you’re a journalist targeted by cybercrime, it’s normal, right? Everyone’s a target. But if someone is targeted by something else, like something that appears to be state-sponsored, then you have to be more careful because in a lot of cases that means that you are on someone’s list, someone’s trying to get into your account. Some journalists know that it happens to them regularly and they are really careful with that. But for some people, it can be a sign that they are at increased risk and that increased risk can come in a lot of ways. Targeted attacks, and attacks in general, do not happen outside of the physical world. So for journalists, it may be a sign that there is a threat and maybe they should be careful with their physical security measures.
Very rarely do you need to do deep malware analysis, I think even for advanced attacks. Often it’s very time consuming. What you need to know is a few things. Is it malicious, is it targeted? Find some information about what it’s doing. For instance, find a domain it communicates with or where it’s installed on the hard drives, so you can check if computers are compromised by it. But you don’t really need to understand all the bits and pieces of the malware. And that’s great because it’s very time consuming, and sometimes you will be able to just get enough of the information you need by a quick analysis. The more I go, the more I’m going into that idea of doing a quick analysis. I spend, I don’t know, two or three hours looking into something and I have enough information and I can decide if I want to spend a week analysing it or find someone who can do that, right? In civil society we now have some people, like Amnesty, who have time to do that and actually focus their work on it. So that is great.
Celso Bessa: Are there trends that you are seeing, changes in the way that both APTs and cybercrime work, their techniques? What are trends in malware and cybersecurity that you think we should pay attention to?
Etienne: It’s a good question. A very broad and good question. We’re looking at spyware now and it seems that it’s not growing too much. It’s mostly managed but they were more common within a couple of years ago. I feel like one trend that is scaring me is that there is a broader and broader surveillance industry.
We discovered there are so many new ways to monitor people that are acquired by governments. OSINT for instance, OSINT was used very early on for human rights, right? Satellite imagery and everything. And now you have hundreds of companies who developed those tools and sell them to the governments, to the police to actually track people. You also have a lot of advertisements as surveillance. There’s a good book that was published a couple of months ago, about how data acquired by commercial companies were gathered as part of surveillance, like find contacts and so on. And now, this data has been sold to the government. And you have these companies who gather data about hundreds of data brokers and sell that to the government.
You have the same thing with what I was talking about, advertisement intelligence, which means using advertisement data to monitor people. This is a scary technique. We have an understanding of a few of these markets now, some good knowledge about this spyware ecosystem, but what about the ads ecosystem? We don’t know what’s happening there. Same with everything about these companies who are monitoring Internet traffic. You have companies now who just record a large part of Internet traffic and the possibility of abuse is wild.
What distresses me is making the link between abuse and the usage of these technologies. Because often it’s very hard. A journalist is being arrested but we don’t understand why. What is scaring me for the future is we have multiple new topics that need to be tackled that are going to require a lot of work from civil society to try to keep track of.
[Guest B asks: Do you have any further thoughts on data brokers? I mean these are private companies. And sometimes I get that they have more Information about people in general than the government itself and there is no [national, strong] privacy regulation in the US. So yeah, do you have any thoughts?]
Etienne: I think data brokers in the US are such a wild issue that it is nowhere near what you see in Europe, for instance. You have way fewer issues with these brokers in Europe. But in the US, where companies collect data for renting and for the old credit ecosystem, it is such a hard-to-understand ecosystem. Multiple companies are getting data from different places and using it for very different uses and it’s very hard to understand exactly how much data they have. There are some real issues with how it’s used.
I’ve started to read a great book – can’t find the name now, but I will look at it and share it after – about that for instance, when 9/11 happened, the US government realised that a lot of data about people who did the attacks were available in commercial companies collecting that to sell to other companies. And there was a switch there: these companies are definitely private, but now the state is one of the customers.
There was this massive scandal in the US with X-Mode and this company selling geolocation data to the state, and one thing that the FBI revealed was that they were actually buying this data because they don’t have to get a warrant in their investigation. So the fact these are private companies is also avoiding all the protection you have from the states. They don’t need to get a warrant, which they would need to ask Google or telcos and so on for this data. And it’s a massive issue because then you get into a completely unprotected ecosystem of completely unregulated companies.
And if you have followed this case on the Muslim Pro app – honestly it’s the most scary example –, an app for Muslim people to find the right direction to Mecca for their prayers. It needs the GPS for that. So, it finds your location, and tells you where Mecca is. It had, I think, 100 million users at that time. And the company collected this data, which people didn’t know, while actually the app was collecting location and selling it to the US Army. And in the current context, how widely can this be abused, if the US Army has knowledge of the geolocation of 100 million Muslims in the world, right?
And so it’s very hard to make a link between the abuse and the surveillance. People can be arrested or killed because of some things they did and they were monitored by the smartphone and didn’t know. We’re talking about 100 million people having apps like this. A weather app requires your location most of the time so it can tell where you are. The weather app I tried was sharing my geolocation with 271 companies.
That’s wild that we have this advertisement ecosystem, and who knows which companies they are reselling data to. Ultimately it will have to go through regulation, better regulation. Europe has GDPR and improved some laws, but it’s going to take a lot of time until things really change. And usually regulation is several years late on the issues. So, yeah, I don’t know if you’ve been fighting for that in the US for a long time, but it’s a hard fight.
Celso Bessa: You mentioned that you’re scared of the market for surveillance. And cybercrime is increasing. And right now we have the UN Cybercrime Convention with some provisions that, according to some media outlets and digital rights organisations, can make independent research on cybersecurity more difficult.
Etienne: I haven’t looked in depth into this convention. And I don’t have any good answer in the conventions yet, sorry about that.
Now if you look even in the industry, very different people work on cybercrime versus targeted threats, because cybercrime requires cooperation between states. And it requires collaboration between states and the industry. So it’s very common, for instance, to have collaboration between companies and the police, and between police in different countries. When you look at state-sponsored attacks, the question becomes way more political. For instance, we don’t fully know, but there is strong suspicion that the governments of Spain and France had at least some of their ministries targeted by Pegasus. And a lot of people think Moroccan authorities are behind it. And we’re in the case where states are the authors of the problems. Many journalists in France were targeted with Pegasus. They think that the Moroccan authorities are behind it. And there is a lot of evidence to prove it, but when they go to the police and actually go into justice with it, how do you sue a state?
Celso Bessa: Back to spyware, what should be the mentality of someone who is doing this kind of work and paying attention to the changes of techniques and tools?
Etienne: The techniques haven’t changed much, the big difference is we now have ways to get partially protected against Pegasus. If anyone is at risk of being targeted by Pegasus, using lockdown mode on the iPhone offers great protection to that kind of attack.
One lesson is politically it has been very hard to get any meaningful political change. Surprisingly, the US was almost one of the few States who actually made some difference to limit spyware issues, probably with some political interest in that. But for instance, in Europe, we have had massive issues in a lot of countries with spyware abuse and there’s not any clear change on regulation or on the techniques.
We start to have some good knowledge of attacks against the iPhone. We have very little knowledge of attacks against Android, which is really the problem. But on iPhone, it seems that the zero-click attacks that we see in apps are getting harder and harder, and we see companies that only have one-click attacks, which means that if you don’t click on the link sent by email or anything, you don’t get compromised. So it’s going to be less efficient and we can still continue to tell people to be careful with what they click on and so on. But it’s really hard to see how this is going to evolve.
I’ve read multiple testimonies of people who are doing research saying it is becoming harder to compromise smartphones. So it seems that in that space it’s going to be more expensive to find exploits. But you have some states ready to pay 50 million to have that; they will probably have it and it’s going to continue to be a cat-and-mouse game.
That said, one thing that’s changed over the last couple of years is that big companies are now paying attention. You have Google tracking these people, you have Apple tracking these companies, which wasn’t an issue for them before, it wasn’t really on the radar. But now they have teams dedicated to that. There was another great report published yesterday by Google about NSO exploits that is pretty new. That is not something we would have seen in 2020/21. So I think that’s a really positive change. So it’s great, but you won’t be able to make really significant change without that political change. I’m not a big believer in technical change really solving that problem.
Celso Bessa: That’s a great point. Thank you. Do you have any closing thoughts?
Etienne: I am just thankful for the invitation, and I am really happy to see events and training like this happening in civil society, because I think it’s a huge need. And I really like the way you framed it, looking not only at hardcore reversing but looking at forensics, looking at different aspects. I think it’s a rich way to look at it and a really efficient way to get into spyware questions.
Celso Bessa: Thanks. Credit where credit is due: the outline of the series was adapted from my experience with the Infuse Fellowship, which this program and the interview are part of, conversations with my mentor while skilling up, and my own experiences. I really appreciate you making time for the conversation.
Etienne: Thank you.
You can find Tek at his website and on the fediverse at: https://mastodon.social/@tek@todon.eu