<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>🎖️🪖Military Tech🤖 Archives - Good Shepherd News - Fastest Growing Religious, Free Speech &amp; Political Content</title>
	<atom:link href="https://goodshepherdmedia.net/category/truthful-news/tech/military-technology/feed/" rel="self" type="application/rss+xml" />
	<link>https://goodshepherdmedia.net/category/truthful-news/tech/military-technology/</link>
	<description>Christian, Political, ‎‏‏‎Social &#38; Legal Free Speech News &#124; Ⓒ2024 Good News Media LLC &#124; Shepherd for the Herd! God 1st Programming</description>
	<lastBuildDate>Tue, 16 Sep 2025 05:51:38 +0000</lastBuildDate>
	<language>en-US</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.9.1</generator>

<image>
	<url>https://goodshepherdmedia.net/wp-content/uploads/2023/08/Good-Shepherd-News-Logo-150x150.png</url>
	<title>🎖️🪖Military Tech🤖 Archives - Good Shepherd News - Fastest Growing Religious, Free Speech &amp; Political Content</title>
	<link>https://goodshepherdmedia.net/category/truthful-news/tech/military-technology/</link>
	<width>32</width>
	<height>32</height>
</image> 
	<item>
		<title>PATRIOT Act Author The NSA Is Actively Violating The Law</title>
		<link>https://goodshepherdmedia.net/patriot-act-author-the-nsa-is-actively-violating-the-law/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Tue, 16 Sep 2025 05:51:38 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[14th Amendment]]></category>
		<category><![CDATA[1st Amendment]]></category>
		<category><![CDATA[4th Amendment]]></category>
		<category><![CDATA[Cool Tech & Gadgets 📱⌚🎧⚡]]></category>
		<category><![CDATA[Corruption Over the Years]]></category>
		<category><![CDATA[Digital Pioneers]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Legal News The Motivation]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Rights]]></category>
		<category><![CDATA[Science & Engineering]]></category>
		<category><![CDATA[Supreme Court - SCOTUS]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[💻Tech History]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[PATRIOT Act]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=21927</guid>

					<description><![CDATA[PATRIOT Act Author: The NSA Is Actively Violating The Law Jim Sensenbrenner (R-WI), the author of the original USA PATRIOT Act, disagrees. In an amicus brief filed in support of the American Civil Liberties Union&#8217;s lawsuit against the National Security Agency&#8217;s bulk collection of U.S. phone records, Sensenbrenner argues that the government has gone far beyond what the legislation authorizes. [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="headline heading-xl ">PATRIOT Act Author: The NSA Is Actively Violating The Law</h1>
<p>Jim Sensenbrenner (R-WI), the author of the original USA PATRIOT Act, disagrees.</p>
<p>In an amicus brief filed in support of the American Civil Liberties Union&#8217;s lawsuit against the National Security Agency&#8217;s bulk collection of U.S. phone records, Sensenbrenner argues that the government has gone far beyond what the legislation authorizes.</p>
<p class="p1">Section 215, known as the business records provision, authorizes intelligence agencies to apply for information if &#8220;the records are relevant to an ongoing foreign intelligence investigation.&#8221;</p>
<p class="p1">In practice, the NSA uses section 215 to collect data pertaining to every phone call to, from, and within the U.S. in the name of combating terrorism.</p>
<p class="p1">Sensenbrenner and the other members of Congress who enacted Section 215 &#8220;did not intend to authorize the program at issue in this lawsuit or any program of a comparable scope,&#8221; according to the brief.</p>
<p class="p1">The brief goes on to propose this question (emphasis ours):</p>
<p class="p1">&#8220;The NSA is gathering on a daily basis the details of every call that every American makes, as well as every call made by foreigners to or from the United States. <strong>How can every call that every American makes or receives be relevant to a specific investigation?</strong>&#8221;</p>
<p class="p1">Filed by the Electronic Frontier Foundation, the brief notes that Sensenbrenner &#8220;was not aware of the full scope of the program when he voted to reauthorize Section 215&#8221; and would have voted against it if he had known.</p>
<p class="p1">In Sensenbrenner&#8217;s words: &#8220;The suggestion that the administration can violate the law because Congress failed to object is outrageous. But let them be on notice: I am objecting right now.&#8221;  <a href="https://www.businessinsider.com/patriot-act-author-nsa-abused-its-power-2013-9">source</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Detecting IMSI Catchers: Tools, Apps and Methods You Should Know</title>
		<link>https://goodshepherdmedia.net/detecting-imsi-catchers-tools-apps-and-methods-you-should-know/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Mon, 25 Aug 2025 21:49:26 +0000</pubDate>
				<category><![CDATA[Cool Tech & Gadgets 📱⌚🎧⚡]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Home & Garden]]></category>
		<category><![CDATA[Home Defense / Safety]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Phone Hacks]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[Apps and Methods You Should Know]]></category>
		<category><![CDATA[Cell-site simulators]]></category>
		<category><![CDATA[Detecting IMSI Catchers: Tools]]></category>
		<category><![CDATA[IMSI Catcher]]></category>
		<category><![CDATA[imsi catchers]]></category>
		<category><![CDATA[IMSI catchers: a security threat]]></category>
		<category><![CDATA[Stingray phone tracker]]></category>
		<category><![CDATA[Understanding How IMSI-Catchers Exploit Cell Networks]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=21336</guid>

					<description><![CDATA[Detecting IMSI Catchers: Tools, Apps and Methods You Should Know An IMSI-catcher is a device that intercepts mobile phone communications, acting as a fake cell tower to eavesdrop on calls and track location data. It&#8217;s essentially a &#8220;man-in-the-middle&#8221; attack, placing the device between the target phone and the real cell network. While some security measures exist in [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="entry-title">Detecting IMSI Catchers: Tools, Apps and Methods You Should Know</h1>
<p><img fetchpriority="high" decoding="async" class="alignnone size-full wp-image-21340" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/Detecting-IMSI-Catchers-Tools-Apps-and-Methods-You-Should-Know.jpg" alt="" width="800" height="800" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/Detecting-IMSI-Catchers-Tools-Apps-and-Methods-You-Should-Know.jpg 800w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/Detecting-IMSI-Catchers-Tools-Apps-and-Methods-You-Should-Know-400x400.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/Detecting-IMSI-Catchers-Tools-Apps-and-Methods-You-Should-Know-150x150.jpg 150w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/Detecting-IMSI-Catchers-Tools-Apps-and-Methods-You-Should-Know-768x768.jpg 768w" sizes="(max-width: 800px) 100vw, 800px" /></p>
<p>An IMSI-catcher is a device that intercepts mobile phone communications, acting as a fake cell tower to eavesdrop on calls and track location data. It&#8217;s essentially a &#8220;man-in-the-middle&#8221; attack, placing the device between the target phone and the real cell network. While some security measures exist in newer standards (like 3G), sophisticated attacks can bypass these, especially on older networks. These devices, like the <strong>StingRay</strong>, are used by law enforcement and intelligence agencies, but their use raises privacy and civil liberty concerns.</p>
<h2>IMSI catchers: a security threat</h2>
<div id="aim-chrome-initial-inline-async-container" data-ved="2ahUKEwj5tOPnsMyOAxXsJEQIHf4cG7QQ_ZkOegYIAQgAEBQ" data-hveid="CAEIABAU">
<div data-processed="true">
<div class="CKgc1d" data-scope-id="turn" data-processed="true" data-complete="true">
<div class="Zkbeff" data-subtree="aimc" data-aimmrs="true" data-ved="2ahUKEwjc6uXnsMyOAxUehu4BHdiqIgUQ2O0OegQIABAA" data-hveid="CAAQAA" data-processed="true" data-complete="true">
<div class="pWvJNd" data-processed="true" data-complete="true">
<div class="mZJni" data-container-id="main-col" data-ved="2ahUKEwjc6uXnsMyOAxUehu4BHdiqIgUQ3KYQegQIABAD" data-processed="true" data-complete="true">
<div class="Y3BBE" data-hveid="CAAQEg" data-complete="true" data-processed="true">An IMSI catcher, sometimes called a Stingray, is a device that impersonates a legitimate cell tower. It works by mimicking cell tower signals and attracting nearby mobile devices, tricking them into connecting to the device instead of a genuine cell tower. Once a device connects, the IMSI catcher can capture the device&#8217;s unique identifier, the International Mobile Subscriber Identity (IMSI).</div>
<div class="Y3BBE" data-hveid="CAAQFA" data-processed="true" data-complete="true">This allows the IMSI catcher to:</div>
<ul class="U6u95" data-complete="true" data-processed="true">
<li data-hveid="CAAQFg" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Track the device&#8217;s location</b> by analyzing the signal strength of the phone.</span></li>
<li data-hveid="CAAQFw" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Identify and monitor activity</b>, and potentially even intercept communications, including SMS and calls, depending on the network protocol.</span></li>
</ul>
<div class="Y3BBE" data-hveid="CAAQGg" data-processed="true" data-complete="true">IMSI catchers can be used by law enforcement, and potentially by unauthorized actors including criminals or foreign intelligence services. The use of these devices raises significant privacy concerns due to the indiscriminate collection of data, which may include bystanders as well as targeted individuals.</div>
<div class="otQkpb" role="heading" aria-level="3" data-processed="true" data-complete="true">Potential threats</div>
<ul class="U6u95" data-complete="true" data-processed="true">
<li data-hveid="CAAQHQ" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Location Tracking:</b> IMSI catchers can track a phone&#8217;s location and movements.</span></li>
<li data-hveid="CAAQHg" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Communication Interception:</b> Older generation networks (like 2G) are more vulnerable, allowing interception of calls and texts. While 3G, 4G, and 5G networks are more secure, some IMSI catchers can potentially force a device to downgrade to an older, less secure network.</span></li>
<li data-hveid="CAAQHw" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Denial of Service:</b> IMSI catchers can also disrupt mobile network connectivity.</span></li>
</ul>
<div class="otQkpb" role="heading" aria-level="3" data-processed="true" data-complete="true">Detection</div>
<div class="Y3BBE" data-hveid="CAAQIg" data-complete="true" data-processed="true">Detecting IMSI catchers with a smartphone alone can be difficult. Hardware-based detection systems provide a more reliable means of identification.</div>
<div class="otQkpb" role="heading" aria-level="3" data-processed="true" data-complete="true">Protecting yourself</div>
<ul class="U6u95" data-processed="true" data-complete="true">
<li data-hveid="CAAQJQ" data-complete="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Keep software updated:</b> Ensure your phone&#8217;s operating system and applications are up to date.</span></li>
<li data-hveid="CAAQJg" data-sae="" data-complete="true"><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Use encrypted communication tools:</b> Utilize apps like Signal or WhatsApp that offer end-to-end encryption.</span></li>
<li data-hveid="CAAQJw" data-complete="true" data-processed="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Consider using a VPN:</b> A VPN can encrypt your internet traffic.</span></li>
<li data-hveid="CAAQKA" data-complete="true" data-processed="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Enable Airplane mode:</b> When not actively using your phone, switching to airplane mode can help prevent connections to cell towers, including IMSI catchers.</span></li>
<li data-hveid="CAAQKQ" data-complete="true" data-processed="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Be aware of your surroundings:</b> Pay attention to suspicious devices resembling cell towers, especially in sensitive areas or during events like protests or rallies.</span></li>
<li data-hveid="CAAQKg" data-complete="true" data-processed="true" data-sae=""><span class="T286Pc" data-complete="true"><b class="Yjhzub" data-complete="true">Consider a Faraday cage:</b> A Faraday cage can block radio waves and protect your phone from interception.</span></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<p><iframe title="What is an IMSI Catcher?" width="640" height="360" src="https://www.youtube.com/embed/wqhtMiKaLk0?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p>IMSI catchers, sometimes referred to as cell-site simulators or fake cell towers, can be difficult to detect because they imitate real cell towers to capture mobile phone data. With proper cybersecurity testing measures, you can stay alert to these unwanted interceptions. The following common tools and methods can help identify IMSI catchers:</p>
<h2><strong>Top Techniques and Resources to Detect IMSI Catchers</strong></h2>
<h3><strong>1. Use Mobile Apps and Tools</strong></h3>
<p>Some apps and technologies are designed to monitor and detect irregularities in cell networks.</p>
<p><strong>SnoopSnitch (Android):</strong> This app analyses your phone’s network traffic and alerts you to strange cell tower behaviour. It requires access to low-level network data, which is mostly limited to particular Android phones equipped with Qualcomm chipsets.</p>
<p><strong>Cell Spy Catcher (Android):</strong> Once you start its learning process, this app collects data on local networks to identify which of them is a trap. It then alerts you with a red interface screen.</p>
<p><strong>AIMSICD (Android):</strong> Detects IMSI catchers and reports on odd network activity, such as quick cell tower changes or downgrades to earlier network technologies (such as 2G). Phones usually switch to older network technologies because of IMSI catchers.</p>
<p><strong>Croatian Telecom’s AntiSpy (Android/iOS):</strong> An app that uses radio signal analysis to determine when your phone connects to a rogue cell tower.</p>
<p>Apple’s limitations on low-level network data access have led to a decrease in the number of apps accessible for iOS; however, network abnormalities can occasionally be found by keeping an eye on variations in signals.</p>
<h3><strong>2. Look for Unusual Network Activity</strong></h3>
<p>IMSI catchers can force phones to connect to low-security older networks (2G or 3G) to facilitate communication interceptions. Look out for:</p>
<p><strong>Downgraded connection:</strong> Your phone may unexpectedly switch from 4G/5G to 2G/3G or lose high-speed internet connection. Specifically, if it happens in an area that has outstanding coverage, it could be due to an IMSI catcher.</p>
<p><strong>Frequent disconnections:</strong> When an IMSI catcher is nearby, your phone might keep on disconnecting and reconnecting with the network.</p>
<p><strong>Suspicious network names:</strong> IMSI catchers can also broadcast non-standard or dubious network IDs. For example, a tower with an unusual name or ID might be a fake one.</p>
<h3><strong>3. Observe Battery and Signal Behaviour</strong></h3>
<p>IMSI catchers compel gadgets to transmit at faster speeds and consume more power.</p>
<p><strong>Rapid battery drain:</strong> If the battery on your phone runs out more quickly than usual, it can be because it’s transferring an unusual amount of data to a fake tower.</p>
<p><strong>Unusual signal intensity:</strong> An IMSI catcher may be indicated by abrupt, inexplicable changes in signal strength or highly fluctuating signal bars. Strong signals can be sent by these devices to overpower authorised cell towers.</p>
<h3><strong>4. Monitoring Tools for Experts</strong></h3>
<p>Advanced phone users with proper cybersecurity knowledge can utilise monitoring software or equipment to analyse cellular networks themselves.</p>
<p><strong>Software-defined radios (SDRs):</strong> SDR devices enable users to identify and analyse mobile phone signals. By identifying aberrant radio frequencies and patterns, an SDR can aid in the detection of IMSI catchers if used with the appropriate software.</p>
<p><strong>Cellular anomaly detectors:</strong> These are sophisticated technologies used by security experts and researchers to monitor local signals. They help detect abnormal cell tower behaviour, which is essential given the <strong>current rise of data breaches</strong>, unexpected cyber attacks, or traffic demand in Australia.</p>
<h3><strong>5. Network Data Monitoring</strong></h3>
<p>Certified cyber security consultants in Australia suggest that users monitor network data. This includes the phone’s network logs, such as signal strength, base station ID, and encryption status, that certain apps or customised firmware can access. Keeping an eye on this data can help determine when the phone connects to a dubious tower that may have less secure encryption or an unidentified ID.</p>
<h3><strong>6. Physical Indicators</strong></h3>
<p>IMSI catchers are usually non-stationary and can be mounted on vehicles or drones. So if you observe any strange and unknown vehicles or equipment in your local area and your phone network falters near them, it could be a clue.</p>
<h3><strong>7. Use Encrypted Communication</strong></h3>
<p>If you are wary of an IMSI catcher but are not tech savvy or cannot locate it, resort to the simple method of using end-to-end encrypted apps. Switch to apps like WhatsApp, Signal, or Telegram for calls and texts in the meantime. These platforms prevent intercepted communications from being decoded, even if you do not know how to use tools for detecting IMSI catchers.</p>
<p><strong>Limitations</strong></p>
<p><strong>False positives:</strong> Certain apps, software, or devices may identify normal network issues as suspicious.</p>
<p><strong>Limited detection on iPhones:</strong> iOS restricts access to low-level radio data, making it more difficult to operate apps that monitor cellular networks. <a href="https://www.cyberneticgi.com/2024/10/15/detecting-imsi-catchers-tools-apps-and-methods/" target="_blank" rel="noopener">source</a></p>
<hr />
<h1 class="entry-title wp-block-post-title">With $20 of Gear from Amazon, Nearly Anyone Can Make This IMSI-Catcher in 30 Minutes</h1>
<p>With some dirt cheap tech I bought from Amazon and 30 minutes of set-up time, I was streaming sensitive information from phones all around me. IMSIs, the unique identifier given to each SIM card, can be used to <a href="https://motherboard.vice.com/en_us/article/zmkj38/emf-camp-imsi-catcher-" target="_blank" rel="noopener">confirm whether someone is in a particular area</a>. They can also be used as part of another attack to take over a person’s phone number and redirect their text messages. Obtaining this information was incredibly easy, even for a non-expert.</p>
<p>This attack isn’t revolutionary in any way—IMSI-catchers <a href="https://motherboard.vice.com/en_us/article/nz798m/harris-imsi-catcher-picture-phone-tracking-device-in-the-wild" target="_blank" rel="noopener">are certainly not new</a>, and have become famous because they are commonly (and controversially) used by law enforcement to track suspected criminals. A commercial version made by Harris is called a “Stingray,” and they are sometimes called “cell-site simulators” or “fake cell towers.” This is because they spoof a cell phone tower’s connection, meaning that cell phones in the area will try to connect to it; in doing so, the IMSI-catcher is able to passively collect information about phones in the area.</p>
<p>Harris’s Stingray was so secretive that, for years, the <a href="https://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/" target="_blank" rel="noopener">FBI dropped criminal court cases</a> that used Stingrays rather than reveal the details of how the evidence was gathered.</p>
<p>But a DIY IMSI catcher is relatively trivial to set up, and the technology is accessible to anyone with a cheap laptop, $20 of gear, and the ability to essentially copy and paste some commands into a computer terminal. This is about ease of access; a lower barrier of technical entry. In a similar way to so-called spouseware—<a href="https://motherboard.vice.com/en_us/article/53vm7n/inside-stalkerware-surveillance-market-flexispy-retina-x" target="_blank" rel="noopener">malware used by abusive partners</a>—surveillance takes on a different character when it trickles down to more ordinary, everyday users. The significance and threat from IMSI-catchers is multiplied when a lot more people can deploy one.</p>
<p class="article__blockquote"><i><b>Got a tip? You can contact Joseph Cox securely on Signal on +44 20 8133 5190, OTR chat on jfcox@<span class="skimlinks-unlinked">jabber.ccc.de</span>, or email <span class="skimlinks-unlinked">joseph.cox@vice.com</span>.</b></i></p>
<p>For legal and technical reasons, our IMSI-catcher did not intercept text messages or phone calls, like more powerful versions can. It only captured IMSIs from devices, as well as providing some additional information such as the country and telecom operator of the phone. Motherboard did not store any of the collected data. You should be aware of the laws in your local region before attempting to do this; Motherboard does not condone or suggest you do anything illegal (and, even if legal, you shouldn’t use an IMSI catcher to do anything creepy.)</p>
<p>We’ll explain what each of these are, but in short, the process was:</p>
<ul class="wp-block-list">
<li>Buy a cheap, software defined radio</li>
<li>Install Ubuntu</li>
<li>Download IMSI-catcher script with its dependencies</li>
<li>Find the right frequency to scan for</li>
<li>Start scanning on that frequency and picking up IMSIs</li>
</ul>
<p>As the name implies, a software defined radio, or SDR, is simply a radio that instead of having its features baked in at a hardware level, can be controlled by a computer program. We bought <a href="https://www.amazon.co.uk/NooElec-NESDR-Mini-Previously-Compatible/dp/B009U7WZCA" target="_blank" rel="noopener">the ‘NooElec NESDR Mini’ from Amazon for around $20</a> and received it a few days later.</p>
<p>To get the SDR to talk to phones, I needed to give it some instructions. Fortunately, I didn’t need to write my own, but just take some code from GitHub. I used a Python tool <a href="https://github.com/Oros42/IMSI-catcher" target="_blank" rel="noopener">simply called ‘IMSI-catcher’</a>, written by the hacker known as Oros42. The program requires an up-to-date version of Ubuntu, a particular Linux distribution, that can be downloaded for free and written either to a USB stick or installed inside a virtual machine.</p>
<p>To install the IMSI-catcher software, I just followed the instructions on <a href="https://github.com/Oros42/IMSI-catcher" target="_blank" rel="noopener">the project’s GitHub</a>.</p>
<p>Once installed, I booted up grgsm_livemon, one of the programs included with the project, which presented a slider and a graph, to find a frequency to scan. This required a bit of trial and error—moving the frequency slider until finding a sweet spot where the graph represented a bell curve. The curve meant that the SDR had found what frequency nearby phones were broadcasting on. Depending on where you are, that frequency is going to be different.</p>
<p>Once I found the sweet spot, after a few seconds IMSIs started appearing on my screen.</p>
<figure class="wp-block-image"><img decoding="async" class="attachment-full size-full" src="https://www.vice.com/wp-content/uploads/sites/2/2018/11/1542319074607-IMG_4742.png" alt="imsi-catcher" width="1107" height="584" /><figcaption class="wp-element-caption">Caption: A redacted photo of IMSIs captured by the SDR and related script. Image: Motherboard</figcaption></figure>
<p>If I wanted to make the IMSI-catcher a bit more portable, I could theoretically run it on a Raspberry-Pi, a miniature computer you can buy for as little as $30 or cheaper, depending on what model you need. Note that the IMSI-catcher would still need to have Ubuntu on the Pi, which it is not traditionally designed for, <a href="https://linuxconfig.org/install-ubuntu-16-04-mate-or-ubuntu-18-04-on-raspberry-pi" target="_blank" rel="noopener">but it is likely possible</a>. I would also need to make sure the SDR is receiving enough power from the USB port.</p>
<p>In all, the process of making an IMSI-catcher didn’t take much time at all, as I thankfully didn’t hit any roadblocks. I just made sure I had the latest version of Ubuntu, followed the instructions carefully, and ended up with an IMSI-catcher on my laptop. <a href="https://www.vice.com/en/article/how-i-made-imsi-catcher-cheap-amazon-github/" target="_blank" rel="noopener">source</a></p>
<p><iframe title="This $50 Device lets anyone spy and track your phone!" width="640" height="360" src="https://www.youtube.com/embed/PpkLts5fdII?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<blockquote>
<h3><span style="color: #008080;"><a class="url fn" href="https://github.com/Oros42" rel="author">Oros42</a></span><span class="mx-1 flex-self-stretch color-fg-muted">/</span><strong class="mr-2 flex-self-stretch"><a href="https://github.com/Oros42/IMSI-catcher">IMSI-catcher DOWNLOAD HERE</a></strong> IMSI CATCHER SOFTWARE AND BUILD YOUR OWN!<span style="color: #ff0000;"> OF COURSE, TO SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY </span></h3>
<h3><span class="author flex-self-stretch"><a class="url fn" href="https://github.com/CellularPrivacy" rel="author">CellularPrivacy</a></span><span class="mx-1 flex-self-stretch color-fg-muted">/</span><strong class="mr-2 flex-self-stretch"><a href="https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector">Android-IMSI-Catcher-Detector DOWNLOAD HERE </a></strong><span style="color: #008080;">IMSI CATCHER SOFTWARE AND BUILD YOUR OWN!</span><span style="color: #ff0000;"> OF COURSE, TO SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY </span></h3>
</blockquote>
<hr />
<h1>Gotta Catch &#8216;Em All: Understanding How IMSI-Catchers Exploit Cell Networks</h1>
<div class="panel-pane pane-node-content">
<article class="node node--whitepaper node--full node--whitepaper--full" role="article">
<div class="node__content">
<div class="field field--name-body field--type-text-with-summary field--label-hidden">
<div class="field__items">
<div class="field__item even">
<h2>Section 1: Introduction</h2>
<p>You’ve probably heard of Stingrays or IMSI-catchers, which belong to the broader category of “Cell Site Simulators” (CSSs). These devices let their operators “snoop” on the phone usage of people nearby. There’s a lot of confusion about what CSSs are actually capable of, and different groups—from activists to policy makers to technologists—understand them differently.</p>
<p>In the research community, there has been a tendency to dismiss the prevalence of CSS and the threat they pose to the public. Congress <a href="https://fcw.com/articles/2019/02/21/cell-site-simulators-congress.aspx">recently asked</a> the Department of Homeland Security for more information about their use by federal law enforcement, as well as state and local partners. It&#8217;s unclear how much oversight the Department has been exercising, and when it comes to state and local law enforcement, only a few cities have any protections at all. Many activists aren’t aware that CSSs could be in use around them without their knowledge, particularly during protests. The truth is that CSSs are significantly more widespread than most policy makers, researchers, and activists are aware, and their danger to privacy is more significant than most realize. Of course, it’s hard to acknowledge the prevalence of CSSs when law enforcement goes to great lengths to keep information about them from the public.</p>
<p>There is a plethora of low-level academic research in the area of cell network security, and many high-level posts that don’t really explain in any meaningful detail what’s going on with “IMSI-catcher” type cell network attacks. Our goal is to bridge that gap, and with this post we hope <strong>to make accessible the technical inner workings of CSSs, or rather, the details of the kind of attacks they might rely on</strong>. For example, what are the different kinds of location tracking attacks and how do they actually work? Another example: it’s also widely believed that CSSs are capable of communication interception, but what are the known limits around cell network communication interception and how does that actually work?</p>
<p>We won’t be updating this post with new kinds of attacks as they come out, and we can’t cover every potentially relevant detail of every attack we explain, but this post should form a basis for non-experts to better understand new attacks.</p>
<h2><a id="BackgroundInfo"></a>Section 2: Necessary background info</h2>
<p>There’s a lot of confusion about what CSSs actually do and how they do it. This confusion comes from the fact that the term “cell site simulator” actually encapsulates quite a variety of different cell network attacks that have evolved significantly over the last 25 years or so. Adding to the confusion is the fact that the term “IMSI-catcher” is both used interchangeably with “cell site simulator” and also refers to specific capabilities that some CSSs have.</p>
<p>A very important distinction when talking about CSSs is which cell network generations they use when operating. The term “cell network generation” refers to the complete set of operating protocols covering everything from how cell towers are laid out geographically to how a mobile phone establishes a connection with a cell tower.</p>
<p>Here’s a high-level overview of the most relevant cell network generations:</p>
<ul>
<li>2G (e.g. GSM): the oldest type of cell network still in use and still very widely used. 2G only supports calling/texting, but in 2.5G the capability to support data transmission (e.g. email and Internet access) was introduced.</li>
<li>3G (e.g. UMTS or CDMA2000): improved upon 2G by having much faster data rates (which could support video calls, for example) and adding better security (more on this later).</li>
<li>4G (e.g. LTE or WiMax): significantly faster speeds and better security.</li>
</ul>
<p>The specifications for these networks are developed by working groups organized by the 3GPP,<sup id="fnref1"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn1" rel="footnote">1</a></sup> an international organization that any group can apply to join (though it has a high membership fee). Members typically include mobile carriers, university research labs, and wireless gear manufacturers (including surveillance tech manufacturers).</p>
<p>It’s important to note that in practice there’s often a lot of variance between what the specifications say and what actually ends up being implemented. This is usually due to (1) implementers needing to differ from the specifications for practical reasons (many parts of the specifications get marked as optional), and (2) mistakes.</p>
<p>There’s a bit more vocabulary and background that needs to be introduced:</p>
<ul>
<li>IMSI (International Mobile Subscriber Identity): the unique identifier linked to your SIM card that is one of the pieces of data used to authenticate you to the mobile network. It’s meant to be kept private (because, as we’ll see later, it can be linked to your physical location and your phone calls/messages/data).</li>
<li>TMSI: upon first connecting to a network, the network will ask for your IMSI to identify you, and then will assign you a TMSI (Temporary Mobile Subscriber Identifier) to use while on their network. The purpose of the pseudonymous TMSI is to try and make it difficult for anyone eavesdropping on the network to associate data sent over the network with your phone.</li>
<li>IMEI (International Mobile Equipment Identity): the unique identifier linked to your physical mobile device.</li>
<li>Ki: a secret cryptographic key also stored on the SIM card used to authenticate your phone to the network (and prove you are who you say you are).</li>
<li>MCC (Mobile Country Code): your mobile country code, but not to be confused with a country’s <a href="https://en.wikipedia.org/wiki/List_of_mobile_telephone_prefixes_by_country">mobile telephone prefix</a>. For example, Canada’s MCC is 302, but its telephone prefix is +001.</li>
<li>MNC (Mobile Network Code): the code that represents which carrier you’re using. For example, 410 is one of AT&amp;T’s MNCs.</li>
<li>Cell ID: each cell tower is responsible for serving a small geographic area called a cell, which has a cell ID attached to it.</li>
<li>LAC/TAC (“Location Area Code”): in GSM, groups of nearby cells are organized by ID into “Location Areas” (“LA” for short), with each LA’s identifier being referred to as a “Location Area Code”. In 4G these are respectively referred to as Tracking Area (TA) and Tracking Area Code (TAC).</li>
<li>BTS (“base station”): a more general term for devices like cell towers (and CSSs pretending to be cell towers).<sup id="fnref2"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn2" rel="footnote">2</a></sup></li>
</ul>
<p>It’s important to note that some of this terminology varies by network generation. For example, in LTE a base station is referred to as an eNodeB, and in 3G/UMTS the LAC and Cell ID are replaced by PSC (primary scrambling code) and CPI (Cell Parameter ID). For simplicity, we will be sticking to the above terminology.</p>
<h2><a id="OverviewAttacks"></a>Section 3: Overview of attacks</h2>
<p>To be clear, as far as we know no one (outside of government or surveillance tech vendors) has ever gotten their hands on a commercial CSS (e.g. a Harris Corp Stingray) and published publicly available details of its inner workings, so this information all comes from academic literature and the work of open source hackers attempting to reproduce how commercial CSSs might work.</p>
<p>There are three main categories of attacks that will be covered:</p>
<ol>
<li>Communication interception</li>
<li>Denial of service and service downgrading</li>
<li>Location tracking</li>
</ol>
<p>Practical implementation details are left out of the following explanations for the sake of brevity.</p>
<h3><a id="BasicIMSICatcher"></a>Section 3.1: Basic IMSI-catcher</h3>
<p>Classic “IMSI-catchers” simply record nearby IMSIs, and then don’t interact with their target phones in a significant way beyond that. They quite literally “catch” (i.e. record) IMSIs by pretending to be real base stations and then release the target phones (Paget, 2010). Let’s go over how they work in more detail.</p>
<p>In GSM networks, phones will try to connect to whatever base station is broadcasting at the highest signal strength.</p>
<p><img decoding="async" class="alignnone size-full wp-image-21365" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css.png" alt="" width="2400" height="1200" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css.png 2400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css-1536x768.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/basic_css-2048x1024.png 2048w" sizes="(max-width: 2400px) 100vw, 2400px" /></p>
<p>Once a phone has identified a base station as having the best signal strength, it can begin negotiating a connection to it. The base station first asks the phone to send its encryption capabilities to it. If the base station is a CSS rather than a cell tower, it can then either ignore the response or set it to have no encryption.<sup id="fnref3"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn3" rel="footnote">3</a></sup></p>
<p>After this, the base station sends an Identity Request, which the phone responds to with its IMSI. The phone does this because the IMSI is stored on your SIM card, which was issued by your mobile carrier, and the phone network needs to identify that you are in fact a paying customer associated with a mobile carrier. After receiving your IMSI, the CSS then releases your phone back to the real network and moves on to try and capture another phone’s IMSI. That’s all it takes to collect an IMSI from a nearby phone!</p>
<div class="caption caption-center">
<div class="caption-width-container">
<div class="caption-inner">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21364" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers.png" alt="" width="1999" height="1000" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers.png 1999w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image4imsicatchers-1536x768.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></p>
<p class="caption-text">The CSS sends an Identity Request to collect the target mobile phone’s IMSI. Afterwards, it proceeds to repeat this same action with other phones.</p>
</div>
</div>
</div>
<p>If law enforcement is operating such a CSS in a geographic area, once they’ve obtained the relevant IMSIs, they can then use legal process to get more data on all the users who were present.<sup id="fnref4"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn4" rel="footnote">4</a></sup></p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21363" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised.png" alt="" width="2400" height="1200" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised.png 2400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised-1536x768.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/a_css_in_a_geographic_area_-_revised-2048x1024.png 2048w" sizes="(max-width: 2400px) 100vw, 2400px" /></p>
<p>From here, many more sophisticated attacks can be launched, but that’s how the most basic kind of IMSI-catchers work: they simply collect IMSIs during the connection procedure, then abort the connection procedure and move on to their next target.</p>
<p>In later protocols (e.g. 4G/LTE), phones are a bit smarter about not connecting to any random base station with high signal strength, so an attacker needs more involved techniques to convince a phone to connect to their CSS. See section 3.3 for details.</p>
<h3><a id="Interception"></a>Section 3.2: Communication interception</h3>
<p>As far as we know, communication interception between a mobile phone and a legitimate cell tower is <strong>only possible in GSM</strong> (as opposed to later 3G or 4G protocols). There are two reasons for this:</p>
<ol>
<li>Communicating over GSM doesn’t always require encryption.</li>
<li>Even when encryption is enabled, several of the cryptographic algorithms used in GSM can be broken (and in real time).</li>
</ol>
<p>Imagine that the CSS is trying to launch an active attack where it intercepts a phone’s communications. The CSS must be able to situate itself between the phone and the tower to be able to do so, which is what’s usually referred to as a “machine in the middle” (MitM) attack.</p>
<p>There are two main steps to completing the MitM:</p>
<ol>
<li>Spoofing authentication: the CSS needs to convince the network that it’s actually the targeted mobile phone. (Section 3.2.1)</li>
<li>Dealing with encryption: the CSS needs to handle any encryption the network tries to set (i.e. disable it or try to break it). (Section 3.2.2)</li>
</ol>
<h4><a id="Spoofing"></a>Section 3.2.1: Spoofing authentication</h4>
<p>Picking up from Section 3.1 where the CSS has already obtained a phone’s IMSI via an Identity Request:</p>
<ol>
<li>The CSS reaches out to a legitimate cell tower with a Location Update Request. This type of request is used to update the cell network about a phone’s location (specifically, its LAC), which the phone needs to do periodically in order for the network to be able to route calls and messages to it quickly.</li>
<li>In response to the Location Update Request, the cell network asks the CSS to identify itself using an Identity Request. The CSS responds using the stolen IMSI.</li>
<li>At this point the tower responds with a cryptographic challenge that requires the secret key Ki (stored on the SIM card) to solve. Since the CSS doesn’t have access to Ki, it passes the challenge on to the phone to solve. The phone solves the challenge and passes the response to the CSS, which then passes it back to the network.</li>
<li>After this, the network accepts the connection between it and the CSS as being authenticated.</li>
</ol>
<p>Reminder: this is only applicable to 2G.</p>
<div class="caption caption-center">
<div class="caption-width-container">
<div class="caption-inner">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21362" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers.png" alt="" width="1999" height="730" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers.png 1999w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers-400x146.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers-1024x374.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers-768x280.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image2imsicatchers-1536x561.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></p>
<p class="caption-text">An illustration of steps 1-4 from above on how the CSS is able to complete the authentication MitM.</p>
</div>
</div>
</div>
<h4><a id="Encryption"></a>Section 3.2.2: Dealing with encryption</h4>
<p>There are several encryption algorithms used in GSM. At a high level, they have names like A5/1, A5/2, etc., with A5/0 being used to indicate that no encryption is being used.</p>
<p>If the network tries to specify that it wants to communicate using encryption, the CSS can just respond by saying it doesn’t have encryption capabilities and defaults to A5/0. The CSS has now completed the MitM attack and can read the plaintext messages being sent between the phone and the real network.</p>
<p>Alternatively, if the network decides to use the A5/1 algorithm to communicate, this type of encryption can be broken in real time. The details of this attack are beyond the scope of this post, but you can read about it in the Barkan et al 2006 paper. Additionally, the A5/2 algorithm is so weak that its use <a href="https://en.wikipedia.org/wiki/A5/2">has been banned since 2006</a>. While there are <a href="https://en.wikipedia.org/wiki/KASUMI#Cryptanalysis">known attacks against A5/3</a>, there are no known real-time attacks.</p>
<h4><a id="UserAlert"></a>Section 3.2.3: Why aren’t users alerted that encryption is off?</h4>
<p>At this point, many people ask: why doesn’t their phone tell them something’s up? According to the GSM specifications, cell phone users are supposed to be notified when encryption is disabled, and in some markets they used to be. However, this caused a lot of confusion because:</p>
<ol>
<li>People would travel with their phones to places where cell towers were configured very differently (e.g. in some countries cell network encryption is banned) and it would cause a “Warning: encryption disabled” pop-up to come up a lot.</li>
<li>Cell towers everywhere were misconfigured, also causing this pop-up to appear a lot.</li>
</ol>
<p>These issues led to many confused consumers and support calls to mobile carriers, resulting in the warning ultimately being disabled.</p>
<h4><a id="ServiceDowngrading"></a>Section 3.2.4: Service downgrading</h4>
<p>Even though, as far as we know, communication interception is only possible in GSM, it’s trivial to downgrade a target cell phone’s connection from 3G or 4G to GSM (see Section 3.5 for more information). This is because in general the base station gets to pick whatever configuration settings it wants, which includes the ability to request a protocol downgrade. Alternatively, someone could jam the 3G or 4G bands by pumping lots of white noise into them, making it too noisy to establish a connection, and phones will downgrade in search of a usable signal. LTE service downgrading is covered in detail at the end of Section 3.5.</p>
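<p>From the defender’s side, the behaviours described in Sections 3.1, 3.2.2 and 3.2.4 (an IMSI Identity Request followed by a release with no authentication, selection of A5/0, and a downgrade to GSM) can be scored per serving cell. The following is an added example, not code from the original paper or from either project linked above; the event format, message names, weights and threshold are all assumptions made for illustration, and the sample events are constructed.</p>

```python
"""Score per-cell signalling sessions for CSS-like behaviour (defensive heuristic).

The event tuples and message names below are constructed for this example;
they are not the log format of any real baseband or diagnostic tool.
"""
from dataclasses import dataclass, field
from itertools import groupby

RAT_RANK = {"GSM": 2, "UMTS": 3, "LTE": 4}

# Weights and threshold are assumptions chosen for illustration, not calibrated.
WEIGHTS = {
    "imsi_request_then_release_without_auth": 3,  # Section 3.1: catch and release
    "null_cipher_a5_0": 3,                        # Section 3.2.2: A5/0 selected
    "rat_downgrade_to_gsm": 1,                    # Section 3.2.4: also happens legitimately
}
ALERT_THRESHOLD = 3

# Constructed sample: (seconds, serving cell "MCC-MNC-LAC-CID", RAT, message, detail)
SAMPLE_EVENTS = [
    (0, "001-01-100-11", "LTE", "ATTACH", ""),
    (5, "001-01-100-11", "LTE", "AUTH_REQUEST", ""),
    (6, "001-01-100-11", "LTE", "SECURITY_MODE", "EEA2"),
    (60, "001-01-999-77", "GSM", "CELL_RESELECT", ""),
    (61, "001-01-999-77", "GSM", "IDENTITY_REQUEST", "IMSI"),
    (62, "001-01-999-77", "GSM", "CHANNEL_RELEASE", ""),
    (70, "001-01-100-11", "LTE", "CELL_RESELECT", ""),
    (90, "001-01-100-12", "GSM", "CELL_RESELECT", ""),
    (91, "001-01-100-12", "GSM", "IDENTITY_REQUEST", "IMSI"),
    (92, "001-01-100-12", "GSM", "AUTH_REQUEST", ""),
    (93, "001-01-100-12", "GSM", "CIPHER_MODE", "A5/3"),
    (120, "001-01-998-55", "GSM", "CELL_RESELECT", ""),
    (121, "001-01-998-55", "GSM", "IDENTITY_REQUEST", "IMSI"),
    (122, "001-01-998-55", "GSM", "AUTH_REQUEST", ""),
    (123, "001-01-998-55", "GSM", "CIPHER_MODE", "A5/0"),
]


@dataclass
class Finding:
    cell: str
    rat: str
    start: int
    score: int = 0
    reasons: list = field(default_factory=list)

    def add(self, reason):
        self.reasons.append(reason)
        self.score += WEIGHTS[reason]


def split_sessions(events):
    """Group consecutive events served by the same cell into one session."""
    ordered = sorted(events, key=lambda e: e[0])
    return [list(group) for _, group in groupby(ordered, key=lambda e: e[1])]


def score_session(session, previous_rat):
    """Apply the three heuristics to one session on one serving cell."""
    start, cell, rat = session[0][:3]
    messages = [(msg, detail) for _, _, _, msg, detail in session]
    names = {msg for msg, _ in messages}
    finding = Finding(cell, rat, start)

    # Weak signal: the phone just dropped from 3G/4G to GSM.
    if (rat == "GSM" and previous_rat is not None
            and RAT_RANK[previous_rat] > RAT_RANK["GSM"]):
        finding.add("rat_downgrade_to_gsm")

    # Strong signal: the cell asked for the IMSI, never authenticated, then released.
    asked_imsi = ("IDENTITY_REQUEST", "IMSI") in messages
    if asked_imsi and "CHANNEL_RELEASE" in names and "AUTH_REQUEST" not in names:
        finding.add("imsi_request_then_release_without_auth")

    # Strong signal: the cell selected "no encryption".
    if ("CIPHER_MODE", "A5/0") in messages:
        finding.add("null_cipher_a5_0")
    return finding


def analyse(events):
    """Return one Finding per session, in time order."""
    findings, previous_rat = [], None
    for session in split_sessions(events):
        finding = score_session(session, previous_rat)
        findings.append(finding)
        previous_rat = finding.rat
    return findings


def flagged(events):
    """Sessions whose combined score reaches the alert threshold."""
    return [f for f in analyse(events) if f.score >= ALERT_THRESHOLD]


if __name__ == "__main__":
    for f in analyse(SAMPLE_EVENTS):
        status = "ALERT" if f.score >= ALERT_THRESHOLD else "ok"
        print(f"t={f.start:>3}s {f.cell} {f.rat:<4} score={f.score} {status} {f.reasons}")
```

<p>A downgrade to GSM on its own stays below the threshold here, and, as Section 3.2.3 notes, misconfigured towers and networks where encryption is banned also produce A5/0, so an alert is a prompt for investigation rather than proof of a CSS.</p>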
<h3><a id="LTECSS"></a>Section 3.3: LTE CSS connection techniques</h3>
<p>It’s also important to understand how it’s possible for a CSS to get around the safeguards in LTE and other modern protocols that are meant to stop phones from connecting to any base station with a high enough power.</p>
<p>In GSM, phones are always scanning for a tower with a higher signal strength to connect to. In LTE, however, to save power the phone will not scan for other towers as long as the signal strength is above a certain threshold.</p>
<p>Additionally, in LTE phones keep track of a “nearest neighbors” list that is broadcast from the tower that they are connected to. If for any reason they lose the connection with the tower they’re connected to (or the ability to connect to it), they’ll try to connect to ones that were advertised in the nearest neighbors list first, before doing a full scan of the available LTE bands for other eligible cell towers.</p>
<p>So, how can an attacker force a phone using LTE into connecting to their CSS? One technique would be to masquerade as a tower in the nearest neighbors list (e.g. same frequency, same cell ID, etc.) and transmit at a higher power, so the phone will eventually switch over.</p>
<p>But there is a faster technique! It relies on the fact that LTE frequencies are assigned various priorities (this is referred to as “absolute priority based cell reselection”), and if a phone sees that there is a base station operating on a higher priority frequency than the one it’s on, it must switch to it, regardless of its signal strength. To discover the higher priority frequencies used in a given area, all that’s required is to extract them from the unencrypted configuration messages from base stations, which anyone can monitor (Shaik et al, 2017).</p>
<p>Using these techniques, attackers can probably force even an LTE phone to connect to their CSS, which reveals the phone’s IMSI and allows followup attacks.</p>
<h3><a id="TrackingAttacks"></a>Section 3.4: Location tracking attacks</h3>
<p>Often when the dangers of CSSs are being discussed, the focus is on their communication interception ability. However, in practice the consequences of real time location tracking <a href="https://www.eff.org/deeplinks/2017/05/no-hunting-undocumented-immigrants-stingrays">are often much more severe</a>. The potential for location tracking by your cell provider is unavoidable, so the specific threat model being used here is a 3rd party (such as a law enforcement agency) trying to get your location without cooperation from your cell provider.</p>
<p>There are generally two types of location tracking that CSSs are capable of:</p>
<ol>
<li><strong>Presence testing:</strong> check if a phone is present in or absent from a geographic area (where geographic area usually means a “Location Area” from before, i.e. a group of cells)</li>
<li><strong>Fine-grained location:</strong> figure out the exact or rough GPS coordinates of a phone either through trilateration or by getting the phone to tell the attacker its exact GPS coordinates</li>
</ol>
<h4><a id="PresenceTesting"></a>Section 3.4.1: Presence Testing in LTE</h4>
<p><strong><em>Passive Presence Testing</em></strong></p>
<p>The simplest way to do presence testing in LTE doesn’t actually require someone to have what we usually consider a CSS (e.g. a device that pretends to be a legitimate cell tower). Instead, all that’s required is simple radio equipment to scan the LTE frequencies, e.g. an antenna, an SDR (Software Defined Radio), and a laptop. Passive presence testing gets its name because the attacker doesn’t actually need to do anything other than scan for readily available signals (Shaik et al, 2017).</p>
<p>A fundamental aspect of wireless technology is the paging model. When the network has a message it wants to route to a phone, it sends an “RRC paging message” which is received by every phone listening to their carrier’s paging frequency in that area (which is basically every phone),<sup id="fnref5"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn5" rel="footnote">5</a></sup> asking for that particular phone to contact the base station to negotiate completing a connection to receive a call or message. Thus, phones are constantly listening for RRC paging messages and receiving and discarding ones not addressed to them.</p>
<p>RRC is short for Radio Resource Control, which is the protocol used to communicate between a cell phone and a base station. The RRC takes care of connection establishment and paging notifications that you’re getting a message or phone call, among other things.</p>
<p>The exact way paging works varies based on several factors, including the type of message the network is trying to route to you. For example, say the network is trying to route a phone call to you. Phone calls are considered high priority (since there’s someone on the other side waiting for you to connect), so the network notifies every cell tower in the last Location Area your phone was in to send out the RRC paging message addressed to your phone (as opposed to only the last cell tower the phone was using). More on this later!</p>
<p>RRC paging messages are usually addressed to a TMSI, but sometimes IMSI and IMEI are also used. By monitoring these unencrypted paging channels, anyone can record the IMSIs and TMSIs the network believes are in a given area. In the next section, we’ll see how an attacker can correlate a TMSI to a specific target phone, as right now collecting TMSIs simply means recording pseudonyms.</p>
<p>Additionally, phones periodically transmit unencrypted messages about their location and measurements of cell service quality that anyone with the right equipment can easily intercept. Sometimes these messages contain the phone’s exact GPS location, but usually the information about the signal strength of nearby cells is enough to calculate the phone’s location. We’ll look at these measurement reports in detail in the Exact GPS Coordinates section below.</p>
<p><strong><em>Semi-Passive Presence Testing</em></strong></p>
<p>Semi-passive means that the attacker only uses network functions in ways in which they are meant to be used. An example of what it means for an adversary to be “semi-passive”: the attacker can text the person they’re trying to track (assuming they know their phone number) in order to generate a paging message being sent to their phone, but they can’t go and send malicious or malformed data to phones or towers in the area (Shaik et al, 2017).</p>
<p>In this section, we are going to cover two location attacks: one which checks for a phone in a given Location Area (“Basic Location Area Test”), and one which checks for a phone connected to a specific cell tower (the “Smart Paging Test” method, which has a much smaller radius of use).</p>
<p><strong><em>Basic Location Area Test</em></strong></p>
<p>The first step of a basic Location Area test is to trigger about 10-20 notifications to the target’s phone via phone calls while also monitoring the RRC paging messages that are sent out. To not alert the user, the attacker can almost immediately hang up after initiating the call so that the paging message makes it to the phone, but the user doesn’t actually get an incoming call notification.</p>
<p>Because there’s someone waiting on the other line to connect to you, phone calls are considered higher priority, so the network notifies every cell tower in the last Location Area the phone was in to send out the RRC paging message (as opposed to only the last cell tower the phone was using). The attacker can then use set intersection analysis (explained in footnote <sup id="fnref6"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn6" rel="footnote">6</a></sup>) with their well-timed calls to figure out the target’s TMSI from the RRC messages.</p>
<div class="caption caption-center">
<div class="caption-width-container">
<div class="caption-inner">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21360" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers.png" alt="" width="1999" height="1000" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers.png 1999w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image7imsicatchers-1536x768.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></p>
<p class="caption-text">CSS triggering many RRC paging requests to determine if a phone is in a given LA.</p>
</div>
</div>
</div>
<p><strong><em>Smart Paging Test</em></strong></p>
<p>Usually the radius of a Location Area is quite large, so from here the attacker can use something referred to as “smart paging” (explained below) to figure out the exact cell tower the target is using (which translates to knowing the user’s location within a ~2 km radius) (Shaik et al, 2017).</p>
<p>Because general data messages (e.g. WhatsApp and FB Messenger messages) are not high priority, the network initially only broadcasts paging messages for them from the last tower the phone was known to be connected to (this is referred to as “smart paging”). Thus, once the attacker has confirmed the target’s location in a TA (“Tracking Area”), they can test various cells to find the target’s cell. (Note: we’re switching briefly from the “Location Area” terminology to “Tracking Area” here for the sake of a concept covered below.) Similar to before, they send timed WhatsApp or FB Messenger messages and use set intersection analysis to verify the TMSIs being sent in RRC messages in that cell.<sup id="fnref7"><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fn7" rel="footnote">7</a></sup></p>
<p>Note that in order for this to work, the attacker needs to either have equipment in every cell (which is expensive), or move about through cells repeating this procedure until they get a match.</p>
<h4><a id="ActiveLocationTracking"></a>Section 3.4.2: Active location tracking and exact GPS coordinates</h4>
<p>In this section, the attacker’s assumed goal is to find the target’s exact or rough GPS coordinates. We’ll be describing active attacks, meaning ones in which the attacker can use any means available to them to figure out their target’s information, including operating a CSS and sending malicious or false information to the phone or other cell towers.</p>
<p>In this scenario, suppose the attacker has a CSS and they’ve managed to lure their target into trying to connect using techniques described in Section 3.3. After completing the initial connection procedure steps, the phone enters into a CONNECTED state.</p>
<p>Now the attacker creates a “RRC Connection Reconfiguration” command, which contains the cell IDs of at least 3 neighbouring cell towers and their connection frequencies and sends this command to their target’s phone.</p>
<p>Usually, the “RRC Connection Reconfiguration” command is used to modify an existing connection to a base station, but the attacker is only interested in the target phone’s initial response to its message. This response contains the signal strengths of the previously specified cell towers, which can then be used to find the phone’s location via trilateration:</p>
<div class="caption caption-center">
<div class="caption-width-container">
<div class="caption-inner">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21359" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised.png" alt="" width="2400" height="1200" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised.png 2400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised-1536x768.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/trilateration-revised-2048x1024.png 2048w" sizes="(max-width: 2400px) 100vw, 2400px" /></p>
<p class="caption-text">In short, trilateration involves calculating the intersection of circles drawn around the previously specified cell towers, where the radius of each circle is a function of the reported signal strength. Note: trilateration is different than triangulation.</p>
</div>
</div>
</div>
<p>For newer phones and networks which support the “locationInfo-r10” feature, this report will also contain the phone’s exact GPS coordinates, meaning no trilateration calculations are required. The exact GPS coordinates are just a field in the response (Shaik et al, 2017).</p>
<p>In addition to the technique described above, there is another way to get similar trilateration and GPS data by using RLF (“Radio Link Failure”) reports, but we will not cover it in any detail as it’s similar to the techniques just covered.</p>
<h3><a id="DoSDowngrading"></a>Section 3.5: Denial of Service and Downgrading</h3>
<p>Cell network denial of service and protocol downgrade attacks are possible (and can have quite similar implementation details, as we’ll see below). Additionally, a downgrade attack forces a target phone down to a less secure protocol, where more severe privacy-invasive attacks can be launched.</p>
<h4><a id="ProtocolDowngrade"></a>Section 3.5.1: Protocol downgrade attacks</h4>
<p>Suppose that the attacker has set up their CSS and tricked the target into trying to connect (which was covered in Section 3.3). After the initial connection procedure, the phone will send a “Tracking Area Update Request” (“TAU” for short). This kind of message is used by the phone to keep the cell network updated about the phone’s most recent location, so that the network can route calls to it faster. TAU Requests are usually sent by phones whenever they’re connecting to a new base station.</p>
<p>The CSS responds with a “TAU Reject” message. Within the Reject message is something referred to as the “EMM cause number”, which indicates why the message was rejected. In this case, the attacker sets it to 7 (“LTE services not allowed”).</p>
<p>Upon receiving this EMM value, the phone deletes all information it had about the previous real network it was connected to, and then puts itself in a state where it considers its SIM card to be invalid for LTE. It then searches for 3G and GSM networks to connect to, and will not again try to negotiate an LTE connection until it is rebooted (Shaik et al, 2017).</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21358" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers.png" alt="" width="1999" height="1000" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers.png 1999w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers-400x200.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers-1024x512.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers-768x384.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/image6imsicatchers-1536x768.png 1536w" sizes="(max-width: 1999px) 100vw, 1999px" /></p>
<p>The key reason why protocol downgrade attacks are so bad is that they render LTE-capable phones vulnerable to attacks that normally only work on earlier protocols (e.g. the communication interception from Section 3.2).</p>
<h4><a id="DoS"></a>Section 3.5.2: Denial of Service (DoS)</h4>
<p>If the attacker is looking to launch a large scale DoS attack, the simplest thing is to jam the LTE frequencies by pumping them full of white noise. However, there are also techniques for DoS attacks that only target individual phones.</p>
<p>Launching a denial of service attack against an individual phone is exactly the same as the protocol downgrade attack described above, except the CSS responds with EMM cause number 8 (“LTE and non-LTE services not allowed”). The phone then puts itself in a state where it does not try to negotiate any network connections until it’s been rebooted.</p>
<p>Additionally, there has been some research done into denying select network services (e.g. only allowing SMS, and disallowing calls and data), but for the sake of space we will not be covering this. Please see Shaik et al, 2017 below for details.</p>
<h2><a id="Detection"></a>Section 4: Detection methods &amp; apps</h2>
<p>At this point you’re probably wondering:</p>
<ul>
<li>Are there ways to detect CSSs?</li>
<li>How to defend oneself from a CSS?</li>
<li>What led to these vulnerabilities in the cell networks and what do we do about them?</li>
</ul>
<p>These are three questions we’re going to explore in this section, and unfortunately they don’t have simple answers.</p>
<h3><a id="Methods"></a>Section 4.1: Detection methods</h3>
<p>To reiterate an important truth from before: a fundamental problem when researching detection methods is that <strong>we don’t know how commercial CSSs work</strong>. Instead we rely on how we think they might work based on research findings. It’s important to keep this in mind when going over some of the known detection methods below. The following list is not exhaustive, and instead is meant to be an introduction to this topic.</p>
<p><strong>Unusual base station parameters or fingerprints</strong></p>
<ul>
<li>There’s been some speculation that commercial CSSs mask themselves as cell towers that are normally in the area, but with some configuration parameters or characteristics being subtly off (e.g. broadcast power is suddenly much higher), enough so that the “fingerprint” of the tower is different. While configuration parameters and other characteristics differ across network operators, they’re usually uniform across a specific operator (Dabrowski et al, 2014).</li>
</ul>
<p><strong>Missing normal base station capabilities</strong></p>
<ul>
<li>It’s unlikely that a CSS manufacturer will have implemented the full set of capabilities of a normal base station. Missing capabilities, such as not broadcasting certain standard System Information Broadcast (SIB) messages, being unable to respond to certain standard requests, or there being very little to no paging traffic coming from the base station might be indicators of a CSS (Dabrowski et al, 2014).</li>
</ul>
<p><strong>Ephemerality</strong></p>
<ul>
<li>It’s generally believed that CSSs don’t stay in a single place for a significant period of time, and so a base station appearing for only a short period of time could be worth investigating. However, there are also many completely normal reasons why something would only appear for a short period of time. For example, it could simply be testing equipment, or if there’s a large event happening, it could be there to help facilitate the increased traffic load.</li>
</ul>
<p>The cell landscape is ever changing. Large scale and long term data collection is the best way to survey an area to be able to determine what’s normal versus what’s unusual. The <a href="https://seaglass.cs.washington.edu/">University of Washington’s Sea Glass project</a> is a great example of this.</p>
<p>You can read much more about this topic in Dabrowski et al’s IMSI-Catch Me If You Can: IMSI-Catcher-Catchers. To reiterate, while these could be indicators that something’s amiss, there are also many completely normal reasons (that have nothing to do with surveillance) as to why we’d be seeing unusual behaviour. E.g. testing equipment, temporary equipment brought in for a large event (e.g. at a sporting event), a cell tower crashed and upon restarting broadcasts temporarily incorrect values until it’s completely finished restarting, and so on.</p>
<h3><a id="Apps"></a>Section 4.2: Detection apps</h3>
<p>Many apps have been released that claim to alert users when it seems likely they’re connected to a CSS. The most popular ones include: <a href="https://github.com/CellularPrivacy/Android-IMSI-Catcher-Detector/wiki">Android IMSI-Catcher Detector (AIMSICD)</a>, <a href="https://opensource.srlabs.de/projects/snoopsnitch">SnoopSnitch</a>, <a href="https://sitch.io/">Sitch</a>, <a href="https://play.google.com/store/apps/details?id=kz.galan.antispy">GSM Spy Finder</a>, <a href="https://play.google.com/store/apps/details?id=com.skibapps.cellspycatcher&amp;hl=en_US">Cell Spy Catcher</a>. The quality of these apps varies, and some are still popular despite no longer being maintained.</p>
<p>Most of these apps implement at least some of the detection methods listed above and in Dabrowski et al. Even though sometimes multiple apps will have implemented the same detection methods, they won’t necessarily produce the same result when evaluating if a particular base station is suspicious or not (Borgaonkar et al, 2017). Let’s look at some examples of how detection apps have failed to include basic detection heuristics, as well as how there could be discrepancies in the evaluations they produce.</p>
<p><em>Varying power levels</em></p>
<p>One of the previously described detection methods is to track if a tower you’ve seen before suddenly broadcasts at much higher power. In Borgaonkar et al’s <em>White-Stingray: Evaluating IMSI Catchers Detection Applications</em>, researchers analyzed four of the previously mentioned apps and found that while most of them stored regular measurements of BTS power levels, none of them compared new values to historical values. This means that none of the apps could detect when towers had an unusually high broadcast power.</p>
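<p>The missing comparison against historical values can be sketched as follows. This is an added example, not code from the paper or from any of the apps. It assumes the survey tool records received power in dBm per cell, keyed by (MCC, MNC, LAC, cell ID); the readings, class name and thresholds are constructed for illustration.</p>

```python
from collections import defaultdict, deque
from statistics import median

# Constructed survey data: (cell key, received power in dBm). The cell key is
# assumed to be (MCC, MNC, LAC, cell ID); MCC 001 / MNC 01 is the test network.
CELL_A = (1, 1, 4020, 1111)
CELL_B = (1, 1, 4020, 2222)
SAMPLE_READINGS = (
    [(CELL_A, p) for p in (-95.0, -93.0, -96.0, -94.0, -95.0,
                           -92.0, -94.0, -96.0, -93.0, -95.0)]
    + [(CELL_A, -91.0),   # ordinary fluctuation
       (CELL_A, -60.0),   # same cell identity, suddenly far stronger
       (CELL_A, -95.0),   # back to normal
       (CELL_B, -88.0), (CELL_B, -87.0),
       (CELL_B, -50.0)]   # strong, but there is no history to judge it against
)


class PowerBaseline:
    """Rolling per-cell history of received power, with a robust jump test."""

    def __init__(self, window=50, min_samples=8, k=6.0, min_jump_db=10.0):
        self.min_samples = min_samples    # history needed before judging
        self.k = k                        # how many robust sigmas count as a jump
        self.min_jump_db = min_jump_db    # never alert on less than this
        self.history = defaultdict(lambda: deque(maxlen=window))

    def observe(self, cell_key, power_dbm):
        """Compare one reading with the cell's own history.

        Returns an alert dict when the reading is abnormally strong,
        otherwise None. Flagged readings are not added to the history, so a
        loud impostor cannot drag the baseline upwards.
        """
        past = self.history[cell_key]
        alert = None
        if len(past) >= self.min_samples:
            base = median(past)
            # Median absolute deviation, scaled to approximate a std deviation.
            mad = median(abs(x - base) for x in past)
            margin = max(self.k * 1.4826 * mad, self.min_jump_db)
            if power_dbm > base + margin:
                alert = {
                    "cell": cell_key,
                    "power_dbm": power_dbm,
                    "baseline_dbm": base,
                    "excess_db": power_dbm - base,
                }
        if alert is None:
            past.append(power_dbm)
        return alert


def scan(readings, **detector_options):
    """Run every reading through one detector and collect the alerts."""
    detector = PowerBaseline(**detector_options)
    alerts = []
    for cell_key, power_dbm in readings:
        alert = detector.observe(cell_key, power_dbm)
        if alert is not None:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_READINGS):
        print(alert)
```

<p>Received power also rises when the phone simply moves closer to a tower, so an alert like this is a reason to look further, not a verdict; a stationary sensor gives a much cleaner baseline than a handset in a pocket.</p>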
<p><strong><em>LAC change</em></strong></p>
<p>As we saw in Section 3.2.1, when phones move to a new Location Area (or when they’re in the process of connecting to a base station that’s advertising as having a different LAC), they’ll need to update their information. As a result, they’ll eventually respond to an <em>Identity Request</em> (the command that reveals a phone’s IMSI). It’s generally believed that CSSs advertise as having a different LAC than the one that corresponds to the area they’re in, allowing them to exploit this mechanism to force phones to hand over their IMSIs or connect to them.</p>
<p>All previously mentioned detection apps monitor for LAC changes. As Borgaonkar et al point out, one of them checks to see if the LAC matches that of neighbouring base stations, and displays a warning to the user when it’s close to the edge of an LA. Since LAC changes are common when the user is near the edge of a LA, these warnings are often false positives. Another app stores all LACs the phone has seen before, and sends out warnings whenever a new one appears, meaning false positive warnings are constantly sent out when the user travels to new places. Another app defaults to marking anything broadcasting a LAC value between 0-9 as suspicious. This is an example of how even though all the detection apps have heuristics for detecting if a base station is suspicious based on a determination that a required value (the LAC) is unusual, their interpretations of how to do this and their implementations vary so much that they produce different results.</p>
<p>Because we don’t have global standards for what’s normal, and because things vary so wildly by country, carrier, etc, it’s difficult to come up with heuristics that could universally work for detecting CSSs. As a result, the apps that have attempted to tackle this problem so far have ended up having dramatically different thresholds for alerts.</p>
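<p>To make the disagreement concrete, the three LAC heuristics described above can be run over the same observations. This is an added example, not code from any of the apps: the heuristic functions are a simplified reading of the descriptions in Borgaonkar et al as summarised here, and the observations, LAC values and ground-truth labels are constructed.</p>

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    label: str
    serving_lac: int            # LAC advertised by the serving base station
    neighbour_lacs: tuple       # LACs advertised by neighbouring stations
    seen_lacs: frozenset        # LACs this phone had recorded earlier
    is_css: bool                # constructed ground truth, for scoring only


HOME_LACS = frozenset({4020, 4021})

# Constructed observations covering the situations discussed in the text.
OBSERVATIONS = [
    Observation("home, middle of LA", 4020, (4020, 4020, 4020), HOME_LACS, False),
    Observation("home, edge of LA", 4020, (4020, 4021, 4021), HOME_LACS, False),
    Observation("first visit to another city", 7310, (7310, 7310), HOME_LACS, False),
    Observation("station advertising an out-of-area LAC", 5150,
                (4020, 4020, 4020), HOME_LACS, True),
    Observation("legitimate cell with a small LAC", 7, (7, 7),
                frozenset({7}), False),
]


def neighbour_mismatch(o):
    """Warn when any neighbour advertises a different LAC than the serving cell."""
    return any(lac != o.serving_lac for lac in o.neighbour_lacs)


def never_seen(o):
    """Warn whenever the serving LAC is new to this phone."""
    return o.serving_lac not in o.seen_lacs


def low_value(o):
    """Treat any LAC between 0 and 9 as suspicious."""
    return 0 <= o.serving_lac <= 9


HEURISTICS = {
    "neighbour_mismatch": neighbour_mismatch,
    "never_seen": never_seen,
    "low_value": low_value,
}


def verdicts(o):
    """Verdict of every heuristic for one observation."""
    return {name: check(o) for name, check in HEURISTICS.items()}


def evaluate(observations):
    """Count true positives, false positives and misses per heuristic."""
    scores = {name: {"tp": 0, "fp": 0, "fn": 0} for name in HEURISTICS}
    for o in observations:
        for name, flagged in verdicts(o).items():
            if flagged and o.is_css:
                scores[name]["tp"] += 1
            elif flagged:
                scores[name]["fp"] += 1
            elif o.is_css:
                scores[name]["fn"] += 1
    return scores


def disputed(observations):
    """Labels of observations on which the heuristics do not all agree."""
    return [o.label for o in observations
            if len(set(verdicts(o).values())) > 1]


if __name__ == "__main__":
    for o in OBSERVATIONS:
        print(f"{o.label:40s} {verdicts(o)}")
    print(evaluate(OBSERVATIONS))
```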
<h3><a id="Defending"></a><strong>Section 4.3: Defending against CSSs</strong></h3>
<p>CSSs have such a wide range of capabilities (based on what we know about possible cell network attacks they could be based on) that there is no feasible way to defend against all of the things they can do. Defense should begin by considering what someone’s specific threat model is and coming up with ways to defend after that.</p>
<p><strong><em>Examples</em></strong></p>
<p>At the time of writing, there are no publicly known confirmed examples of CSSs being used by law enforcement for communication interception or service denial. However, there are <a href="https://www.detroitnews.com/story/news/local/detroit-city/2017/05/18/cell-snooping-fbi-immigrant/101859616/">quite</a> <a href="http://cnsmaryland.org/interactives/spring-2016/maryland-police-cell-phone-trackers/index.html">a few</a> <a href="https://shadowproof.com/2019/05/08/detroit-police-spent-more-than-half-million-dollars-on-cell-site-simulator-to-track-peoples-locations/">examples</a> of CSSs being used for location tracking.</p>
<p>Since the main threat CSSs pose is that of real time location tracking, and there are no adjustable user settings one can change to affect this, there are currently no immediate steps one can take to defend themselves against these devices, other than either not having a cell phone (which isn’t a reasonable option for many of us) or turning off and/or leaving behind your phone when doing something important.</p>
<p>Despite that, there are many steps you can take to defend against online surveillance, many of which we’ve outlined in EFF’s <a href="https://ssd.eff.org/">Surveillance Self Defense Guide</a>.</p>
<h2><a id="Conclusion"></a>Conclusion: the past &amp; future of cell network security</h2>
<p>The intersection of cell networks, security, and user privacy has historically not been an accessible field, but that’s slowly changing. Each year there is more research in this field being published and open source projects (such as <a href="https://github.com/srsLTE/srsLTE">srsLTE</a>) that enable this research are improving dramatically—and more people are starting to question why more work isn’t being done to fix these issues.</p>
<p>Cell network security <a href="https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html">is broken in some pretty fundamental ways</a>. It’s up to all of us over the next few years to demand lawmakers pay closer attention to the issue, and to put pressure on standards groups, carriers, network operators, and vendors to make necessary improvements. Together, we can protect and defend users’ privacy.</p>
<h2><a id="References"></a>References</h2>
<p><em>IMSI-Catch Me If You Can: IMSI-Catcher-Catchers.</em> Adrian Dabrowski, Nicola Pianta, Thomas Klepp, Martin Mulazzani, Edgar Weippl. <a href="https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf">https://www.sba-research.org/wp-content/uploads/publications/DabrowskiEtAl-IMSI-Catcher-Catcher-ACSAC2014.pdf </a>(Dabrowski et al, 2014)</p>
<p><em>IMSI Catcher Detection Apps Might Not Be All That Good, Research Suggests.</em> Joseph Cox. <a href="https://www.vice.com/en_us/article/neeb5g/stingray-detection-apps-might-not-be-all-that-good-research-suggests">https://www.vice.com/en_us/article/neeb5g/stingray-detection-apps-might-not-be-all-that-good-research-suggests</a></p>
<p><em>Instant Ciphertext-Only Cryptanalysis of GSM Encrypted Communication</em>. Elad Barkan, Eli Biham, Nathan Keller. <a href="http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf">http://www.cs.technion.ac.il/users/wwwb/cgi-bin/tr-get.cgi/2006/CS/CS-2006-07.pdf </a>(Barkan et al, 2006)</p>
<p><em>Practical Attacks Against Privacy and Availability in 4G/LTE Mobile Communication Systems.</em> Altaf Shaik, Ravishankar Borgaonkar, N. Asokan, Valtteri Niemi, and Jean-Pierre Seifert. <a href="https://arxiv.org/pdf/1510.07563.pdf">https://arxiv.org/pdf/1510.07563.pdf </a>(Shaik et al, 2017)</p>
<p><em>Practical Cellphone Spying</em>. Kristen Paget. Defcon 18. <a href="https://www.youtube.com/watch?v=fQSu9cBaojc">https://www.youtube.com/watch?v=fQSu9cBaojc </a>(Paget, 2010)</p>
<p><em>White-Stingray: Evaluating IMSI Catchers Detection Applications.</em> Ravishankar Borgaonkar, Andrew Martin, Shinjo Park, Altaf Shaik, Jean-Pierre Seifert. <a href="https://ora.ox.ac.uk/objects/uuid:15738ed0-c144-49e9-a4fa-466362cf7754">https://ora.ox.ac.uk/objects/uuid:15738ed0-c144-49e9-a4fa-466362cf7754 </a>(Borgaonkar et al, 2017)</p>
<h2>Notes</h2>
<ol>
<li id="fn1">The name “3GPP” is confusing since it contains “3G”. While they didn’t exist when GSM (a 2G technology) was originally being developed, they did later absorb some of the organizations that were responsible for developing GSM. It is still one of the main organizations that develops and maintains existing and future protocols. <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref1" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn2">Unfortunately, most phones usually don’t have an ability to specify connection settings. Recently some phones have begun to implement features like “use LTE only” though. <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref2" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn3">Unfortunately, most phones usually don’t have an ability to specify connection settings. Recently some phones have begun to implement features like “use LTE only” though. <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref3" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn4">According to the Department of Justice, some CSSs can directly collect a subscriber’s phone number, meaning LE can skip the step of subpoenaing a service provider to obtain the subscriber’s phone number. See page 6 of https://www.eff.org/files/2015/11/30/illinois.dist_.ct_.stingrays.pdf. <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref4" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn5">Generally, the network will first direct the message to the last known cell tower the phone was connected to, and that tower will send out a paging message to everyone listening on its paging frequency. If it doesn’t get a response, then it will spread out and try all the towers in a given Location Area, and so on. The exact details of how this works varies by type of data being routed (e.g. SMS vs phone call vs LTE data message) and by carrier. <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref5" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn6">Basically, you compare the paging identities in the RRC messages sent out after each short call you initiate, and extract the value(s) that are repeated the number of times you placed calls. You can read much more in the <em>Revealing Identities</em> section here: <a href="https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf">https://www-users.cs.umn.edu/~hoppernj/celluloc.pdf</a> <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref6" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
<li id="fn7">Note that Facebook messages have the advantage of not needing to know your target’s phone number to be able to trigger a notification being sent to their phone! (The attacker doesn’t need to be Facebook friends with their target either, as Facebook Messenger messages sent to strangers end up in the ‘Other’ folder, but still trigger LTE push notifications that aren’t displayed to the user.) <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#fnref7" rev="footnote"><img src="https://s.w.org/images/core/emoji/17.0.2/72x72/21a9.png" alt="↩" class="wp-smiley" style="height: 1em; max-height: 1em;" /></a></li>
</ol>
</div>
</div>
</div>
</div>
</article>
</div>
<p><a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks" target="_blank" rel="noopener">source</a></p>
<hr />
<div class="editor-content title-wrap">
<h1 class="h1 ">Understanding and Detecting IMSI Catchers around the World</h1>
</div>
<p>One of the good things about working in the area of core network security is the opportunity to find new and unexpected types of attacks. These are attacks you didn’t even know could happen, much less have a chance to prevent. Finding these unexpected attacks doesn’t just happen, though: it requires experience and investigation, and most importantly the mindset to dig deeper into any strange events that are encountered and try to understand them, rather than just assuming they are random malicious events.</p>
<p>In this particular case, we are discussing IMSI Catchers. First off, the term IMSI catcher is a misused and sometimes contradictory one. As explained <a href="https://www.eff.org/pages/cell-site-simulatorsimsi-catchers" target="_blank" rel="noopener">here</a>, there are actually two types of equipment that the public (and many in the industry) conflate under the name IMSI catcher.</p>
<ul>
<li>‘Active’ IMSI Catchers, also termed Cell Site Simulators (CSS) or Fake Base Stations – these attempt to force local devices to connect to a Cell Site Simulator, in order to decrypt the conversation and texts, and to execute man in the middle interception. These would be considered the more ‘traditional’ type of IMSI catchers most would be aware of. ‘Stingray’ is also a common term for these (named after the brand built by Harris Corporation). A good overview of how Active IMSI Catchers/Cell Site Simulators work is <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks" target="_blank" rel="noopener">here</a>.</li>
<li>Passive IMSI Catchers – these passively listen in to the paging of mobile devices as they move and register to new real Cell towers in the local area, in order to get the IMSI numbers of these devices. They are far less precise, and are unable to do any of the more sophisticated types of interception, but involve no interaction between the mobile device and the IMSI Catcher. An overview of how these could work is <a href="https://harrisonsand.com/posts/imsi-catcher/" target="_blank" rel="noopener">here</a>.</li>
</ul>
<picture class="wp-image-82879 aligncenter"><source srcset="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png.webp 932w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-300x100.png.webp 300w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-768x257.png.webp 768w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-546x183.png.webp 546w" type="image/webp" sizes="(max-width: 800px) 100vw, 800px" data-lazy-srcset="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png.webp 932w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-300x100.png.webp 300w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-768x257.png.webp 768w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-546x183.png.webp 546w" /><img loading="lazy" decoding="async" class="entered lazyloaded" src="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png" sizes="(max-width: 800px) 100vw, 800px" srcset="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png 932w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-300x100.png 300w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-768x257.png 768w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-546x183.png 546w" alt="two diagrams showing the difference between active IMSI Catcher and Passive IMSI Catcher" width="800" height="268" data-lazy-srcset="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png 932w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-300x100.png 300w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-768x257.png 768w, https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1-546x183.png 546w" data-lazy-sizes="(max-width: 800px) 100vw, 800px" data-lazy-src="https://www.enea.com/wp-content/uploads/2023/06/IMSI_Catcher_1.png" data-ll-status="loaded" /></picture>
<p>The primary difference between these two is that the more traditional Active IMSI Catchers/CSSs always involve some form of interaction with the mobile device, whereas the Passive IMSI Catcher doesn’t – it literally just listens in to the paging that occurs in the local area as the mobile device changes between legitimate cell towers in the vicinity. This makes a big difference when it comes to detection of these IMSI Catcher types.</p>
<p>A lot of research has gone into various ways of detecting Active IMSI Catchers, by looking at how they differ from real Cell towers. One distinctive example of what an Active IMSI Catcher might do is the forced downgrading of their target mobile device to use a less secure radio interface. Detecting an Active IMSI Catcher can be difficult, involves a lot of local measurements, and can and often has in the past led to false positives, but it gives some results. From the attacker’s perspective it’s also a trade-off, in that they must make the effort to physically deploy an Active IMSI Catcher in a sensitive area, and then hope its radio activity doesn’t give it away. This is often why more sophisticated attackers may resort to using attacks over signalling interfaces such as SS7 and Diameter to achieve their aims, which can be sent from any part of the world.</p>
<p>A Passive IMSI Catcher changes things somewhat. It still involves physical deployment of a system to listen in the local targeted area, but it is essentially undetectable on the radio interface, as it emits nothing that would allow it to be detected. This makes it very valuable to perform long-term surveillance in sensitive areas, when the goal is to have the least chance of being detected, while still trying to determine the IMSIs of who is in the local area.</p>
<p>The issue with both types of IMSI Catchers, from the attacker’s perspective, is that what they are left with is a collection of IMSIs from around the world. While this information may be useful, often you need more information to profile who has been ‘caught’. For Active IMSI Catcher deployments, the attackers may also intercept calls, text messages etc., so they have a better idea of the target, but for passive IMSI catchers they won’t have that. What the attackers really need is the corresponding phone number – the MSISDN of the mobile device associated with the IMSI – in order to truly figure out the identities of the mobile devices their IMSI catcher has caught.</p>
<p>This is where our analysis and investigation have come in. Over time, we have been seeing patterns of unusual requests over the SS7 interface for particular IMSIs. Specifically, our Signalling Firewalls, deployed at multiple customer mobile operators, have been receiving suspicious MAP_RESTORE_DATA packets for IMSIs from unexpected sources. A MAP_RESTORE_DATA packet is a particular command that requests that the home operator send details for a particular IMSI to the roamed-to network. Details in this case include the MSISDN (the actual phone number), call forwarding settings and other specific information. Further investigation showed that we always received this command when these IMSIs were near or attached to specific Cell Sites while roaming in a 3rd country, and nowhere else.</p>
<picture class="wp-image-82881 aligncenter"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21343" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/IMSI_Catcher_sequence_wide-1536x662.png.webp" alt="" width="1536" height="662" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/IMSI_Catcher_sequence_wide-1536x662.png.webp 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/IMSI_Catcher_sequence_wide-1536x662.png-400x172.webp 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/IMSI_Catcher_sequence_wide-1536x662.png-1024x441.webp 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/IMSI_Catcher_sequence_wide-1536x662.png-768x331.webp 768w" sizes="(max-width: 1536px) 100vw, 1536px" /></picture>
<p>Our working theory is that what we are observing is what we now call “<strong>IMSI Profilers</strong>”. These IMSI Profilers work in conjunction with IMSI Catchers – they take the list of IMSIs that have been detected and request profile information, in order to feed these phone numbers back to the IMSI catcher operator. The sequence of events that we believe happens is shown above. From log analysis it also seems likely (but can’t be confirmed 100%) that the IMSI Catcher in the 3rd country is of the passive variety. In this particular case, the IMSI Profiler is using a source SS7 address (called an SCCP Global Title or GT) in a small European mobile operator that our SIGIL/Signalling Intelligence system has previously detected being used by multiple surveillance companies, further confirming our suspicion that it is malicious.</p>
<p>Regardless of the IMSI catcher type used, this method of analysing incoming suspicious signalling activity gives mobile operators the opportunity to partially protect their subscribers against IMSI Catchers around the world, something they didn’t have in the past. It won’t stop an Active IMSI Catcher from forcing a subscriber to connect to it, but it would stop additional information being retrieved. And in the case of a passive IMSI catcher it is potentially one of the <strong>only ways</strong> to detect these remotely and block any more useful information being obtained.</p>
<p>In the long term, improvements in the new 5G radio and core network standards mean that mobile operators should be able to greatly improve their ability to block IMSI Catchers over 5G. If these are implemented correctly and no loopholes are introduced then effective 5G IMSI Catchers may never arise. In the interim however, IMSI Catchers – both Passive and Active – are being used globally to track and record individuals without their consent. By analysing incoming signalling traffic, and detecting and blocking these IMSI Profilers, mobile operators now have the opportunity to help protect their subscribers globally, regardless of how stealthy the IMSI Catcher is. <a href="https://www.enea.com/insights/adaptive-mobile-imsi-catchers/" target="_blank" rel="noopener">source</a></p>
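<p>The signalling check described above, as an added example that is not code from the original article or from any vendor's firewall: it flags MAP_RESTORE_DATA requests whose source Global Title belongs to a different operator than the network currently serving the subscriber, then groups the flagged requests by source. The log format, GT prefix table, IMSIs, GTs and the three-IMSI threshold are all constructed assumptions.</p>

```python
from collections import defaultdict
from dataclasses import dataclass

# Everything below is constructed for illustration: IMSIs use the test
# PLMN 001/01 and Global Titles use an unassigned 999 prefix.
GT_PREFIX_OWNER = {            # hypothetical GT range -> operator table
    "99901": "VisitedNet-A",
    "99902": "SmallOp-B",
    "99903": "VisitedNet-C",
}
SERVING_VLR = {                # home operator's view: IMSI -> current VLR GT
    "001010000000001": "999010000100",
    "001010000000002": "999010000100",
    "001010000000003": "999010000100",
    "001010000000004": "999030000200",
}
MIN_IMSIS = 3                  # assumed threshold for calling a source a profiler


@dataclass(frozen=True)
class MapRequest:
    ts: int          # seconds since start of capture
    opcode: str      # MAP operation name as logged by the firewall
    calling_gt: str  # SCCP calling-party Global Title
    imsi: str


SAMPLE_LOG = [                 # constructed firewall log
    MapRequest(10, "MAP_RESTORE_DATA", "999010000100", "001010000000001"),
    MapRequest(20, "MAP_RESTORE_DATA", "999020000555", "001010000000001"),
    MapRequest(25, "MAP_RESTORE_DATA", "999020000555", "001010000000002"),
    MapRequest(31, "MAP_RESTORE_DATA", "999020000555", "001010000000003"),
    MapRequest(40, "MAP_UPDATE_LOCATION", "999030000200", "001010000000004"),
    MapRequest(50, "MAP_RESTORE_DATA", "999040000001", "001010000000004"),
]


def owner_of(gt):
    """Longest-prefix match of a Global Title against the operator table."""
    matches = [p for p in GT_PREFIX_OWNER if gt.startswith(p)]
    return GT_PREFIX_OWNER[max(matches, key=len)] if matches else None


def classify(req, serving_vlr):
    """Return (verdict, reason) for one incoming request."""
    if req.opcode != "MAP_RESTORE_DATA":
        return "pass", "not a MAP_RESTORE_DATA request"
    source = owner_of(req.calling_gt)
    if source is None:
        return "block", "source GT is outside every known operator range"
    vlr_gt = serving_vlr.get(req.imsi)
    if vlr_gt is None:
        return "block", "subscriber is not registered on any VLR"
    serving = owner_of(vlr_gt)
    if source != serving:
        return "block", f"request from {source}, subscriber is on {serving}"
    return "pass", "source matches the serving network"


def profile_sources(requests, serving_vlr):
    """Group blocked requests by source GT and look for the profiler pattern:
    one source asking about several IMSIs that all sit in one visited network."""
    hits = defaultdict(lambda: {"imsis": set(), "networks": set()})
    for req in requests:
        verdict, _ = classify(req, serving_vlr)
        if verdict != "block":
            continue
        vlr_gt = serving_vlr.get(req.imsi)
        hits[req.calling_gt]["imsis"].add(req.imsi)
        hits[req.calling_gt]["networks"].add(owner_of(vlr_gt) if vlr_gt else None)
    report = {}
    for gt, seen in hits.items():
        clustered = len(seen["networks"]) == 1 and None not in seen["networks"]
        report[gt] = {
            "imsis": len(seen["imsis"]),
            "serving_networks": sorted(n for n in seen["networks"] if n),
            "likely_profiler": clustered and len(seen["imsis"]) >= MIN_IMSIS,
        }
    return report


if __name__ == "__main__":
    for req in SAMPLE_LOG:
        print(req.ts, req.calling_gt, req.imsi, *classify(req, SERVING_VLR))
    print(profile_sources(SAMPLE_LOG, SERVING_VLR))
```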
<hr />
<div class="et_pb_row et_pb_row_1_tb_body">
<div class="et_pb_column et_pb_column_3_5 et_pb_column_3_tb_body et_pb_css_mix_blend_mode_passthrough et-last-child">
<div class="et_pb_module et_pb_post_title et_pb_post_title_0_tb_body et_pb_bg_layout_light et_pb_text_align_left">
<div class="et_pb_title_container">
<h1 class="entry-title">How to Catch an IMSI Catcher</h1>
</div>
</div>
<div class="et_pb_module et_pb_text et_pb_text_1_tb_body article-excerpt et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner">IMSI catchers, or fake antennas, are a common cell phone surveillance method. The FADe project helped local NGOs in Latin America detect and document these devices.</div>
</div>
<div class="et_pb_module et_pb_text et_pb_text_3_tb_body et_pb_text_align_left et_pb_bg_layout_light">
<div class="et_pb_text_inner"></div>
</div>
</div>
</div>
<div class="et_pb_row et_pb_row_2_tb_body">
<div class="et_pb_column et_pb_column_4_4 et_pb_column_4_tb_body et_pb_css_mix_blend_mode_passthrough et-last-child">
<div class="et_pb_module et_pb_post_content et_pb_post_content_0_tb_body news-body">
<h2 class="wp-block-heading"><strong>Civil Society Needs Help Catching IMSI Catchers </strong></h2>
<p>Law enforcement, criminals, and repressive governments monitor cell phone signals for the purpose of counter-terrorism, espionage, or political persecution. One common surveillance method is the placement of fake antennas—or <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks#BackgroundInfo" target="_blank" rel="noreferrer noopener">IMSI catchers</a>—which imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.</p>
<p>In a high-profile example, <a href="https://nomada.gt/pais/la-corrupcion-no-es-normal/espionaje-ilegal-del-gobierno-aqui-esta-la-investigacion-de-nuestro-diario-parte-i/" target="_blank" rel="noreferrer noopener">a Guatemalan investigation revealed</a> large-scale <a href="https://www.eff.org/deeplinks/2018/12/where-government-hack-their-own-people-and-people-fight-back-latin-american" target="_blank" rel="noreferrer noopener">illegal spying</a> targeting “activists, entrepreneurs, politicians, journalists, diplomats, and social leaders.” Many governments engage in similar practices, often <a href="https://privacyinternational.org/strategic-areas/contesting-government-data-and-system-exploitation" target="_blank" rel="noreferrer noopener">without any meaningful oversight</a> or accountability.</p>
<p>The battle against authoritarian or illegal spying demands a range of methodologies—from legal policies and telecommunications regulations to physical interventions like “Faraday bags,” which shield devices in a casing that blocks electromagnetic transmissions. But the fight between eavesdroppers and victims (often human rights defenders) is not an even one. Most civil society organizations lack the equipment or expertise to effectively monitor phone surveillance.</p>
<h2 class="wp-block-heading"><strong>Equipping Civil Society with Resources to Expose Surveillance</strong></h2>
<p>To help Latin American NGOs level the playing field, <a href="http://www.southlighthouse.org/" target="_blank" rel="noreferrer noopener">South Lighthouse</a> created the <a href="http://fadeproject.org/" target="_blank" rel="noreferrer noopener">Fake Antenna Detection project (FADe)</a>, with support from Open Technology Fund’s <a href="https://www.opentech.fund/funds/internet-freedom-fund/" target="_blank" rel="noreferrer noopener">Internet Freedom Fund</a>. The project’s primary focus was detecting and documenting IMSI catchers—surveillance devices that imitate legitimate cell towers in order to track individual mobile subscribers, monitor their communications, or even disable their network connections.</p>
<p>The FADe team provided training, equipment, and other support to enable local partners to scan for IMSI catchers, analyze their findings and, ideally, make use of the results for advocacy. “A fundamental principle of the program has been partnership and capacitation,” says Andrés Schiavi, Executive Director of South Lighthouse.</p>
<p>FADe’s technology coordinator, Carlos Guerra, says, “We wanted to open up a discussion for NGOs about how cell technology works and about how it <em>should</em> work to ensure optimal benefits to people’s safety and people’s rights.”</p>
<p>Using methods initially developed by the <a href="https://seaglass.cs.washington.edu/" target="_blank" rel="noreferrer noopener">SEAGLASS</a> project at the University of Washington and the <a href="https://www.eff.org/pages/crocodile-hunter" target="_blank" rel="noreferrer noopener">Electronic Frontier Foundation (EFF)</a>, FADe partners assembled simple sensors using a few off-the-shelf electronics, a smartphone, and a “feature phone” (a basic device resembling an early mobile phone that is usually more affordable and durable than a smartphone). The sensor setup sits in a moving vehicle and collects signal information over several weeks from local cell towers.</p>
<p>By analyzing the resulting data, groups can differentiate between signals consistent with legitimate cell towers and signals showing anomalous behaviors, such as a “tower” that changes locations (see animation below); or only operates during certain times; or uses frequencies or signal parameters not used anywhere else in the network. Another common warning sign is suspicious instructions sent to a device, such as a request to disconnect from all other towers, or a command to downgrade from 3G or 4G to a 2G network, which will make the device more vulnerable to surveillance.</p>
<p><em>A specific cell tower physically moving among different locations is one of the anomalous behaviors that can help identify an IMSI-catcher.</em></p>
<p>But analysis of these signals can be tricky, says Guerra. “There is no cookie-cutter method,” he says. The data is “noisy,” and cell providers configure their towers differently. It takes many days of monitoring to set a baseline that helps distinguish between legitimate and fake antennas.</p>
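<p>Three of the anomaly checks described above (a tower that moves, a tower seen only some of the time, a channel no other tower uses), as an added example that is not FADe, SEAGLASS or EFF code. The reading format, the coordinates, the sample survey and every threshold are constructed assumptions; real data is noisier and needs a per-network baseline, as the article notes.</p>

```python
import math
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Reading:
    day: int       # survey day number
    lat: float     # sensor position when the tower was heard
    lon: float
    cell_id: str   # identity broadcast by the tower
    channel: int   # radio channel number
    rssi: int      # received signal strength in dBm


def haversine_km(lat1, lon1, lat2, lon2):
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dp, dl = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dp / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dl / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def centroid(readings):
    """Rough tower position: sensor positions weighted by linear signal power."""
    weights = [10 ** (r.rssi / 10) for r in readings]
    total = sum(weights)
    return (sum(w * r.lat for w, r in zip(weights, readings)) / total,
            sum(w * r.lon for w, r in zip(weights, readings)) / total)


def analyse(readings, move_km=1.0, near_km=0.5, min_days=4, min_seen=0.5):
    """Return {cell_id: [flags]} for towers that break the assumed baseline."""
    by_cell, cells_on_channel = defaultdict(list), defaultdict(set)
    for r in readings:
        by_cell[r.cell_id].append(r)
        cells_on_channel[r.channel].add(r.cell_id)
    flags = {}
    for cell, rs in by_cell.items():
        found = []
        per_day = defaultdict(list)
        for r in rs:
            per_day[r.day].append(r)
        # 1. Position estimated separately for each day should not jump.
        spots = [centroid(v) for v in per_day.values()]
        spread = max((haversine_km(*a, *b) for a in spots for b in spots), default=0.0)
        if spread > move_km:
            found.append("moved")
        # 2. The tower should be heard on most days the sensor passed nearby.
        home = centroid(rs)
        passes = {r.day for r in readings
                  if haversine_km(r.lat, r.lon, *home) <= near_km}
        if len(passes) >= min_days and len(per_day) / len(passes) < min_seen:
            found.append("intermittent")
        # 3. A channel that no other tower in the survey uses.
        if len(by_cell) >= 3 and any(cells_on_channel[r.channel] == {cell} for r in rs):
            found.append("rare_channel")
        if found:
            flags[cell] = found
    return flags


def constructed_survey():
    """Six days along one road with three stops; towers A, B, C behave normally."""
    p0, p1, p2 = (0.0, 0.00), (0.0, 0.02), (0.0, 0.04)
    out = []
    for day in range(6):
        out += [Reading(day, *p0, "A", 10, -60), Reading(day, *p1, "A", 10, -95),
                Reading(day, *p2, "B", 10, -60), Reading(day, *p1, "B", 10, -95),
                Reading(day, *p1, "C", 20, -55)]
        # M is heard at one end of the road for three days, then at the other.
        out.append(Reading(day, *(p0 if day < 3 else p2), "M", 20, -55))
    # T appears on a single day, on a channel nothing else uses.
    out.append(Reading(4, *p1, "T", 77, -50))
    return out


if __name__ == "__main__":
    print(analyse(constructed_survey()))
```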
<p>The FADe team began working with local organizations in 2018. To mitigate technical and security risks, Schiavi says the first FADe partners were drawn from among South Lighthouse’s network of Latin American organizations. But interest grew rapidly, he says, in part because nothing comparable to the FADe/SEAGLASS approach had ever been available to these organizations. From 2019 to 2022, FADe worked with partners in <a href="https://fadeproject.org/?page_id=38" target="_blank" rel="noreferrer noopener">nine different countries</a>, documenting signals from almost 9,000 antennas, catching more than 150 likely IMSI-catchers.</p>
<p>One of FADe’s local partners, a digital security specialist from Nicaragua, says he was familiar with FADe in 2018 when he read the bombshell reports about Guatemalan surveillance. “The media found the police were using an IMSI-catcher,” he says. “We have known about methods like this in Central America, but we never had the evidence. I said, ‘We need to monitor that. I need to bring this to Nicaragua.&#8217;”</p>
<h2 class="wp-block-heading"><strong>Some of the Findings</strong></h2>
<p>The results in Nicaragua revealed <a href="https://fadeproject.org/?project=managua-2g-2" target="_blank" rel="noreferrer noopener">23 antennas around Managua</a> with anomalies that indicated the presence of an IMSI catcher. The local partner (who is remaining anonymous for security reasons) says the findings informed a wider discussion in Nicaragua about telephone eavesdropping. Although it was common knowledge that the government had an “open door” from the national ISP to eavesdrop online, the FADe data drove new public scrutiny and <a href="https://confidencial.digital/english/39-fake-antennas-discovered-monitoring-cell-phones-in-nicaragua/" target="_blank" rel="noreferrer noopener">media coverage</a> about the use of fake antennas.</p>
<p>Among the other FADe sites, <a href="https://www.reuters.com/article/us-mexico-tech-rights-trfn-analysis/birds-on-the-wire-concerns-over-mexico-cell-phone-surveillance-idUSKBN23J2CC/" target="_blank" rel="noreferrer noopener">Mexico</a> and <a href="https://openinternet.global/news/reality-digital-authoritarianism-venezuela" target="_blank" rel="noreferrer noopener">Venezuela</a> recorded an especially high number of fake antennas, as experts from <a href="https://poderlatam.org/" target="_blank" rel="noreferrer noopener">PODER</a> recounted <a href="https://www.washingtonpost.com/es/post-opinion/2020/05/31/datos-y-llamadas-de-celulares-en-riesgo-de-espionaje-por-antenas-falsas-en-america-latina/" target="_blank" rel="noreferrer noopener">in the Washington Post</a> (ES). Data from Caracas, Venezuela, showed <a href="https://fadeproject.org/?project=caracas" target="_blank" rel="noreferrer noopener">33 different devices</a> with irregular readings that could indicate IMSI-catchers. In Buenos Aires, Argentina, out of 1,000 cell towers monitored, <a href="https://fadeproject.org/?project=buenos-aires-2g&amp;lang=es" target="_blank" rel="noreferrer noopener">suspicious patterns</a> were found in 17 antennas, with most concentrated around the downtown and university areas. Notably, the suspicious antennas found in Buenos Aires were all on the 2G network, with no irregularities seen in the <a href="https://fadeproject.org/?project=buenos-aires-4g" target="_blank" rel="noreferrer noopener">smaller group</a> of devices on the 4G network, which is known to be harder to surveil. For summaries of the observations in all locations, see the project’s <a href="https://fadeproject.org/?page_id=38" target="_blank" rel="noreferrer noopener">results section</a>.  <a href="https://www.opentech.fund/news/how-to-catch-an-imsi-catcher/" target="_blank" rel="noopener">source</a></p>
</div>
</div>
</div>
<blockquote class="wp-embedded-content" data-secret="CwUzk2Zogw"><p><a href="https://goodshepherdmedia.net/cell-site-simulators-imsi-catchers-aka-stingray-phone-tracker/">Cell-site simulators/ imsi catchers aka Stingray phone tracker</a></p></blockquote>
<p><iframe title="Pacamarra: IMSI catcher intercepts calls, not personal data | Morning Matters" width="640" height="360" src="https://www.youtube.com/embed/fTCnf6mAgxk?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p><iframe title="RayHunter - Building the EFFs IMSI Catcher Detector" width="640" height="360" src="https://www.youtube.com/embed/SbSYSNuAetI?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p><iframe title="NDSS 2025 - Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic" width="640" height="360" src="https://www.youtube.com/embed/jY3idyn11Tc?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p><iframe title="DICT: IMSI catchers may operate in public spaces, tracking, intercepting mobile communications | ANC" width="640" height="360" src="https://www.youtube.com/embed/iUIcCMG30ZY?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Cell-site simulators/ imsi catchers aka Stingray phone tracker</title>
		<link>https://goodshepherdmedia.net/cell-site-simulators-imsi-catchers-aka-stingray-phone-tracker/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Sun, 24 Aug 2025 21:49:24 +0000</pubDate>
				<category><![CDATA[Cool Tech & Gadgets 📱⌚🎧⚡]]></category>
		<category><![CDATA[Digital Pioneers]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Home & Garden]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Phone Hacks]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[📱Mobile📱]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[Cell-site simulators]]></category>
		<category><![CDATA[Cell-site simulators/ imsi catchers]]></category>
		<category><![CDATA[imsi catchers]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=21346</guid>

					<description><![CDATA[Cell-site simulators/ imsi catchers aka Stingray phone tracker Cell-site simulators/ imsi catchers Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that masquerade as legitimate cell-phone towers, tricking phones within a certain radius into connecting to the device rather than a tower. Cell-site simulators operate by conducting a general search of all cell phones within [&#8230;]]]></description>
										<content:encoded><![CDATA[<h2>Cell-site simulators/ imsi catchers aka <span class="mw-page-title-main">Stingray phone tracker</span></h2>
<p><iframe title="5G IMSI Catchers Mirage5G IMSI Catchers Mirage" width="640" height="360" src="https://www.youtube.com/embed/Bg1HVaw1Sm4?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<h2>Cell-Site Simulators / IMSI Catchers</h2>
<div dir="ltr">
<div class="content">
<p>Cell-site simulators, also known as Stingrays or IMSI catchers, are devices that<a href="https://www.eff.org/deeplinks/2015/01/2014-review-stingrays-go-mainstream"> masquerade as legitimate cell-phone towers</a>, tricking phones within a certain radius into<a href="https://www.justice.gov/opa/file/767321/download"> connecting to the device rather than a tower</a>.</p>
<p>Cell-site simulators operate by conducting a general search of all cell phones within the device’s radius, in violation of basic constitutional protections. Law enforcement use cell-site simulators to pinpoint the location of phones with greater accuracy than phone companies and without needing to involve the phone company at all. Cell-site simulators can also log the IMSI numbers (International Mobile Subscriber Identifiers, unique to each SIM card) of all of the mobile devices within a given area. Some cell-site simulators may have advanced features allowing law enforcement to intercept communications.</p>
</div>
</div>
<p><iframe title="This $50 Device lets anyone spy and track your phone!" width="640" height="360" src="https://www.youtube.com/embed/PpkLts5fdII?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<div dir="ltr">
<div class="content">
<h3><span style="color: #008080;"><a href="https://www.opentech.fund/news/how-to-catch-an-imsi-catcher/" target="_blank" rel="noopener"><span style="color: #0000ff;">DOWNLOAD</span></a> IMSI CATCHER SOFTWARE AND BUILD YOUR OWN!</span><span style="color: #ff0000;"> TO OF COURSE SOLVE SECURITY FLAWS IN YOUR OWN SYSTEM ONLY </span></h3>
<h3>How Cell-Site Simulators Work</h3>
<h4>Standard Communication</h4>
<p>Cellular networks are distributed over geographic areas called &#8220;cells.&#8221; Each cell is served by one transceiver, also known as a cell-site or base station. Your phone naturally connects with the closest base station to provide you service as you move through various cells.</p>
<figure class="image"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21348" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-2.png" alt="" width="700" height="373" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-2.png 700w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-2-400x213.png 400w" sizes="(max-width: 700px) 100vw, 700px" /><figcaption>
<div class="image-attribution">Source: EFF</div>
<div class="image-caption"></div>
</figcaption></figure>
<p>Generally, there are two types of device used by law enforcement that are often referred to interchangeably: passive devices (which we will call IMSI catchers), and active devices (which we will call cell-site simulators). Passive devices, as a rule, do not transmit any signals. They work by plucking cellular transmissions out of the air, the same way an FM radio works. They then decode (and sometimes decrypt) those signals to find the IMSI of the mobile device and track it.</p>
<p>Active cell-site simulators are much more commonly used by law enforcement, and work very differently from their passive cousins. Cellular devices are designed to connect to the cell site nearby with the strongest signal. To exploit this, cell-site simulators broadcast signals that are either stronger than the legitimate cell sites around them, or are made to appear stronger. This causes devices within range to disconnect from their service providers’ legitimate cell sites and to instead establish a new connection with the cell-site simulator. Cell-site simulators can also take advantage of flaws in the design of cellular protocols (such as 2G/3G/4G/5G) to cause phones to disconnect from a legitimate cell-site and connect to the cell-site simulator instead.  For the purposes of this article we will focus on active cell-site simulators.</p>
<p>It is difficult for most people to know whether or not their phone’s signals have been accessed by an active cell-site simulator, and it is impossible for anyone to know if their phone’s signals have been accessed by a passive IMSI catcher. Apps for identifying the use of cell-site simulators, such as SnoopSnitch, may not be verifiably accurate. Some more advanced tools have been built, which may be more accurate. For instance, security researchers at the University of Washington have<a href="https://seaglass.cs.washington.edu/"> designed a system to measure the use of cell-site simulators across Seattle</a>, and EFF researchers <a href="https://github.com/EFForg/crocodilehunter/">have designed a similar system</a>.</p>
<h3>What Kinds of Data Cell-Site Simulators Collect</h3>
<p>Data collected by cell-site simulators can reveal intensely personal information about anyone who carries a phone, whether or not they have ever been suspected of a crime.</p>
<figure class="image"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21349" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-3.png" alt="" width="700" height="438" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-3.png 700w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/content_CSS-3-400x250.png 400w" sizes="(max-width: 700px) 100vw, 700px" /><figcaption>
<div class="image-attribution">Source: EFF</div>
<div class="image-caption">Cell-site simulator surveillance: Cell-site simulators trick your phone into thinking they are base stations.</div>
</figcaption></figure>
<p>Once your cellular device has connected to a cell-site simulator, the cell-site simulator can determine your location and trigger your device to transmit its  IMSI for later identification. If the cell-site simulator is able to downgrade the cellular connection to a 2G/GSM connection then it can potentially perform much more intrusive acts such as intercepting call metadata (what numbers were called or called the phone and the amount of time on each call),<a href="https://www.justice.gov/sites/default/files/criminal/legacy/2014/10/29/elec-sur-manual.pdf"> the content of unencrypted phone calls and text messages</a> and some types of data usage (such as websites visited).  Additionally, marketing materials produced by the manufacturers of cell-site simulators indicate that they<a href="https://info.publicintelligence.net/Gamma-GSM.pdf"> can be configured</a> to divert calls and text messages, edit messages, and even spoof the identity of a caller in text messages and calls on a 2G/GSM network.</p>
<h3>How Law Enforcement Uses Cell-Site Simulators</h3>
<p>Police can use cell-site simulators to try to locate a person when they already know their phone’s identifying information, or to gather the IMSI (and later the identity) of anyone in a specific area. Some cell-site simulators are small enough to fit in a police cruiser, or even on the vest of an officer, allowing law enforcement officers to drive to multiple locations, capturing from every mobile device in a given area—in some cases<a href="https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/"> up to 10,000 phones</a> at a time. These indiscriminate, dragnet searches include phones located in traditionally protected private spaces, such as homes and doctors’ offices.</p>
<p>Law enforcement officers have used information from cell-site simulators to investigate major and minor crimes and civil offenses.<a href="https://www.usatoday.com/story/news/2015/08/23/baltimore-police-stingray-cell-surveillance/31994181/"> Baltimore Police, for example,</a> have used their devices for a wide variety of purposes, ranging from tracking a kidnapper to trying to locate a man who took his wife’s phone during an argument (and later returned it to her).<a href="https://gizmodo.com/maryland-police-used-an-indiscriminate-cellphone-spy-to-1774831661"> In one case</a>, Annapolis Police used a cell-site simulator to investigate a robbery involving $56 worth of submarine sandwiches and chicken wings. In Detroit,<a href="https://www.eff.org/deeplinks/2017/05/no-hunting-undocumented-immigrants-stingrays"> U.S. Immigration and Customs Enforcement used a cell-site simulator</a> to locate and arrest an undocumented immigrant. In California, the San Bernardino county sheriff&#8217;s office <a href="https://arstechnica.com/tech-policy/2018/10/eff-sues-county-sheriff-claims-agency-wont-give-up-stingray-related-records/">used their cell-site simulator over 300 times in a little over a year</a>.</p>
<p>Police may have deployed cell-site simulators at protests. The Miami-Dade Police Department apparently<a href="http://cdn.arstechnica.net/wp-content/uploads/2013/09/miami-dade.pdf"> first purchased a cell-site simulator in 2003 to surveil protestors at a Free Trade of the Americas Agreement conference</a>. And it is suspected that they have been used <a href="https://www.law.georgetown.edu/american-criminal-law-review/wp-content/uploads/sites/15/2022/02/59-1-Owsley-George_Floyd_General_Warrants.pdf">more recently than that </a>during protests against police violence in 2020.</p>
<p>Cell-site simulators<a href="http://www.vocativ.com/389656/stingray-devices-in-trumps-america/"> are used</a> by the FBI, DEA, NSA, Secret Service, and ICE, as well as the U.S. Army, Navy, Marine Corps, and National Guard. U.S. Marshals and the FBI <a href="https://www.wsj.com/articles/americans-cellphones-targeted-in-secret-u-s-spy-program-1415917533">have attached cell-site simulators to airplanes</a> to track suspects, gathering massive amounts of data about many innocent people in the process. The<a href="https://www.texasobserver.org/texas-national-guard-spying-devices-surveillance/"> Texas Observer</a> also uncovered airborne cell-site simulators in use by the Texas National Guard. In 2023 it was revealed that ICE, DHS, and the Secret Service have all <a href="https://www.eff.org/deeplinks/2023/03/report-ice-and-secret-service-conducted-illegal-surveillance-cell-phones">used cell-site simulators many times without following their own rules on deployment or getting a warrant</a>.</p>
<p>A<a href="https://www.eff.org/deeplinks/2017/02/bipartisan-congressional-oversight-committee-wants-probable-cause-warrants-0"> recent Congressional Oversight Committee report</a> called on Congress to pass laws requiring a warrant before using cell-site simulators. Some states,<a href="https://www.eff.org/cases/californias-electronic-communications-privacy-act-calecpa"> such as California</a>, already require a warrant, except in emergency situations.</p>
<h3>Who Sells Cell-site Simulators</h3>
<p>Harris Corporation is the most well known company providing cell-site simulators to law enforcement. Their Stingray product has become the catchphrase for these devices, but they have subsequently introduced other models, such as Hailstorm,<a href="https://www.documentcloud.org/documents/3105805-Arrowhead-1-0-1-Release-Notes.html"> ArrowHead</a>,<a href="https://www.documentcloud.org/documents/3105793-Gemini-3-3-Quick-Start-Guide.html"> AmberJack, and KingFish</a>. Harris has stopped selling cell-site simulator technology to local law enforcement agencies but still works with the federal government. Digital Receiver Technology, a division of Boeing, is also a common supplier of the technology, often referred to as “<a href="https://www.revealnews.org/article/chicago-and-los-angeles-have-used-dirt-box-surveillance-for-a-decade/">dirtboxes</a>.”</p>
<p>Other sellers of cell-site simulators include Keyw, Octastic, Tactical Support Equipment, Berkeley Varitronics, Cogynte, X-Surveillance, Atos, Rayzone, Martone Radio Technology, Septier Communication, PKI Electronic Intelligence, Datong (Seven Technologies Group), Ability Computers and Software Industries, Gamma Group, Rohde &amp; Schwarz, Meganet Corporation. Manufacturers<a href="http://www.septier.com/law-enforcement/"> Septier</a> and<a href="https://info.publicintelligence.net/Gamma-GSM.pdf"> Gamma GSM</a> both provide information on what the devices can capture. The Intercept published a<a href="https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/"> secret, internal U.S. government catalogue</a> of various cellphone surveillance devices, as well as an<a href="https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/"> older cell-site simulator manual</a> made available through a Freedom of Information Act request.</p>
<h3>Threats Posed by Cell-Site Simulators</h3>
<p>Cell-site simulators invade the privacy of everyone who happens to be in a given area, regardless of the fact that the vast majority have not been accused of committing a crime. These are <a href="https://www.hoover.org/sites/default/files/research/docs/lynch_webreadypdf.pdf">general searches</a> that violate the Fourth Amendment requirement that warrants “particularly” describe who or what is to be searched.</p>
<p>The use of cell-site simulators has been shrouded in government secrecy. Police have used cell-site simulators to track location data without a warrant, by deceptively obtaining “pen register” orders from courts without explaining the true nature of the surveillance. In Baltimore, a judge concluded that law enforcement had <a href="https://www.aclu.org/other/state-v-andrews-stingray-june-4-2015-transcript?redirect=state-v-andrews-stingray-june-4-2015-transcript">intentionally withheld the information</a> from the defense, in violation of their legal disclosure obligations. For a while, police departments tried to keep the use of cell-site simulators secret from not just the public but also the court system, withholding information from defense attorneys and judges—likely due in part to<a href="http://www.baltimoresun.com/news/maryland/baltimore-city/bs-md-ci-stingray-case-20150408-story.html"> non-disclosure agreements</a> with Harris Corporation. Prosecutors have<a href="https://www.washingtonpost.com/world/national-security/secrecy-around-police-surveillance-equipment-proves-a-cases-undoing/2015/02/22/ce72308a-b7ac-11e4-aa05-1ce812b3fdd2_story.html"> accepted plea deals</a> to hide their use of cell-site simulators and have even<a href="http://arstechnica.com/tech-policy/2015/04/fbi-would-rather-prosecutors-drop-cases-than-disclose-stingray-details/"> dropped cases</a> rather than revealing information about their use of the technology. U.S. Marshals have<a href="https://arstechnica.com/tech-policy/2014/06/us-marshals-step-in-thwart-efforts-to-learn-about-cell-tracking-devices/"> driven files hundreds of miles</a> to thwart public records requests. Police have <a href="https://www.eff.org/deeplinks/2015/01/2014-review-stingrays-go-mainstream">tried to keep information secret</a> in Sarasota, Florida, Tacoma, Washington,<a href="https://arstechnica.com/tech-policy/2014/11/prosecutors-drop-key-evidence-at-trial-to-avoid-explaining-stingray-use/"> Baltimore, Maryland</a>, and St. Louis, Missouri.</p>
<p>To preserve this secrecy, the <a href="https://theintercept.com/2016/05/05/fbi-told-cops-to-recreate-evidence-from-secret-cell-phone-trackers/">FBI told police officers to recreate evidence</a> from the devices, according to a document obtained by the nonprofit investigative journalism outlet Oklahoma Watch.</p>
<p>Cell-site simulators often disrupt cell phone communications within as much as a <a href="http://www.theglobeandmail.com/news/national/rcmp-listening-tool-capable-of-knocking-out-911-calls-memoreveals/article29672075/">500-meter radius</a> of the device, interrupting important communications and even <a href="http://www.theglobeandmail.com/news/national/rcmp-listening-tool-capable-of-knocking-out-911-calls-memoreveals/article29672075/">emergency phone calls</a>. Cell-site simulators have been shown to disproportionately affect low-income communities and communities of color. In Baltimore, the use of cell-site simulators disproportionately impacted African-American communities, according to a map included in an <a href="https://www.eff.org/deeplinks/2016/08/civil-liberties-groups-file-fcc-complaint-arguing-baltimore-police-are-illegally">FCC complaint</a> that overlaid where Baltimore Police were using stingrays over census data on the city’s black population.</p>
<p><a href="https://www.eff.org/deeplinks/2018/08/blog-post-wyden-911-disruption-css">Cell-site simulators can also disrupt emergency calls</a>, such as 911 in the US, making them not only a menace to privacy but to public safety as well.</p>
<p>Cell-site simulators rely on vulnerabilities in our communications system that the government should help fix rather than exploit.</p>
<h3>EFF’s Work on Cell-Site Simulators</h3>
<p>For the reasons above, EFF opposes police use of cell-site simulators. Insofar as law enforcement agencies are using cell-site simulators in criminal investigations, EFF argues that use should be limited in the following ways:</p>
<ol>
<li>Law enforcement should obtain individualized warrants based on probable cause;</li>
<li>Cell-site simulators should only be used for serious, violent crimes;</li>
<li>Cell-site simulators should only be used for identifying the location of a particular phone;</li>
<li>Law enforcement must minimize the collection of data from people who are not the targets of the investigation;</li>
<li>Companies making cell-site simulators must confirm that their technology does not disrupt calls to emergency services.</li>
</ol>
<h4>Litigation</h4>
<p>We <a href="https://www.eff.org/press/releases/eff-files-foia-suit-over-us-marshals-spy-planes">filed a Freedom of Information Act lawsuit</a> to expose and shine light on the U.S. Marshals Service’s use of cell-site simulators on planes.</p>
<p>Along with the ACLU and ACLU of Maryland, we <a href="https://www.eff.org/deeplinks/2015/12/eff-joins-aclu-amicus-brief-supporting-warrant-requirement-cell-site-simulators">filed an amicus brief</a> in the first case in the country where a judge threw out evidence obtained as a result of using a cell-site simulator without a warrant.</p>
<p>We filed an amicus brief, along with the ACLU, pointing a court to facts indicating that the Milwaukee Police Department secretly used a cell-site simulator to locate a defendant through his cell phone without a warrant in U.S. vs. Damian Patrick. (The government then <a href="https://www.eff.org/document/us-v-patrick-government-letter-admitting-stingray-use">admitted</a> to having used it.)</p>
<h4>Legislation</h4>
<p>We were original co-sponsors of the <a href="https://www.eff.org/cases/californias-electronic-communications-privacy-act-calecpa">California Electronic Communications Privacy Act (CalECPA)</a>, along with the ACLU and the California Newspaper Publisher Association. This law requires California police to get a warrant before using a cell-site simulator. Any evidence obtained from a cell-site simulator without a warrant is inadmissible in court.</p>
<p>EFF supported S.B. 741, which requires transparency measures regarding the use of cell-site simulators. We <a href="https://www.eff.org/deeplinks/2016/04/here-are-79-policies-california-surveillance-tech-where-are-other-90">collected many of these policies</a>.</p>
<h4>Further Research</h4>
<p>We have written a report on the <a href="https://www.eff.org/wp/gotta-catch-em-all-understanding-how-imsi-catchers-exploit-cell-networks">technical means possibly used by cell-site simulators called “Gotta Catch ‘em All”</a>, and we have developed a proof of concept technical means of <a href="https://github.com/EFForg/crocodilehunter">detecting cell-site simulators called Crocodile Hunter</a>.</p>
<h3>EFF Cases</h3>
<p><a href="https://www.eff.org/cases/state-maryland-v-kerron-andrews">State of Maryland v. Kerron Andrews</a></p>
<p><a href="https://www.eff.org/cases/us-v-damian-patrick">U.S. v. Damian Patrick</a></p>
<p><a href="https://www.eff.org/cases/us-marshals-airborne-imsi-catchers">EFF v. U.S. Department of Justice</a></p>
<h3><strong>Suggested Additional Reading</strong></h3>
<p><a href="https://www.aclu.org/issues/privacy-technology/surveillance-technologies/stingray-tracking-devices-whos-got-them">Stingray Tracking Devices: Who&#8217;s Got Them?</a> (ACLU)</p>
<p><a href="https://papers.ssrn.com/sol3/papers.cfm?abstract_id=2437678">Your Secret Stingray&#8217;s No Secret Anymore: The Vanishing Government Monopoly over Cell Phone Surveillance and Its Impact on National Security and Consumer Privacy</a> (Harvard Journal of Law and Technology)</p>
<p><a href="https://oversight.house.gov/hearing/examining-law-enforcement-use-of-cell-phone-tracking-devices/">Examining Law Enforcement Use of Cell Phone Tracking Devices</a> (House Oversight Committee)</p>
<p><a href="http://centerformediajustice.org/resources/the-relentless-eye/">The Relentless “Eye” Local Surveillance: Its Impact on Human Rights and Its Relationship to National and International Surveillance</a> (Center for Media Justice and others)</p>
<p><a href="https://www.justice.gov/opa/file/767321/download">Department of Justice Policy Guidance: Use of Cell-Site Simulator Technology</a> (U.S. Department of Justice)</p>
<p><a href="https://theintercept.com/2016/09/12/long-secret-stingray-manuals-detail-how-police-can-spy-on-phones/">Long-Secret Stingray Manuals Detail How Police Can Spy on Phones</a>  (The Intercept)</p>
<p><a href="https://theintercept.com/2015/12/17/a-secret-catalogue-of-government-gear-for-spying-on-your-cellphone/">A Secret Catalogue of Government Gear for Spying on Your Cellphone</a> (The Intercept)</p>
<p><a href="https://gizmodo.com/american-cops-turns-to-canadian-phone-tracking-firm-aft-1845442778">Cops Turn to Canadian Phone-Tracking Firm After Infamous &#8216;Stingrays&#8217; Become &#8216;Obsolete&#8217;</a> (Gizmodo)</p>
</div>
</div>
<p><a href="https://sls.eff.org/technologies/cell-site-simulators-imsi-catchers" target="_blank" rel="noopener">source</a></p>
<hr />
<div id="tm-row-687d638d57d7d" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d58012" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-heading-687d638d582dd" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">IMSI Catcher System</h4>
</div>
<div id="tm-spacer-687d638d58705" class="tm-spacer"></div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<p>Cellular Interception Solutions help law enforcement authorities to acquire, intercept, analyze and manage cellular communications such as voice, SMS, and Call Related Information (CRI) data. This becomes vital as terrorists and criminal elements rely upon cellular mobile communications to carry out their subversive operations.</p>
<p>The initial step in the interception of any phone is identifying the presence of target phones in the areas of interest. This can be achieved using an IMSI catcher. IMSI Catcher Systems are designed to collect basic identities (IMSI, IMEI) of 2G, 3G, and 4G mobile phones working within their coverage area without the knowledge of the service providers and the phone users. This enables the agencies to identify the presence of the target in their area of operation. These phones can then be intercepted by Passive, Semi-Active, or Hybrid Interception systems.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d59563" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5977f" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-heading-687d638d599fb" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Passive GSM Interception System</h4>
</div>
<div id="tm-spacer-687d638d59e54" class="tm-spacer"></div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<p>Passive GSM Interception System is the most advanced monitoring system that does not transmit any information, hence making it completely undetectable by the operator or by the target that is being intercepted.</p>
</div>
</div>
<div id="tm-spacer-687d638d59f14" class="tm-spacer"></div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d59fdc" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5a1c4" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div class="wpb_raw_code wpb_content_element wpb_raw_html">
<div class="wpb_wrapper"><img loading="lazy" decoding="async" class="alignnone wp-image-21350" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png" alt="" width="715" height="455" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png 2560w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-400x255.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-1024x652.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-768x489.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-1536x978.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-PASSIVE-CELLPHONE-INTERCEPTION-SYSTEM-2048x1304.png 2048w" sizes="(max-width: 715px) 100vw, 715px" /></div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5a4d5" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5a6dc" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-heading-687d638d5a934" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Features</h4>
</div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<ul>
<li>System is completely passive, and its presence cannot be detected either by the target or by the service provider.</li>
<li>Capable of intercepting 2G, 3G, 4G and 5G networks.</li>
<li>Capable of intercepting calls and messages.</li>
<li>Location of targets can be displayed on a digital map.</li>
<li>Capable of intercepting 4 to 32 at a time from across multiple service providers.</li>
<li>Real-time passive deciphering of A5/1, A5/2, and A5/0 encrypted signals.</li>
<li>System stores intercepted voice calls, SMS, and protocol information on the control PC hard drive.</li>
<li>Additional configuration of Open-Source Intelligence (OSINT), Voice Print Analysis, Link Analysis.</li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5af4e" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5b1de" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-spacer-687d638d5b36c" class="tm-spacer"></div>
<div id="tm-heading-687d638d5b46a" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Semi-Active GSM Interception System</h4>
</div>
<div id="tm-spacer-687d638d5b8ad" class="tm-spacer"></div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<p>Semi-Active GSM Interception System can intercept incoming and outgoing communications between the Base Station and the Mobile Handset using the principle of Man-in-the-Middle, without being detectable by the operator or by the target that is being intercepted.</p>
</div>
</div>
<div id="tm-spacer-687d638d5b96f" class="tm-spacer"></div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5ba45" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5bc44" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div class="wpb_raw_code wpb_content_element wpb_raw_html">
<div class="wpb_wrapper"><img loading="lazy" decoding="async" class="alignnone wp-image-21351" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png" alt="" width="865" height="551" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png 2560w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-400x255.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-1024x652.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-768x489.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-1536x978.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-SEMI-ACTIVE-CELLPHONE-INTERCEPTION-SYSTEM-2048x1305.png 2048w" sizes="(max-width: 865px) 100vw, 865px" /></div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5beb6" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5c149" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-heading-687d638d5c3d3" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Features</h4>
</div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<ul>
<li>Interception does not require the service provider’s assistance or SIM for operation.</li>
<li>Real-time listening of the intercepted cell phone calls.</li>
<li>Capable of intercepting 2G, 3G, 4G and 5G networks.</li>
<li>Real-time deciphering of A5/1, A5/2, and A5/0 encrypted signals.</li>
<li>Capable of intercepting voice, SMS, and Call Related Information (CRI) data.</li>
<li>Location of targets can be determined with an accuracy of up to 5 meters.</li>
<li>Handheld direction finder for better location accuracy.</li>
<li>Selective jamming capability with which the operator can disable certain services of the target, such as outgoing calls, incoming calls, SMS, etc.</li>
<li>Spoofing and manipulating Text Messages and Calls.</li>
<li>Capable of intercepting 4 to 32 at a time from across multiple service providers.</li>
<li>Additional configuration of Open-Source Intelligence (OSINT), Voice Forensics, Keyword Spotting.</li>
</ul>
</div>
</div>
<div id="tm-spacer-687d638d5c8bb" class="tm-spacer"></div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5c9a5" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5cbf8" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-spacer-687d638d5cd57" class="tm-spacer"></div>
<div id="tm-heading-687d638d5cdf7" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Hybrid GSM Interception System</h4>
</div>
<div id="tm-spacer-687d638d5d1f8" class="tm-spacer"></div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<p>Hybrid GSM Interception system is a combination of Passive and Semi-Active interception systems. The basic functioning of the system is like the passive system and is turned into an active one only when required.</p>
</div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5d378" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5d593" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div class="wpb_raw_code wpb_content_element wpb_raw_html">
<div class="wpb_wrapper"><img loading="lazy" decoding="async" class="alignnone wp-image-21352" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png" alt="" width="774" height="493" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-scaled.png 2560w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-400x255.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-1024x652.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-768x489.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-1536x978.png 1536w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/f-HYBRID-CELLPHONE-INTERCEPTION-SYSTEM-2048x1305.png 2048w" sizes="(max-width: 774px) 100vw, 774px" /></div>
</div>
</div>
</div>
</div>
</div>
<div id="tm-row-687d638d5d82b" class="vc_row vc_row-outer vc_row-fluid">
<div id="tm-column-687d638d5d9eb" class="wpb_column vc_column_container vc_col-sm-12">
<div class="vc_column-inner ">
<div class="wpb_wrapper">
<div id="tm-heading-687d638d5dbb8" class="tm-heading left tm-animation move-up animate">
<h4 class="heading">Features</h4>
</div>
<div class="wpb_text_column wpb_content_element tm-animation move-up animate">
<div class="wpb_wrapper">
<ul>
<li>In Passive Mode all features of the passive system will apply.</li>
<li>In Semi-Active Mode all features of the Semi-Active Mode system will apply. <a href="https://www.stratign.com/gsm-interception-system-v2/" target="_blank" rel="noopener">source</a></li>
</ul>
</div>
</div>
</div>
</div>
</div>
</div>
<hr />
<h1 class="entry-title">Detecting IMSI-Catchers by Characterizing Identity Exposing Messages in Cellular Traffic</h1>
<p><strong>Tyler Tucker (University of Florida), Nathaniel Bennett (University of Florida), Martin Kotuliak (ETH Zurich), Simon Erni (ETH Zurich), Srdjan Capkun (ETH Zurich), Kevin Butler (University of Florida), Patrick Traynor (University of Florida)</strong></p>
<p>IMSI-Catchers allow parties other than cellular network providers to covertly track mobile device users. While the research community has developed many tools to combat this problem, current solutions focus on correlated behavior and are therefore subject to substantial false classifications. In this paper, we present a standards-driven methodology that focuses on the messages an IMSI-Catcher <em>must</em> use to cause mobile devices to provide their permanent identifiers. That is, our approach focuses on causal attributes rather than correlated ones. We systematically analyze message flows that would lead to IMSI exposure (most of which have not been previously considered in the research community), and identify 53 messages an IMSI-Catcher can use for its attack. We then perform a measurement study on two continents to characterize the ratio in which connections use these messages in normal operations. We use these benchmarks to compare against open-source IMSI-Catcher implementations and then observe anomalous behavior at a large-scale event with significant media attention. Our analysis strongly implies the presence of an IMSI-Catcher at said public event ($p &lt;&lt; 0.005$), thus representing the first publication to provide evidence of the statistical significance of its findings. <a href="https://www.ndss-symposium.org/ndss-paper/detecting-imsi-catchers-by-characterizing-identity-exposing-messages-in-cellular-traffic/" target="_blank" rel="noopener">source</a></p>
<blockquote class="wp-embedded-content" data-secret="148xCekYPH"><p><a href="https://goodshepherdmedia.net/detecting-imsi-catchers-tools-apps-and-methods-you-should-know/">Detecting IMSI Catchers: Tools, Apps and Methods You Should Know</a></p></blockquote>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams</title>
		<link>https://goodshepherdmedia.net/dhs-salt-typhoon-hackers-breached-army-national-guard-exposing-admin-credentials-and-network-diagrams/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Wed, 23 Jul 2025 20:16:24 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[breached Army National Guard]]></category>
		<category><![CDATA[DHS: Salt Typhoon hack]]></category>
		<category><![CDATA[Salt Typhoon hackers breach]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=21330</guid>

					<description><![CDATA[DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams Following the &#8220;Salt Typhoon&#8221; breach, which compromised U.S. Army National Guard networks, a former Air National Guard servicemember stated that all U.S. forces should now operate under the assumption that their networks are compromised and will be degraded, according to Nextgov/FCW. This reflects [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="single-post-title">DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams</h1>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<div class="rPeykc" data-hveid="CAMQAQ" data-ved="2ahUKEwihv7D_n8yOAxXPM0QIHZo6AEcQo_EKegQIAxAB"><span data-huuid="12237279190710991000"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21332" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/hacker.jpg" alt="" width="800" height="450" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/hacker.jpg 800w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/hacker-400x225.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/hacker-768x432.jpg 768w" sizes="(max-width: 800px) 100vw, 800px" /></span></div>
<div class="rPeykc" data-hveid="CAMQAQ" data-ved="2ahUKEwihv7D_n8yOAxXPM0QIHZo6AEcQo_EKegQIAxAB"><span data-huuid="12237279190710991000">Following the &#8220;Salt Typhoon&#8221; breach, which compromised U.S. Army National Guard networks, a former Air National Guard servicemember stated that all U.S. forces should now operate under the assumption that their networks are compromised and will be degraded, <a class="uVhVib" href="http://www.fcw.com/cybersecurity/2025/07/salt-typhoon-hacks-national-guard-systems-serious-escalation-experts-warn/406765/?oref=ng-homepage-river" target="_blank" rel="noopener">according</a> to Nextgov/FCW. </span><span data-huuid="12237279190710988909">This reflects a heightened state of alert and a need for enhanced cybersecurity measures due to the severity of the breach, which has been described as the &#8220;worst telecom breach&#8221; in American history.</span>
</div>
</div>
</div>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<div class="rPeykc" data-hveid="CAsQAQ" data-ved="2ahUKEwihv7D_n8yOAxXPM0QIHZo6AEcQo_EKegQICxAB"><span data-huuid="12237279190710988823">The Salt Typhoon breach, attributed to hackers connected to China, targeted a U.S. state&#8217;s Army National Guard network, starting in March. </span><span data-huuid="12237279190710990828">The extent of the compromise and the potential for further damage have prompted this call for a more cautious approach to network security across all U.S. forces, according to Nextgov/FCW.</span></div>
</div>
</div>
<div data-hveid="CAsQAQ" data-ved="2ahUKEwihv7D_n8yOAxXPM0QIHZo6AEcQo_EKegQICxAB">
<p><iframe title="Salt Typhoon hack targeted National Guard computer networks" width="640" height="360" src="https://www.youtube.com/embed/xHuiRx6Tw18?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
</div>
<div class="WaaZC">
<div data-hveid="CAsQAQ" data-ved="2ahUKEwihv7D_n8yOAxXPM0QIHZo6AEcQo_EKegQICxAB">
<p>Officials with both the National Guard Bureau and the Department of Homeland Security (DHS) confirmed to MeriTalk today that the China-based Salt Typhoon hacking group targeted National Guard networks for attacks between March and December 2024.</p>
<p>These attacks have potentially far-reaching implications for the security of other National Guard unit networks and critical infrastructure entities that the guard helps to protect.</p>
<p>Both agencies indicated that the attacks targeted multiple National Guard networks, and that they have been working on steps to mitigate the impact of the attacks.</p>
<p>A <strong>report</strong> from NBC News last night broke the news of the attacks, and cited as a primary source of its reporting a June 11 <a href="https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/"><strong>memo</strong></a> from DHS’s Office of Intelligence and Analysis detailing the Salt Typhoon attacks. That memo lays out how extensive the blast radius of the attack may have been.</p>
<p>“A recent compromise of a US state’s Army National Guard network by People’s Republic of China (PRC)-associated cyber actors – publicly tracked as Salt Typhoon – likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS memo says.</p>
<p>“If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict,” the DHS memo warns.</p>
<p>The memo also offers guidance to help the National Guard and state governments to detect, prevent, and mitigate against threats emanating from the Salt Typhoon attacks.</p>
<p>The DHS memo goes on to say that the Salt Typhoon attacks “extensively compromised” the unnamed state National Guard’s network, “and, among other things, collected its network configuration and its data traffic with its counterparts’ networks in every other US state and at least four US territories, according to a DOD [Defense Department] report.”</p>
<p>“This data also included these networks’ administrator credentials and network diagrams – which could be used to facilitate follow-on Salt Typhoon hacks of these units,” the memo says.</p>
<p>“Salt Typhoon has previously used exfiltrated network configuration files to enable cyber intrusions elsewhere,” the memo says, adding, “Between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other US government and critical infrastructure entities, including at least two US state government agencies. At least one of these files later informed their compromise of a vulnerable device on another US government agency’s network.”</p>
<p>“Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure,” the memo warns, adding, “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information – including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”</p>
<p>“DHS regularly communicates threat information with its partners and in June shared an update on the People’s Republic of China-affiliated hacking group, Salt Typhoon, targeting National Guard networks between March and December 2024,” a DHS spokesperson said today.</p>
<p>“DHS is continuing to analyze these types of attacks and is coordinating closely with the National Guard and other partners to prevent future attacks and mitigate risk,” the spokesperson said.</p>
<p>“The National Guard is aware of recent Department of Defense and Department of Homeland Security reporting regarding the People’s Republic of China-affiliated hacking group, Salt Typhoon, and their targeting of Army National Guard networks between March and December 2024,” a spokesperson for the National Guard Bureau told MeriTalk today.</p>
<p>“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.</p>
<p>“We are taking this matter extremely seriously,” the spokesperson said. “Security protocols are in place to mitigate further risk and contain any potential data compromises, and the response is ongoing. We are coordinating closely with DHS and other federal partners.”</p>
<p>At least one private sector cybersecurity expert reacted with considerable alarm to the news.</p>
<p>“Salt Typhoon’s compromise of the US National Guard is a significant event and potentially poses a serious threat to many Department of Defense systems,” said Gary Barlet, Illumio’s public sector chief technology officer.</p>
<p>“Going forward, all US forces must now assume their networks are compromised and will be degraded,” Barlet warned.</p>
<p>“This isn’t the first breach of Department of Defense systems we’ve seen,” Barlet said. “There have been numerous instances across both the public and private sector where sensitive information has been compromised and critical systems accessed via lateral movement.”</p>
<p>“In fact, the <strong><a href="https://www.illumio.com/news/cost-of-ransomware-study">Ponemon Institute</a></strong> highlighted that 55% of organizations admitted a compromised device had infected other devices on the network,” he said.</p>
<p>“The ability of groups such as Salt Typhoon to move laterally across different units and systems is why government agencies must accelerate Zero Trust adoption and go even further with a breach containment strategy,” Barlet emphasized. “It is critical that services and data remain secure even when attackers have compromised a section of the network.”</p>
<p>The Salt Typhoon and related Volt Typhoon hacking groups backed by the Chinese government have emerged in recent years as sophisticated threat actors. Earlier this year, a U.S. intelligence community report <strong>said</strong> that the PRC poses the biggest cyber threat to the United States. <a href="https://www.meritalk.com/articles/dhs-national-guard-confirm-salt-typhoon-attacks-on-guard-networks/" target="_blank" rel="noopener">source</a></p>
</div>
</div>
<p id="anchor-8046ae" class="body-graf">An elite Chinese cyberspy group hacked at least one state’s National Guard network for nearly a year, the Department of Defense has found.</p>
<p id="anchor-72a2f6" class="body-graf">The hackers, already responsible for one of the most expansive cyberespionage campaigns against the U.S. to date, are alleged to have burrowed even further than previously known and may have obtained sensitive military or law enforcement information. Authorities are still working to discover the extent of the data accessed.</p>
<p id="anchor-225054" class="body-graf">A Department of Homeland Security <a href="https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/" target="_blank" rel="noopener">memo from June</a>, describing the Pentagon’s findings, said that the group, publicly known by the nickname Salt Typhoon, “extensively compromised a U.S. state’s Army National Guard network” from March 2024 through December. The memo did not say which state.</p>
<p id="anchor-e19aa3" class="body-graf">The report was provided to NBC News through the national security transparency nonprofit Property of the People, which obtained it through a freedom of information request.</p>
<p id="anchor-cb9f01" class="body-graf">The Department of Defense didn’t respond to a request for comment. A National Guard Bureau spokesperson confirmed the compromise but declined to share details.</p>
<p id="anchor-ffa686" class="body-graf">“While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.</p>
<p id="anchor-87fa2a" class="body-graf">A spokesperson for China’s embassy in Washington did not deny the campaign but said the U.S. has failed to prove China is behind the Salt Typhoon hacks.</p>
<p id="anchor-85c708" class="body-graf">“Cyberattacks are a common threat faced by all countries, China included,” the spokesperson said, adding that the U.S. “has been unable to produce conclusive and reliable evidence that the ‘Salt Typhoon’ is linked to the Chinese government.”</p>
<p id="anchor-384df2" class="body-graf">Salt Typhoon is notorious even by the standards of China’s massive cyberspy efforts because of its ability to jump from one organization to another. Last year, U.S. authorities found that it had hacked <a href="https://www.nbcnews.com/tech/security/chinese-hackers-stole-americans-phone-data-8-telecoms-us-officials-say-rcna182942" target="_blank" rel="noopener">at least eight</a> of the country’s largest internet and phone companies, including AT&amp;T and Verizon, using access to <a href="https://www.nbcnews.com/tech/security/china-phone-target-hack-trump-vance-harris-rcna177383" target="_blank" rel="noopener">spy on the calls and text messages</a> of both the Harris and Trump presidential campaigns, as well as the office of then-Senate Majority Leader Chuck Schumer.</p>
<p id="anchor-f2148e" class="body-graf">While part of the Department of Defense, National Guard units are also under the authority of their states; some are deeply integrated with local governments or law enforcement, which may have given the Salt Typhoon hackers the ability to compromise other organizations.</p>
<p id="anchor-3b146e" class="body-graf">The hack “likely provided Beijing with data that could facilitate the hacking of other states’ Army National Guard units, and possibly many of their state-level cybersecurity partners,” the DHS report found. The National Guard in 14 U.S. states work with law enforcement “fusion centers” to share intelligence, the DHS memo notes. The hackers accessed a map of geographic locations in the targeted state, diagrams of how internal networks are set up, and personal information of service members, it said.</p>
<p id="anchor-0e3f15" class="body-graf">In January, the Treasury Department — also a recent target of alleged Chinese hacking — <a href="https://home.treasury.gov/news/press-releases/sb0042" target="_blank" rel="noopener">sanctioned a Sichuan company</a> for allegedly helping Beijing’s Ministry of State Security conduct Salt Typhoon operations.</p>
<p id="anchor-807819" class="endmark body-graf">Salt Typhoon can be pernicious and hard to root out once the hackers take hold. In the AT&amp;T case, <a href="https://www.reuters.com/technology/cybersecurity/chinese-salt-typhoon-cyberespionage-targets-att-networks-secure-carrier-says-2024-12-29/" target="_blank" rel="noopener">the company announced</a> in December that it appeared as if they were no longer being affected and <a href="https://www.verizon.com/about/news/verizon-provides-update-salt-typhoon-matter" target="_blank" rel="noopener">Verizon said in January it had “contained”</a> the incident. Both companies stopped short of saying they were fully protected from the hackers returning. A <a href="https://blog.talosintelligence.com/salt-typhoon-analysis/" target="_blank" rel="noopener">report from Cisco</a> said that, in at least one instance, Salt Typhoon hackers remained in an affected environment for up to three years. <a href="https://www.nbcnews.com/tech/security/national-guard-was-hacked-chinas-salt-typhoon-group-dhs-says-rcna218648" target="_blank" rel="noopener">source</a></p>
<hr />
<h1 class="single-post-title"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-21333" src="https://goodshepherdmedia.net/wp-content/uploads/2025/07/china-hacks-us-1-1024x585-1.jpg" alt="" width="1024" height="585" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/07/china-hacks-us-1-1024x585-1.jpg 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/china-hacks-us-1-1024x585-1-400x229.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/07/china-hacks-us-1-1024x585-1-768x439.jpg 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></h1>
<h1 class="single-post-title">DHS: Salt Typhoon hackers breached Army National Guard, exposing admin credentials and network diagrams</h1>
<p>A U.S. Department of Homeland Security (DHS) memo circulated in June revealed that a Chinese cyberespionage group known as Salt Typhoon ‘extensively compromised a U.S. state’s Army National Guard network’ over nine months in 2024. The memo, which cites findings from the Department of Defense, said the breach lasted from March through December and did not specify which state was targeted. It also revealed that the stolen data included administrator credentials and detailed network diagrams, information that could enable Salt Typhoon hackers to carry out follow-on attacks against the compromised installations.</p>
<p>The memo, however, <a href="https://www.documentcloud.org/documents/25998809-20250611-dhs-salt-typhoon/" target="_blank" rel="noreferrer noopener">noted that</a> “If the PRC-associated cyber actors that conducted the hack succeeded in the latter, it could hamstring state-level cybersecurity partners’ ability to defend US critical infrastructure against PRC cyber campaigns in the event of a crisis or conflict.”</p>
<p>The DHS also identified that in 2023 and 2024, Salt Typhoon stole 1,462 network configuration files associated with approximately 70 U.S. government and critical infrastructure entities from 12 sectors, including energy, <a href="https://industrialcyber.co/critical-infrastructure/ericsson-to-lead-security-first-overhaul-of-telecom-defense-as-nation-state-cyber-threats-intensify-in-2025/">communications</a>, transportation, and water and wastewater sectors. “These configuration files could enable further computer network exploitation of other networks, including data capture, administrator account manipulation, and <a href="https://industrialcyber.co/ics-security-framework/vedere-labs-details-deep-lateral-movement-in-ot-networks-provides-mitigation-strategies/">lateral movement</a> between networks, according to CISA reporting and NSA guidance.”</p>
<p>Salt Typhoon, already tied to some of the most aggressive cyber operations against the U.S., is now believed to have gained deeper access than previously known, raising concerns that the hackers may have obtained sensitive military or law enforcement information. Federal officials are still investigating the extent of the data exposure.</p>
<p>A National Guard Bureau spokesperson <a href="https://www-nbcnews-com.cdn.ampproject.org/c/s/www.nbcnews.com/news/amp/rcna218648" target="_blank" rel="noreferrer noopener">confirmed</a> the compromise to NBC News, but declined to share details. “While we cannot provide specific details on the attack or our response to it, we can say this attack has not prevented the National Guard from accomplishing assigned state or federal missions, and that NGB continues to investigate the intrusion to determine its full scope,” the spokesperson said.</p>
<p>The DHS revealed that between January and March 2024, Salt Typhoon exfiltrated configuration files associated with other U.S. government and critical infrastructure entities, including at least two U.S. state government agencies. At least one of these files later informed their compromise of a vulnerable device on another U.S. government agency’s network.</p>
<p>It added that Salt Typhoon’s success in compromising states’ Army National Guard networks nationwide could undermine local cybersecurity efforts to protect critical infrastructure. “In some 14 states, Army National Guard units are integrated with state fusion centers responsible for sharing threat information—including cyber threats. In at least one state, the local Army National Guard unit directly provides network defense services.”</p>
<p>The memo also identified that Salt Typhoon’s access to Army National Guard networks in these states could include information on state cyber defense posture, as well as the personally identifiable information (PII) and work locations of state cybersecurity personnel, data that could be used to inform future cyber-targeting efforts.</p>
<p>According to DOD reporting, in 2024, Salt Typhoon used its access to a US state’s Army National Guard network to exfiltrate administrator credentials, network traffic diagrams, a map of geographic locations throughout the state, and PII of its service members.</p>
<p>The DHS memo surfaces as senior cybersecurity officials from the National Security Agency and the FBI report progress in disrupting Chinese cyber campaigns targeting U.S. critical infrastructure.</p>
<p>Speaking Tuesday at the International Conference on Cyber Security at Fordham University in New York City, experts <a href="https://therecord.media/china-typhoon-hackers-nsa-fbi-response" target="_blank" rel="noreferrer noopener">detailed</a> Beijing’s so-called Typhoon campaigns, coordinated efforts involving both Chinese government entities and private sector actors aimed at infiltrating U.S. government agencies and critical infrastructure installations.</p>
<p>Kristina Walter, director of the NSA’s Cybersecurity Collaboration Center, focused on <a href="https://industrialcyber.co/critical-infrastructure/uat-5918-apt-group-targets-taiwan-critical-infrastructure-possible-linkage-to-volt-typhoon/">Volt Typhoon,</a> an effort by Chinese actors to preposition themselves on U.S. critical infrastructure for disruptive or destructive cyberattacks in the event of a <a href="https://industrialcyber.co/analysis/digital-battlegrounds-evolving-hybrid-kinetic-warfare/">kinetic conflict</a> centered around Taiwan.</p>
<p>“The good news is, they really failed. They wanted to persist in domestic networks very quietly for a very long time so that if and when they needed to disrupt those networks, they could. They were not successful in that campaign,” she said.</p>
<p>“We, with private sector, with FBI, found them, understood how they were using the operating systems, how they’re using legitimate credentials to maintain persistence, and frankly, we equipped the entire private sector and U.S. government to hunt for them and detect them.”</p>
<p>Walter did not offer further details about those efforts. She said that after the NSA and other agencies released a <a href="https://industrialcyber.co/critical-infrastructure/cyber-attacks-continue-to-hit-critical-infrastructure-exposing-vulnerabilities-in-oil-water-healthcare-sectors/">public advisory in 2024</a>, owners of <a href="https://industrialcyber.co/industrial-cyber-attacks/cyble-warns-hacktivists-shift-tactics-targeting-critical-infrastructure-with-ics-attacks-data-breaches-intrusions/">critical infrastructure</a> reached out to them to confirm that they had found evidence of Volt Typhoon and ask for help.</p>
<p>Brett Leatherman, who was <a href="https://industrialcyber.co/critical-infrastructure/federal-cyber-posts-see-fresh-faces-amid-push-to-boost-national-resilience-reinforce-digital-defenses/">recently appointed</a> assistant director for cyber at the FBI, echoed those remarks and noted that Volt Typhoon was specifically focused on critical infrastructure centered around the U.S. Navy, particularly <a href="https://therecord.media/chinese-hackers-behind-guam-hack-targeting-us-for-years" target="_blank" rel="noreferrer noopener">in island communities like Guam</a>.</p>
<p>He said U.S. efforts to shine a light on the campaign forced Chinese actors to pull back, adapt their tactics, and burn previous methods they used to breach critical infrastructure systems. The publicity fostered by U.S. agencies forced Chinese groups to come up with new ways to breach organizations while also providing ways for private industry to better defend itself.</p>
<p>“Even if you’re not dismantling that network — we’re never going to dismantle the CCP hacking apparatus — but if you can bring real relief to victims, you’re also protecting national security by doing that, and that’s why public attribution is so important when it comes to PRC hacking activity,” he said.</p>
<p>Commenting on the DHS memo, Ensar Seker, CISO at SOCRadar, wrote in an emailed statement that the revelation that Salt Typhoon maintained access to a U.S. National Guard network for nearly a year is a serious escalation in the cyber domain.</p>
<p>“This isn’t just an opportunistic intrusion. It reflects deliberate, long-term espionage designed to quietly extract strategic intelligence. The group’s sustained presence suggests they were gathering more than just files, they were likely mapping infrastructure, monitoring communication flows, and identifying exploitable weak points for future use,” according to Seker. “What’s deeply concerning is that this activity went undetected for so long in a military environment. It raises questions about visibility gaps, segmentation policies, and detection capabilities in hybrid federal-state defense networks.”</p>
<p>He added that it’s another reminder that advanced persistent threat actors like Salt Typhoon are not only targeting federal agencies but also state-level components, where the security posture might be more varied.</p>
<p>“In a time where we are often fooled into thinking cybercrime means somebody telling us that we missed jury duty, or convincing our loved ones of a long-distance romantic relationship, we sometimes miss the fact that this is more than a game and is played at the nation state level,” Erich Kron, security awareness advocate at KnowBe4, wrote in an emailed statement. “Cybercrime has real dangers for real people and real governments as well. The Typhoon groups, several different alleged Chinese-backed cybercrime groups that carry the ‘Typhoon’ moniker as part of their name, have been known to be very stealthy and very effective. While this was at the state level with the National Guard, it still goes to demonstrate that even our military forces are at risk from these cybercrime groups.”</p>
<p>He added that “These criminal groups must be taken seriously, which means that everyone from senior government leadership to the average citizen needs to be at least somewhat aware of the threats, how to spot them, and who to report them to. Whether it’s stealing money from individuals to fund other operations or trying to cripple infrastructure through cyberattacks, these bad actors are a clear and present danger.” <a href="https://industrialcyber.co/critical-infrastructure/dhs-salt-typhoon-hackers-breached-army-national-guard-exposing-admin-credentials-and-network-diagrams/" target="_blank" rel="noopener">source</a></p>
<hr />
<div class="dw-term-title">
<h1>Major US telecom hack prompts security push after Salt Typhoon attack</h1>
<p><iframe title="Salt Typhoon ‘largely contained’ in telecom networks; Pentagon AI office eliminates CTO directorate" width="640" height="360" src="https://www.youtube.com/embed/R__Ikzi4HGM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
</div>
<div class="updates-excerpt dw-content-box-p">
<p>Officials urge stronger defences after Chinese hackers infiltrated major US telecom networks.</p>
<div class="dw-term-description dw-content-box-p">
<p id="Lawmakershave">Lawmakers <a href="https://www.reuters.com/technology/cybersecurity/senators-say-us-must-boost-security-after-chinese-salt-typhoon-telecom-hacking-2024-12-11/" target="_blank" rel="noreferrer noopener nofollow">have called</a> for urgent measures to strengthen US telecommunications security following a massive cyberattack linked to China. The hacking campaign, referred to as Salt Typhoon, targeted American telecom companies, compromising vast amounts of metadata and call records. Federal agencies have briefed Congress on the incident, which officials say could be the largest telecom breach in US history.</p>
<p id="SenatorBen">Senator Ben Ray Luján described the hack as a wake-up call, urging the full implementation of federal recommendations to secure networks. Senator Ted Cruz warned of future threats, emphasising the need to close vulnerabilities in critical infrastructure. Debate also surfaced over the role of offensive cybersecurity measures, with Senator Dan Sullivan questioning whether deterrence efforts are adequate.</p>
<p id="TheWhite">The White House reported that <a href="https://dig.watch/updates/salt-typhoon-cyberespionage-operation-raises-alarm-over-us-telecommunications-security-vulnerabilities" target="_blank" rel="noreferrer noopener">at least eight telecommunications firms were affected</a>, with significant data theft. In response, Federal Communications Commission Chairwoman Jessica Rosenworcel proposed annual cybersecurity certifications for telecom companies. Efforts to replace insecure Chinese-made equipment in US networks continue, but funding shortfalls have hampered progress.</p>
<p id="Chinahas"><a href="https://dig.watch/countries/china" target="_blank" rel="noreferrer noopener">China</a> has dismissed the allegations, claiming opposition to all forms of cybercrime. However, US officials have cited evidence of data theft involving companies like Verizon, AT&amp;T, and Lumen. Congress is set to vote on a defence bill allocating $3.1 billion to remove and replace vulnerable telecom hardware. <a href="https://dig.watch/updates/major-us-telecom-hack-prompts-security-push-after-salt-typhoon-attack" target="_blank" rel="noopener">source</a></p>
</div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Setting Up A Police Scanner With An RTL-SDR</title>
		<link>https://goodshepherdmedia.net/setting-up-a-police-scanner-with-an-rtl-sdr/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Mon, 10 Mar 2025 00:15:19 +0000</pubDate>
				<category><![CDATA[Adult Fun]]></category>
		<category><![CDATA[Computer Hacks]]></category>
		<category><![CDATA[Cool Tech & Gadgets 📱⌚🎧⚡]]></category>
		<category><![CDATA[Corruption Over the Years]]></category>
		<category><![CDATA[Electronic Projects]]></category>
		<category><![CDATA[Entertainment]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Home & Garden]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Tools Questions]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Windows]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[🙂Fun Facts🙂]]></category>
		<category><![CDATA[🚨👮Cops Gone Wild 🤡💩]]></category>
		<category><![CDATA[Setting Up A Police Scanner With An RTL-SDR]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=19248</guid>

					<description><![CDATA[Setting Up A Police Scanner With An RTL-SDR The RTL-SDR Blog V4 dongle can be used with SDRTrunk software to listen to trunked police radio and other communications. The RTL-SDR is a wide band radio scanner that can be used for a variety of purposes, including police radio scanning, listening to EMS and fire communications, and more. [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>Setting Up A Police Scanner With An RTL-SDR</h1>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<div class="rPeykc" data-hveid="CAMQAQ" data-ved="2ahUKEwjfhvni-f2KAxWKJ0QIHcb2KfsQo_EKegQIAxAB">
<p><span data-huuid="7081602413228056754">The RTL-SDR Blog V4 dongle <mark class="QVRyCf">can be used with SDRTrunk software to listen to trunked police radio and other communications</mark>. </span><span data-huuid="7081602413228060523">The RTL-SDR is a wide band radio scanner that can be used for a variety of purposes, including police radio scanning, listening to EMS and fire communications, and more.</span></p>
</div>
</div>
</div>
<div data-hveid="CAMQAQ" data-ved="2ahUKEwjfhvni-f2KAxWKJ0QIHcb2KfsQo_EKegQIAxAB">
<p><iframe title="Turn your Computer into a Trunked Police Scanner for 35$ Unitrunker v2" width="640" height="360" src="https://www.youtube.com/embed/xtVNX9kv22Q?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<div style="width: 640px;" class="wp-video"><video class="wp-video-shortcode" id="video-19248-1" width="640" height="360" preload="metadata" controls="controls"><source type="video/mp4" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/police-scanner.mp4?_=1" /><a href="https://goodshepherdmedia.net/wp-content/uploads/2025/01/police-scanner.mp4">https://goodshepherdmedia.net/wp-content/uploads/2025/01/police-scanner.mp4</a></video></div>
</div>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<div class="rPeykc uP58nb" data-hveid="CA0QAQ" data-ved="2ahUKEwjfhvni-f2KAxWKJ0QIHcb2KfsQo_EKegQIDRAB"><span data-huuid="11803490536340609537"><span role="heading" aria-level="2">How it works</span></span></div>
</div>
</div>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<ul>
<li><span data-huuid="11803490536340607360">The RTL-SDR uses a control channel to listen to a frequency that changes often during a conversation.<span class="pjBG2e" data-cid="3a9a539a-1c05-4e12-aacd-b670206805d9"><span class="UV3uM"> </span></span></span></li>
<li class="NPrrbc" data-cid="3a9a539a-1c05-4e12-aacd-b670206805d9" data-uuids="11803490536340607360"><span data-huuid="11803490536340607274">The SDRTrunk software can import trunked system network data from a RadioReference subscription.<span class="pjBG2e" data-cid="7f73e306-93e1-40ce-a11a-34f49c8c5990"><span class="UV3uM"> </span></span></span></li>
<li class="NPrrbc" data-cid="7f73e306-93e1-40ce-a11a-34f49c8c5990" data-uuids="11803490536340607274"><span data-huuid="11803490536340607188">The SDRTrunk software can also blacklist unwanted talkgroups.<span class="pjBG2e" data-cid="c70aca23-8f94-414a-bbcd-7b1f6a682068"><span class="UV3uM"> </span></span></span></li>
<li class="NPrrbc" data-cid="c70aca23-8f94-414a-bbcd-7b1f6a682068" data-uuids="11803490536340607188"><span data-huuid="11803490536340607102">The SDRTrunk software can record and upload trunked radio conversations to a site like openmhz.com.<span class="pjBG2e" data-cid="7fb05838-e878-4243-a6ef-ade1face66b7"><span class="UV3uM"> </span></span></span></li>
</ul>
</div>
</div>
<div class="WaaZC">
<div class="RJPOee EIJn2">
<div class="rPeykc" data-hveid="CCAQAQ" data-ved="2ahUKEwjfhvni-f2KAxWKJ0QIHcb2KfsQo_EKegQIIBAB">
<p><span data-huuid="13536315053031529434">What you&#8217;ll need: </span><span data-huuid="11510408485515957098">an RTL-SDR Blog V4 dongle, SDRTrunk software, a decent antenna, and a computer with a dual-core processor or more.<span class="pjBG2e" data-cid="8d3dba75-be97-4859-90e1-5255b0c54f4a"><span class="UV3uM"> </span></span></span></p>
</div>
</div>
</div>
<h2 id="shopping" tabindex="-1">shopping</h2>
<p>you&#8217;ll need <a href="https://www.rtl-sdr.com/buy-rtl-sdr-dvb-t-dongles/">an RTL-SDR unit</a>. i recommend the dipole antenna kit as well, so you don&#8217;t need to make any additional purchases. if you&#8217;re a radio enthusiast already, you might have a better antenna available, but if you&#8217;re like me you do not and it&#8217;s worth the US$10. mine took a bit over a week to arrive. if you&#8217;re extremely unlucky, you might need two of them, but i was fine with just one. <strong><span style="color: #0000ff;"><em><a style="color: #0000ff;" href="https://www.amazon.com/s?k=sdr+rtl+v4&amp;hvadid=692721048132&amp;hvdev=c&amp;hvlocphy=9031181&amp;hvnetw=g&amp;hvqmt=e&amp;hvrand=7350757278038370506&amp;hvtargid=kwd-2259975973389&amp;hydadcr=24326_13533824&amp;tag=googhydr-20&amp;ref=pd_sl_2787y6f5z8_e" target="_blank" rel="noopener">buy here</a></em></span></strong></p>
<h2 id="basic-setup" tabindex="-1">basic setup</h2>
<p>once your RTL-SDR arrives, you&#8217;ll want to put together your antenna. if you&#8217;re lucky, like i am, you can just extend the antennas arbitrarily and it&#8217;ll work fine; if you&#8217;re cursed, the RTL-SDR website has resources on how long is ideal for various frequencies.</p>
<p>connect the antenna to the RTL-SDR unit, plug it in, and follow the RTL-SDR <a href="https://www.rtl-sdr.com/rtl-sdr-quick-start-guide/">quick start guide</a>. SDRSharp will work, or any of the other Windows options. some of what we&#8217;ll need is only available on windows.</p>
<p>once your RTL-SDR&#8217;s drivers are sorted out, find the specifications for police radio in your area on <a href="https://www.radioreference.com/apps/db/">RadioReference</a>. click your state, click your county, scroll down and see if there&#8217;s a link above a frequency table for you. if you&#8217;re lucky, there is, and if you click it there&#8217;s a page with a table with System Type and System Voice entries at the top. mine has a system type of EDACS Networked Standard and a system voice of ProVoice and Analog, so the rest of this assumes that&#8217;s what you&#8217;ve got as well. if not, good luck.</p>
<p>there should be a table for System Frequencies on your RadioReference page. start up SDRSharp and tune your radio to the first frequency listed there. you&#8217;ll probably hear a bunch of static and the UI will look something like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19253" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-1.png" alt="" width="928" height="800" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-1.png 928w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-1-400x345.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-1-768x662.png 768w" sizes="(max-width: 928px) 100vw, 928px" /></p>
<p>see how there&#8217;s one constant signal and a bunch of other signals that appear and disappear all over the place? well, that&#8217;s trunking, and the constant signal is our <em>control channel</em>. if you don&#8217;t see it, you can click and drag on the bottom axis of the top panel to change the view. once you&#8217;ve found that constant signal, click on it to get the approximate frequency, go back to your frequency table and the closest thing to that will be the exact frequency. it should sound like a series of weird beeps instead of static. remember that frequency, it&#8217;ll be important later.</p>
<p><em>update 2020-07-31</em>: that control channel can change between the frequencies listed on RadioReference. if things randomly quit working, come back to this step, and see if the control channel has moved. i&#8217;ll mark down below the places that need changing accordingly.</p>
<h2 id="specific-setup" tabindex="-1">specific setup</h2>
<p>EDACS is a trunked system, so we&#8217;re using <a href="https://www.rtl-sdr.com/rtl-sdr-tutorial-following-trunked-radio-unitrunker/">RTL-SDR&#8217;s trunked radio tutorial</a> as our guide, mostly. that guide assumes we have two RTL-SDRs, but there&#8217;s a piece at the end explaining how to do it with just one. that sucks. i&#8217;m going to paraphrase it here.</p>
<p>first, we&#8217;re going to download the software we need: <a href="http://www.unitrunker.com/">Unitrunker</a>, <a href="http://www.vb-cable.com/">VB-Cable</a>, and <a href="https://www.dsdplus.com/">DSD+</a> (extract both the regular and DLL downloads to the same folder). install unitrunker and VB-Cable and extract dsd+ somewhere convenient. you might need to reboot after installing VB-Cable because computers are bad. VB-Cable might set your default input and output devices to the wrong things when you install it, so switch them back if it does. <em><strong><a href="https://www.unitrunker.com/download.html" target="_blank" rel="noopener">https://www.unitrunker.com/download.html</a></strong></em></p>
<p>or download the zipped MSI file from us <a href="https://goodshepherdmedia.net/wp-content/uploads/2025/01/UniTrunker-2.1.0.108.zip" target="_blank" rel="noopener">HERE</a> <a href="https://goodshepherdmedia.net/wp-content/uploads/2025/01/UniTrunker-2.1.0.108.zip">UniTrunker-2.1.0.108</a></p>
<p>open up dsd+. it&#8217;ll open four different windows, one of them should have a list of audio input and output devices. check the number in the input list that goes with CABLE Output &#8211; for me it&#8217;s 3. pull up notepad and make a new file. since my input was number 3, i&#8217;m typing</p>
<pre class="language-batch"><code class="language-batch">DSDPlus.exe -i3M</code></pre>
<p>in that file: if yours is not 3, put whatever the correct number is for you instead of 3. then, save the file, find your DSDPlus folder, make sure the type is set to &#8220;All Files&#8221;, and name the file <code>run.bat</code>. close dsd+, go to that folder, and open that <code>run.bat</code> file you just created. it should pull up dsd+ and if you&#8217;re lucky it&#8217;ll print</p>
<pre class="language-text"><strong><code class="language-text">audio input device #3 (CABLE Output (VB-Audio Virtual ) initialized</code></strong></pre>
<p>or something like that. leave that open.</p>
<p>open up unitrunker. click the <code>+</code> to add a new receiver, and click the RTL2832 button to add your RTL-SDR. set your settings around like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19252" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-2.png" alt="" width="387" height="513" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-2.png 387w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-2-302x400.png 302w" sizes="(max-width: 387px) 100vw, 387px" /></p>
<p>the most important things are the RTL Device, the sample rate (2.56 msps), and the VCOs (2 VCOs). i do not know what a VCO is and i do not care enough to find out. we should now have two VCO tabs next to our info tab. the first one needs to look kinda like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19251" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-3.png" alt="" width="387" height="717" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-3.png 387w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-3-216x400.png 216w" sizes="(max-width: 387px) 100vw, 387px" /></p>
<p>the important things are the Role being Signal, the Park frequency being the control channel we found earlier (mine is 851.7625), and the Mute box being checked.</p>
<p><em>update 2020-07-31</em>: if the control channel changes, this Park frequency is one of the two things you&#8217;ll need to update.</p>
<p>the second VCO should look kinda like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19250" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-4.png" alt="" width="387" height="727" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-4.png 387w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-4-213x400.png 213w" sizes="(max-width: 387px) 100vw, 387px" /></p>
<p>the important things are the Role being Voice, the Deemphasis box being unchecked, and the Digital Output being set to your CABLE Input. this means it will connect up with dsd+ listening to our CABLE Output.</p>
<p>press Play now; it should pull up a window with a Channels tab. the Channels tab should look something like this:</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19249" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-5.png" alt="" width="821" height="633" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-5.png 821w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-5-400x308.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/2020-06-26-police-scanner-setup-5-768x592.png 768w" sizes="(max-width: 821px) 100vw, 821px" /></p>
<p>but the Frequency column will all be zeroes except for the control frequency we found earlier. you&#8217;ll need to copy over the rest of the frequencies manually from the RadioReference site.</p>
<p><em>update 2020-07-31</em>: if the control channel changes, you&#8217;ll need to uncheck the Control box on the old control channel, and check the Control box on the new control channel.</p>
<p>press the stop button and the play button again, and everything should in theory be working. ideally, the Call History tab will be crowded and updating pretty frequently, and unitrunker will be passing things along to dsd+ which will give us the audio we want. technically, this is enough.</p>
<h2 id="groups" tabindex="-1">groups</h2>
<p>the thing, though, is we don&#8217;t have context for any of this. for now, at least. RadioReference should have a table or several of talkgroups &#8211; the &#8220;list all in one table&#8221; button may come in handy &#8211; and we can use that information to figure out who we&#8217;re hearing, and have at least some control over who takes priority if multiple people in different contexts are talking at once.</p>
<p>find the main unitrunker window &#8211; it&#8217;s titled &#8220;Universal Trunker&#8221; and if you don&#8217;t have it open just click the home button a bunch until it opens &#8211; and then open the Systems tab and double-click the one that exists. open the Groups tab in that window, and it should give you a massive list with columns for ID, Label, and a bunch of stuff we don&#8217;t care about right now. the ID matches up with the DEC column in the RadioReference table, and the Label can be either &#8220;Description&#8221; or &#8220;Alpha Tag&#8221; or something you make up yourself if you feel creative. if you pay RadioReference $15 for a Premium subscription then unitrunker can import that data automatically.</p>
<p>once you&#8217;ve filled that all in, open the Sites tab and double-click the entry you see there, then open the Call History tab. the group labels you added should now be appearing in the Audience column; the LCN and Frequency should turn green for what unitrunker is currently listening to.</p>
<p>back in the Groups tab, you can edit the Priority values to control which groups will be chosen more often &#8211; as far as i can tell, higher priority groups will interrupt lower priority groups, and equal priority groups will just play whoever started talking first.</p>
<h2 id="broadcasting" tabindex="-1">broadcasting</h2>
<p>this setup lets you listen to things locally, but what if you want your comrades with no hardware to be able to also listen? the laziest option is to just stream the Call History window on Twitch or something, but in theory there are better options. RadioReference runs Broadcastify, which is designed for hosting police scanner livestreams, but they have to manually approve your broadcast, which is annoying for short term activity. you could run an icecast server yourself or something, but that takes effort to configure. honestly all of those kinda suck but those are your options as far as i know.</p>
<p><em>update 2020-07-31</em>: you can also let your friendly neighborhood succulent run an icecast server for you; reach out to me if you need something like this. if you&#8217;ve got an icecast server, you&#8217;ll need to pay for (or otherwise obtain) <a href="https://www.vb-audio.com/Cable/index.htm#DownloadCable">VB-CABLE A+B</a>, set up VB-CABLE A, and grab <a href="https://danielnoethen.de/butt/">butt (broadcast using this tool)</a>.</p>
<p>you&#8217;ll need to set DSD+ to output to &#8220;CABLE-A Input&#8221; like how you set it to input from &#8220;CABLE Output&#8221; &#8211; Cable A is the fourth output in DSD+, so my run.bat now looks like this:</p>
<pre class="language-batch"><code class="language-batch">DSDPlus.exe -i3M -o4</code></pre>
<p>run butt, pull up the settings, and under the Audio tab set the Input Device to &#8220;CABLE-A Output&#8221;. (for bonus points, set the Streaming Codec to AAC+.) under the Main tab, Add a new Server and put in whatever info your icecast server admin told you to use. now restart your DSD+ and hit butt&#8217;s play button to start streaming, and you should be running a livestream of your police scanner that is accessible over the internet. <a href="https://www.boringcactus.com/2020/06/26/police-scanner-setup.html" target="_blank" rel="noopener">source</a></p>
<hr />
<h1>Understanding, Listening and Recording Trunked Radio Systems with an RTL-SDR and Trunk-Recorder</h1>
<div>
<div class="content">
<p>Trunked radio systems for voice communications can be easily found when browsing the spectrum with an SDR. Listening to a voice communication is easy, but actually following a conversation along is almost impossible to do manually. This is because in a trunking system the frequency in use during a conversation can change often. The frequency of the voice is dictated by a control channel that all radios listen to. This allows multiple talk groups (Police, EMS, business etc) to share one chunk of the spectrum without having to allocate fixed channels for each user.</p>
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-19254" src="https://goodshepherdmedia.net/wp-content/uploads/2025/01/trunked_radio_andrewm.png" alt="" width="1024" height="582" srcset="https://goodshepherdmedia.net/wp-content/uploads/2025/01/trunked_radio_andrewm.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/trunked_radio_andrewm-400x227.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2025/01/trunked_radio_andrewm-768x437.png 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></p>
<p>Over on his blog, Andrew Mohawk has <a href="https://www.andrewmohawk.com/2020/06/12/trunked-radio-a-guide/" target="_blank" rel="noopener">uploaded an excellent guide that explains trunked radio</a>, how it works, how to use RadioReference to look up trunked radio frequencies in your area, and how to use an RTL-SDR to listen in. He then shows how to use a program called &#8220;trunk-recorder&#8221;, which automatically records trunked radio conversations and uploads them to a site like <a href="https://openmhz.com/" target="_blank" rel="noopener">openmhz.com</a> for sharing. <a href="https://www.rtl-sdr.com/understanding-listening-and-recording-trunked-radio-systems-with-an-rtl-sdr-and-trunk-recorder/" target="_blank" rel="noopener">source</a></p>
</div>
</div>
]]></content:encoded>
					
		
		<enclosure url="https://goodshepherdmedia.net/wp-content/uploads/2025/01/police-scanner.mp4" length="0" type="video/mp4" />

			</item>
		<item>
		<title>NSA Plans to Infect Millions of Computers with Malware using AI</title>
		<link>https://goodshepherdmedia.net/nsa-plans-to-infect-millions-of-computers-with-malware-using-ai/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Sat, 25 Jan 2025 19:43:47 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[Corrupt Politicians]]></category>
		<category><![CDATA[Corruption Over the Years]]></category>
		<category><![CDATA[Disaster]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Legal News The Motivation]]></category>
		<category><![CDATA[Man Made]]></category>
		<category><![CDATA[North America]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Science & Engineering]]></category>
		<category><![CDATA[Software Pioneers]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Tragic]]></category>
		<category><![CDATA[United States 🇺🇸]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🌍World Stage🌍]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[📱Mobile📱]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[🤖 AI Artificial Intelligence]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[NSA Plans to Infect Millions of Computers with Malware using AI]]></category>
		<category><![CDATA[spyware]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=18039</guid>

					<description><![CDATA[NSA Plans to Infect Millions of Computers with Malware using AI Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process. The classified files – provided previously by NSA [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1>NSA Plans to Infect Millions of Computers with Malware using AI</h1>
<p>Top-secret documents reveal that the National Security Agency is dramatically expanding its ability to covertly hack into computers on a mass scale by using automated systems that reduce the level of human oversight in the process.</p>
<p>The classified files – provided previously by NSA whistleblower Edward Snowden – contain new details about groundbreaking surveillance technology the agency has developed to infect potentially millions of computers worldwide with malware “implants.” The clandestine initiative enables the NSA to break into targeted computers and to siphon out data from foreign Internet and phone networks.</p>
<p>The covert infrastructure that supports the hacking efforts operates from the agency’s headquarters in Fort Meade, Maryland, and from eavesdropping bases in the United Kingdom and Japan. GCHQ, the British intelligence agency, appears to have played an integral role in helping to develop the implants tactic.</p>
<p>In some cases the NSA has masqueraded as a fake Facebook server, using the social media site as a launching pad to infect a target’s computer and exfiltrate files from a hard drive. In others, it has sent out spam emails laced with the malware, which can be tailored to covertly record audio from a computer’s microphone and take snapshots with its webcam. The hacking systems have also enabled the NSA to launch cyberattacks by corrupting and disrupting file downloads or denying access to websites.</p>
<p>The implants being deployed were once reserved for a few hundred hard-to-reach targets, whose communications could not be monitored through traditional wiretaps. But the documents analyzed by <em>The Intercept</em> show how the NSA has aggressively accelerated its hacking initiatives in the past decade by computerizing some processes previously handled by humans. The automated system – codenamed TURBINE – is designed to “allow the current implant network to scale to large size (millions of implants) by creating a system that does automated control implants by groups instead of individually.”</p>
<p>In a top-secret presentation, dated August 2009, the NSA describes a pre-programmed part of the covert infrastructure called the “Expert System,” which is designed to operate “like the brain.” The system manages the applications and functions of the implants and “decides” what tools they need to best extract data from infected machines.</p>
<p>Mikko Hypponen, an expert in malware who serves as chief research officer at the Finnish security firm <a href="http://home.f-secure.com/en_US/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">F-Secure</a>, calls the revelations “disturbing.” The NSA’s surveillance techniques, he warns, could inadvertently be undermining the security of the Internet.</p>
<p>“When they deploy malware on systems,” Hypponen says, “they potentially create new vulnerabilities in these systems, making them more vulnerable for attacks by third parties.”</p>
<p>Hypponen believes that governments could arguably justify using malware in a small number of targeted cases against adversaries. But millions of malware implants being deployed by the NSA as part of an automated process, he says, would be “out of control.”</p>
<p>“That would definitely not be proportionate,” Hypponen says. “It couldn’t possibly be targeted and named. It sounds like wholesale infection and wholesale surveillance.”</p>
<p>The NSA declined to answer questions about its deployment of implants, pointing to a new presidential policy directive announced by President Obama. “As the president made clear on 17 January,” the agency said in a statement, “signals intelligence shall be collected exclusively where there is a foreign intelligence or counterintelligence purpose to support national and departmental missions, and not for any other purposes.”</p>
<h4>“Owning the Net”</h4>
<p>The NSA began rapidly escalating its hacking efforts a decade ago. In 2004, according to secret <a href="https://theintercept.com/document/2014/03/12/thousands-implants/">internal records</a>, the agency was managing a small network of only 100 to 150 implants. But over the next six to eight years, as an elite unit called Tailored Access Operations (TAO) recruited new hackers and developed new malware tools, the number of implants soared to tens of thousands.</p>
<p>To penetrate foreign computer networks and monitor communications that it did not have access to through other means, the NSA wanted to go beyond the limits of traditional signals intelligence, or SIGINT, the agency’s term for the interception of electronic communications. Instead, it sought to broaden “active” surveillance methods – tactics designed to directly infiltrate a target’s computers or network devices.</p>
<p>In the documents, the agency describes such techniques as “a more aggressive approach to SIGINT” and says that the TAO unit’s mission is to “aggressively scale” these operations.</p>
<p>But the NSA recognized that managing a massive network of implants is too big a job for humans alone.</p>
<p>“One of the greatest challenges for active SIGINT/attack is scale,” explains the top-secret presentation from 2009. “Human ‘drivers’ limit ability for large-scale exploitation (humans tend to operate within their own environment, not taking into account the bigger picture).”</p>
<p>The agency’s solution was TURBINE. Developed as part of the TAO unit, it is described in the leaked documents as an “intelligent command and control capability” that <a href="https://theintercept.com/document/2014/03/12/industrial-scale-exploitation/">enables</a> “industrial-scale exploitation.”</p>
<p><iframe title="Exposed: Secret Government Surveillance Tools They DON&#039;T Want You to Know About!" width="640" height="360" src="https://www.youtube.com/embed/iRYji0Q2K30?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p>TURBINE was designed to make deploying malware much easier for the NSA’s hackers by reducing their role in overseeing its functions. The system would “relieve the user from needing to know/care about the details,” the NSA’s Technology Directorate notes in <a href="https://theintercept.com/document/2014/03/12/nsa-technology-directorate-analysis-converged-data/">one secret document</a> from 2009. “For example, a user should be able to ask for ‘all details about application X’ and not need to know how and where the application keeps files, registry entries, user application data, etc.”</p>
<p>In practice, this meant that TURBINE would automate crucial processes that previously had to be performed manually – including the configuration of the implants as well as surveillance collection, or “tasking,” of data from infected systems. But automating these processes was about much more than a simple technicality. The move represented a major tactical shift within the NSA that was expected to have a profound impact – allowing the agency to push forward into a new frontier of surveillance operations.</p>
<p>The ramifications are starkly illustrated in one undated top-secret NSA document, which describes how the agency planned for TURBINE to “increase the current capability to deploy and manage hundreds of Computer Network Exploitation (CNE) and Computer Network Attack (CNA) implants to potentially millions of implants.” (CNE mines intelligence from computers and networks; CNA seeks to disrupt, damage or destroy them.)</p>
<div class="default"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18041" src="https://goodshepherdmedia.net/wp-content/uploads/2024/05/turbine-large-1024x86-1.webp" alt="" width="1024" height="86" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/05/turbine-large-1024x86-1.webp 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/05/turbine-large-1024x86-1-400x34.webp 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/05/turbine-large-1024x86-1-768x65.webp 768w" sizes="(max-width: 1024px) 100vw, 1024px" /></div>
<p>Eventually, the secret files indicate, the NSA’s plans for TURBINE came to fruition. The system has been operational in some capacity since at least July 2010, and its role has become increasingly central to NSA hacking operations.</p>
<p><a href="http://www.nytimes.com/2014/01/15/us/nsa-effort-pries-open-computers-not-connected-to-internet.html?_r=1" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Earlier</a> <a href="http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">reports</a> based on the Snowden files indicate that the NSA has already deployed between 85,000 and 100,000 of its implants against computers and networks <a href="http://www.nrc.nl/nieuws/2013/11/23/nsa-infected-50000-computer-networks-with-malicious-software/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">across the world</a>, with plans to keep on scaling up those numbers.</p>
<p>The intelligence community’s top-secret “Black Budget” for 2013, obtained by Snowden, lists TURBINE as part of a broader NSA surveillance initiative named “Owning the Net.”</p>
<p>The agency sought $67.6 million in taxpayer funding for its Owning the Net program last year. Some of the money was earmarked for TURBINE, expanding the system to encompass “a wider variety” of networks and “enabling greater automation of computer network exploitation.”</p>
<h4>Circumventing Encryption</h4>
<p>The NSA has a diverse arsenal of malware tools, each highly sophisticated and customizable for different purposes.</p>
<p>One implant, codenamed UNITEDRAKE, can be used with a variety of “plug-ins” that enable the agency to gain total control of an infected computer.</p>
<p>An implant plug-in named CAPTIVATEDAUDIENCE, for example, is used to take over a targeted computer’s microphone and record conversations taking place near the device. Another, GUMFISH, can covertly take over a computer’s webcam and snap photographs. FOGGYBOTTOM records logs of Internet browsing histories and collects login details and passwords used to access websites and email accounts. GROK is used to log keystrokes. And SALVAGERABBIT exfiltrates data from removable flash drives that connect to an infected computer.</p>
<p>The implants can enable the NSA to circumvent privacy-enhancing encryption tools that are used to browse the Internet anonymously or scramble the contents of emails as they are being sent across networks. That’s because the NSA’s malware gives the agency unfettered access to a target’s computer before the user protects their communications with encryption.</p>
<p>It is unclear how many of the implants are being deployed on an annual basis or which variants of them are currently active in computer systems across the world.</p>
<p>Previous reports <a href="http://www.washingtonpost.com/world/national-security/stuxnet-was-work-of-us-and-israeli-experts-officials-say/2012/06/01/gJQAlnEy6U_story.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">have alleged</a> that the NSA worked with Israel to develop the Stuxnet malware, which was used to sabotage Iranian nuclear facilities. The agency also <a href="http://www.washingtonpost.com/world/national-security/us-israel-developed-computer-virus-to-slow-iranian-nuclear-efforts-officials-say/2012/06/19/gJQA6xBPoV_story.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">reportedly</a> worked with Israel to deploy malware called Flame to infiltrate computers and spy on communications in countries across the Middle East.</p>
<p>According to the Snowden files, the technology has been used to seek out terror suspects as well as individuals regarded by the NSA as “extremist.” But the mandate of the NSA’s hackers is not limited to invading the systems of those who pose a threat to national security.</p>
<p>In one secret post on an internal message board, an operative from the NSA’s Signals Intelligence Directorate describes using malware attacks against systems administrators who work at foreign phone and Internet service providers. By hacking an administrator’s computer, the agency can gain covert access to communications that are processed by his company. “Sys admins are a means to an end,” the NSA operative writes.</p>
<p>The internal post – titled “I hunt sys admins” – makes clear that terrorists aren’t the only targets of such NSA attacks. Compromising a systems administrator, the operative notes, makes it easier to get to other targets of interest, including any “government official that happens to be using the network some admin takes care of.”</p>
<p>Similar tactics have been adopted by Government Communications Headquarters, the NSA’s British counterpart. As the German newspaper <em>Der Spiegel</em> <a href="http://www.spiegel.de/international/europe/british-spy-agency-gchq-hacked-belgian-telecoms-firm-a-923406.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">reported</a> in September, GCHQ hacked computers belonging to network engineers at Belgacom, the Belgian telecommunications provider.</p>
<p>The mission, codenamed “Operation Socialist,” was designed to enable GCHQ to monitor mobile phones connected to Belgacom’s network. The secret files deem the mission a “success,” and indicate that the agency had the ability to covertly access Belgacom’s systems since at least 2010.</p>
<p>Infiltrating cellphone networks, however, is not all that the malware can be used to accomplish. The NSA has specifically tailored some of its implants to infect large-scale network routers used by Internet service providers in foreign countries. By compromising routers – the devices that connect computer networks and transport data packets across the Internet – the agency can gain covert access to monitor Internet traffic, record the browsing sessions of users, and intercept communications.</p>
<p>Two implants the NSA injects into network routers, HAMMERCHANT and HAMMERSTEIN, help the agency to intercept and perform “exploitation attacks” against data that is sent through a <a href="http://www.techterms.com/definition/vpn" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Virtual Private Network</a>, a tool that uses encrypted “tunnels” to enhance the security and privacy of an Internet session.</p>
<div class="default"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18042" src="https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-vpn.webp" alt="" width="618" height="467" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-vpn.webp 618w, https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-vpn-400x302.webp 400w" sizes="(max-width: 618px) 100vw, 618px" /></div>
<p>The implants also track phone calls sent across the network via Skype and other Voice Over IP software, revealing the username of the person making the call. If the audio of the VOIP conversation is sent over the Internet using unencrypted “Real-time Transport Protocol” packets, the implants can covertly record the audio data and then return it to the NSA for analysis.</p>
<div class="default"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18043" src="https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-voip.webp" alt="" width="621" height="469" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-voip.webp 621w, https://goodshepherdmedia.net/wp-content/uploads/2024/05/hammer-voip-400x302.webp 400w" sizes="(max-width: 621px) 100vw, 621px" /></div>
<p>But not all of the NSA’s implants are used to gather intelligence, the secret files show. Sometimes, the agency’s aim is disruption rather than surveillance. QUANTUMSKY, a piece of NSA malware developed in 2004, is used to block targets from accessing certain websites. QUANTUMCOPPER, first tested in 2008, corrupts a target’s file downloads. These two “attack” techniques are revealed on <a href="https://theintercept.com/document/2014/03/12/one-way-quantum/">a classified list</a> that features nine NSA hacking tools, six of which are used for intelligence gathering. Just one is used for “defensive” purposes – to protect U.S. government networks against intrusions.</p>
<h4>“Mass exploitation potential”</h4>
<p>Before it can extract data from an implant or use it to attack a system, the NSA must first install the malware on a targeted computer or network.</p>
<p>According to <a href="https://theintercept.com/document/2014/03/12/nsa-phishing-tactics-man-middle-attacks/">one top-secret document</a> from 2012, the agency can deploy malware by sending out spam emails that trick targets into clicking a malicious link. Once activated, a “back-door implant” infects their computers within eight seconds.</p>
<p>There’s only one problem with this tactic, codenamed WILLOWVIXEN: According to the documents, the spam method has become less successful in recent years, as Internet users have become wary of unsolicited emails and less likely to click on anything that looks suspicious.</p>
<p>Consequently, the NSA has turned to new and more advanced hacking techniques. These include performing so-called “man-in-the-middle” and “man-on-the-side” attacks, which covertly force a user’s internet browser to route to NSA computer servers that try to infect them with an implant.</p>
<p>To perform a man-on-the-side attack, the NSA observes a target’s Internet traffic using its global network of covert “accesses” to data as it flows over fiber optic cables or satellites. When the target visits a website that the NSA is able to exploit, the agency’s surveillance sensors <a href="https://theintercept.com/document/2014/03/12/quantum-insert-diagrams/">alert the TURBINE system</a>, which then “shoots” data packets at the targeted computer’s IP address within a fraction of a second.</p>
<p>In one man-on-the-side technique, codenamed QUANTUMHAND, the agency disguises itself as a fake Facebook server. When a target attempts to log in to the social media site, the NSA transmits malicious data packets that trick the target’s computer into thinking they are being sent from the real Facebook. By concealing its malware within what looks like an ordinary Facebook page, the NSA is able to hack into the targeted computer and covertly siphon out data from its hard drive. A top-secret animation demonstrates the tactic in action.</p>
<p><iframe id="vimeo-3998515" class="social-iframe social-iframe--vimeo" src="https://player.vimeo.com/video/88822483?title=0&amp;byline=0&amp;portrait=0&amp;badge=0&amp;color=8280FF" width="100%" frameborder="0" allowfullscreen="allowfullscreen" data-mce-fragment="1"></iframe></p>
<p>The documents show that QUANTUMHAND became operational in October 2010, after being successfully tested by the NSA against about a dozen targets.</p>
<p>According to Matt Blaze, a surveillance and cryptography expert at the University of Pennsylvania, it appears that the QUANTUMHAND technique is aimed at targeting specific individuals. But he expresses concerns about how it has been covertly integrated within Internet networks as part of the NSA’s automated TURBINE system.</p>
<p>“As soon as you put this capability in the backbone infrastructure, the software and security engineer in me says that’s terrifying,” Blaze says.</p>
<p>“Forget about how the NSA is intending to use it. How do we know it is working correctly and only targeting who the NSA wants? And even if it does work correctly, which is itself a really dubious assumption, how is it controlled?”</p>
<p>In an email statement to <em>The Intercept</em>, Facebook spokesman Jay Nancarrow said the company had “no evidence of this alleged activity.” He added that Facebook implemented HTTPS encryption for users last year, making browsing sessions less vulnerable to malware attacks.</p>
<p>Nancarrow also pointed out that other services besides Facebook could have been compromised by the NSA. “If government agencies indeed have privileged access to network service providers,” he said, “any site running only [unencrypted] HTTP could conceivably have its traffic misdirected.”</p>
<p>A man-in-the-middle attack is a similar but slightly more aggressive method that can be used by the NSA to deploy its malware. It refers to a hacking technique in which the agency covertly places itself between computers as they are communicating with each other.</p>
<p>This allows the NSA not only to observe and redirect browsing sessions, but to modify the content of data packets that are passing between computers.</p>
<p>The man-in-the-middle tactic can be used, for instance, to covertly change the content of a message as it is being sent between two people, without either knowing that any change has been made by a third party. The same technique is <a href="https://blogs.rsa.com/man-in-the-middle-standing-between-you-and-your-cash/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">sometimes used by criminal hackers</a> to defraud people.</p>
<p>A top-secret NSA presentation from 2012 reveals that the agency developed a man-in-the-middle capability called SECONDDATE to “influence real-time communications between client and server” and to “quietly redirect web-browsers” to NSA malware servers called FOXACID. In October, details about the FOXACID system were <a href="http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-online-anonymity" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">reported by the <em>Guardian</em></a>, which revealed its links to attacks against users of the Internet anonymity service Tor.</p>
<p>But SECONDDATE is tailored not only for “surgical” surveillance attacks on individual suspects. It can also be used to launch bulk malware attacks against computers.</p>
<p>According to the 2012 presentation, the tactic has “mass exploitation potential for clients passing through network choke points.”</p>
<div class="default"><img decoding="async" title="" src="https://theintercept.com/wp-content/uploads/2014/03/tao-2-1024x768.png" alt="" /></div>
<p>Blaze, the University of Pennsylvania surveillance expert, says the potential use of man-in-the-middle attacks on such a scale “seems very disturbing.” Such an approach would involve indiscriminately monitoring entire networks as opposed to targeting individual suspects.</p>
<p>“The thing that raises a red flag for me is the reference to ‘network choke points,’” he says. “That’s the last place that we should be allowing intelligence agencies to compromise the infrastructure – because that is by definition a mass surveillance technique.”</p>
<p>To deploy some of its malware implants, the NSA exploits security vulnerabilities in commonly used Internet browsers such as Mozilla Firefox and Internet Explorer.</p>
<p>The agency’s hackers also exploit security weaknesses in network routers and in popular software plugins such as Flash and Java to deliver malicious code onto targeted machines.</p>
<p>The implants can circumvent anti-virus programs, and the NSA has gone to extreme lengths to ensure that its clandestine technology is extremely difficult to detect. An implant named VALIDATOR, used by the NSA to upload and download data to and from an infected machine, can be set to self-destruct – deleting itself from an infected computer after a set time expires.</p>
<p>In many cases, firewalls and other security measures do not appear to pose much of an obstacle to the NSA. Indeed, the agency’s hackers appear confident in their ability to circumvent any security mechanism that stands between them and compromising a computer or network. “If we can get the target to visit us in some sort of web browser, we can probably own them,” an agency hacker boasts in one secret document. “The only limitation is the ‘how.’”</p>
<h4>Covert Infrastructure</h4>
<p>The TURBINE implants system does not operate in isolation.</p>
<p>It is linked to, and relies upon, a large network of clandestine surveillance “sensors” that the agency has <a href="https://theintercept.com/document/2014/03/12/turbine-turmoil/">installed at locations across the world</a>.</p>
<div class="default"><img decoding="async" title="" src="https://theintercept.com/wp-content/uploads/2014/03/turbine_turmoil_maps-1-1024x768.png" alt="" /></div>
<p>The NSA’s headquarters in Maryland are part of this network, as are eavesdropping bases used by the agency in Misawa, Japan and Menwith Hill, England.</p>
<p>The sensors, codenamed TURMOIL, operate as a sort of high-tech surveillance dragnet, monitoring packets of data as they are sent across the Internet.</p>
<p>When TURBINE implants exfiltrate data from infected computer systems, the TURMOIL sensors automatically identify the data and return it to the NSA for analysis. And when targets are communicating, the TURMOIL system can be used to send alerts or “tips” to TURBINE, enabling the initiation of a malware attack.</p>
<p>The NSA identifies surveillance targets based on a series of data “selectors” as they flow across Internet cables. These selectors, according to internal documents, can include email addresses, IP addresses, or the unique “cookies” containing a username or other identifying information that are sent to a user’s computer by websites such as Google, Facebook, Hotmail, Yahoo, and Twitter.</p>
<p>Other selectors the NSA uses can be gleaned from unique Google advertising cookies that track browsing habits, unique encryption key fingerprints that can be traced to a specific user, and computer IDs that are sent across the Internet when a Windows computer crashes or updates.</p>
<div class="default"><img decoding="async" title="" src="https://theintercept.com/wp-content/uploads/2014/03/selectors-1024x768.png" alt="" /></div>
<p>What’s more, the TURBINE system operates with the knowledge and support of other governments, some of which have participated in the malware attacks.</p>
<p>Classification markings on the Snowden documents indicate that NSA has shared many of its files on the use of implants with its counterparts in the so-called Five Eyes surveillance alliance – the United Kingdom, Canada, New Zealand, and Australia.</p>
<p>GCHQ, the British agency, has taken on a particularly important role in helping to develop the malware tactics. The Menwith Hill satellite eavesdropping base that is part of the TURMOIL network, located in a rural part of Northern England, is operated by the NSA in close cooperation with GCHQ.</p>
<p><a href="https://theintercept.com/document/2014/03/12/turbine-turmoil/">Top-secret documents</a> show that the British base – referred to by the NSA as “MHS” for Menwith Hill Station – is an integral component of the TURBINE malware infrastructure and has been used to <a href="https://theintercept.com/document/2014/03/12/menwith-hill-station-leverages-xkeyscore-quantum-yahoo-hotmail/">experiment</a> with implant “exploitation” attacks against users of Yahoo and Hotmail.</p>
<p>In <a href="https://theintercept.com/document/2014/03/12/nsa-gchqs-quantumtheory-hacking-tactics/">one document</a> dated 2010, at least five variants of the QUANTUM hacking method were listed as being “operational” at Menwith Hill. The same document also reveals that GCHQ helped integrate three of the QUANTUM malware capabilities – and test two others – as part of a surveillance system it operates codenamed INSENSER.</p>
<p>GCHQ cooperated with the hacking attacks despite having reservations about their legality. One of the Snowden files, <a href="https://www.documentcloud.org/documents/894386-legal-issues-uk-regarding-sweden-and-quantum.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">previously disclosed</a> by Swedish broadcaster SVT, revealed that as recently as April 2013, GCHQ was apparently reluctant to get involved in deploying the QUANTUM malware due to “legal/policy restrictions.” A representative from a unit of the British surveillance agency, meeting with an obscure telecommunications standards committee in 2010, separately <a href="https://www.documentcloud.org/documents/1077367-uk-perspective-on-mikey-ibake.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">voiced concerns</a> that performing “active” hacking attacks for surveillance “may be illegal” under British law.</p>
<p>In response to questions from <em>The Intercept</em>, GCHQ refused to comment on its involvement in the covert hacking operations. Citing its boilerplate response to inquiries, the agency said in a statement that “all of GCHQ’s work is carried out in accordance with a strict legal and policy framework which ensures that our activities are authorized, necessary and proportionate, and that there is rigorous oversight.”</p>
<p>Whatever the legalities of the United Kingdom and United States infiltrating computer networks, the Snowden files bring into sharp focus the broader implications. Under cover of secrecy and without public debate, there has been an unprecedented proliferation of aggressive surveillance techniques. One of the NSA’s primary concerns, in fact, appears to be that its clandestine tactics are now being adopted by foreign rivals, too.</p>
<p>“Hacking routers has been good business for us and our 5-eyes partners for some time,” notes one NSA analyst in <a href="https://theintercept.com/document/2014/03/12/five-eyes-hacking-large-routers/">a top-secret document</a> dated December 2012. “But it is becoming more apparent that other nation states are honing their skillz [sic] and joining the scene.” <a href="https://theintercept.com/2014/03/12/nsa-plans-infect-millions-computers-malware/" target="_blank" rel="noopener">source</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>FBI’s Encrypted Phone Platform Infiltrated Hundreds of Criminal Syndicates; Result is Massive Worldwide Takedown</title>
		<link>https://goodshepherdmedia.net/fbis-encrypted-phone-platform-infiltrated-hundreds-of-criminal-syndicates-result-is-massive-worldwide-takedown/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Mon, 09 Dec 2024 09:00:14 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[Digital Pioneers]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Legal News The Motivation]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Software Pioneers]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[💻Tech History]]></category>
		<category><![CDATA[📱Mobile📱]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[🙂Fun Facts🙂]]></category>
		<category><![CDATA[ANØM]]></category>
		<category><![CDATA[FBI’s Encrypted Phone Platform]]></category>
		<category><![CDATA[Massive Criminal Takedown]]></category>
		<category><![CDATA[Massive Worldwide Takedown]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=18981</guid>

					<description><![CDATA[FBI’s Encrypted Phone Platform ANØM​ Infiltrated Hundreds of Criminal Syndicates; Result is Massive Worldwide Takedown SAN DIEGO – A wave of hundreds of arrests that began in Australia and stretched across Europe culminated today with the unsealing of a federal grand jury indictment in San Diego charging 17 foreign nationals with distributing thousands of encrypted [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="page-title"><span class="field-formatter--string">FBI’s Encrypted Phone Platform ANØM Infiltrated Hundreds of Criminal Syndicates; Result is Massive Worldwide Takedown</span></h1>
<div class="node-body">
<div class="field-formatter--text-default field-text-format--wysiwyg text-formatted field_body">
<p>SAN DIEGO – A wave of hundreds of arrests that began in Australia and stretched across Europe culminated today with the unsealing of a federal grand jury indictment in San Diego charging 17 foreign nationals with distributing thousands of encrypted communication devices to criminal syndicates.</p>
<p>The 500-plus arrests that took place during a worldwide two-day takedown were possible because of a San Diego-based investigation like no other. For the first time, the FBI operated its own encrypted device company, called “ANOM,” which was promoted by criminal groups worldwide. These criminals sold more than 12,000 ANOM encrypted devices and services to more than 300 criminal syndicates operating in more than 100 countries, including Italian organized crime, Outlaw Motorcycle Gangs, and various international drug trafficking organizations, according to court records.</p>
<div class="media entity-type-media entity-bundle-document media--document--embedded entity-document-1145201" data-link-text-override="SEARCH WARRANT - Operation Trojan Shield">
<div>
<ul>
<li class="field-formatter--media-entity-download-download-link field_media_file"><a class="file file--mime-application-pdf file--application-pdf" title="unsealed_trojan_shield_search_warrant_21mj1948.pdf" href="https://www.justice.gov/usao-sdca/press-release/file/1402426/dl?inline" type="application/pdf; length=1831954" data-once="doj-analytics">SEARCH WARRANT &#8211; Operation Trojan Shield</a></li>
<li><a class="file file--mime-application-pdf file--application-pdf" title="unsealed_trojan_shield_indictment_21cr1623-jls.pdf" href="https://www.justice.gov/usao-sdca/press-release/file/1402421/dl?inline" type="application/pdf; length=7161282" data-once="doj-analytics">INDICTMENT &#8211; Operation Trojan Shield</a></li>
</ul>
</div>
</div>
</div>
</div>
<div>
<p><iframe title="ANØM: The Most Genius FBI Operation" width="640" height="360" src="https://www.youtube.com/embed/f6FRIDG8TPY?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
</div>
<div class="node-body">
<div class="field-formatter--text-default field-text-format--wysiwyg text-formatted field_body">
<div class="media entity-type-media entity-bundle-image media--image--s12 entity-image-121486">
<div class="field__item img_wrp"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18987" src="https://goodshepherdmedia.net/wp-content/uploads/2024/12/worldmap.jpg" alt="" width="1200" height="629" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/12/worldmap.jpg 1200w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/worldmap-400x210.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/worldmap-1024x537.jpg 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/worldmap-768x403.jpg 768w" sizes="(max-width: 1200px) 100vw, 1200px" /></div>
</div>
<p>During the course of the investigation, while ANOM’s criminal users unknowingly promoted and communicated on a system operated lawfully by the FBI, agents catalogued more than 27 million messages between users around the world who had their criminal discussions reviewed, recorded, and translated by the FBI, until the platform was taken down yesterday.</p>
<p>The users, believing their ANOM devices were protected from law enforcement by the shield of impenetrable encryption, openly discussed narcotics concealment methods, shipments of narcotics, money laundering, and, in some groups, violent threats, the indictment said. Some users negotiated drug deals via these encrypted messages and sent pictures of drugs, in one instance hundreds of kilograms of cocaine concealed in shipments of pineapples and bananas, and in another instance, in cans of tuna, in order to evade law enforcement.</p>
<p>The indictment charges 17 alleged distributors of the FBI’s devices and platform. They are charged with conspiring to violate the Racketeer Influenced and Corrupt Organizations Act (RICO), pertaining to their alleged involvement in marketing and distributing thousands of encrypted communication devices to transnational criminal organizations worldwide.</p>
<p>During the last 24 to 48 hours, in addition to the more than 500 arrests around the world, authorities searched more than 700 locations, deploying more than 9,000 law enforcement officers worldwide, and seized multi-ton quantities of illicit drugs.</p>
<h3><a class="ext" href="https://youtube.com/playlist?list=PLGvHJHdPh24XB-t5vUVzMP4FBvF-V1dmk" target="_blank" rel="noopener" data-extlink="">CLICK HERE &#8211; Video Messages from International Partners</a></h3>
<p><iframe title="Operation Trojan Shield International Partners" width="640" height="360" src="https://www.youtube.com/embed/videoseries?list=PLGvHJHdPh24XB-t5vUVzMP4FBvF-V1dmk" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p>Grand totals for the entire investigation include 800 arrests and seizures of more than 8 tons of cocaine; 22 tons of marijuana; 2 tons of methamphetamine/amphetamine; six tons of precursor chemicals; 250 firearms; and more than $48 million in various worldwide currencies. Dozens of public corruption cases have been initiated over the course of the investigation. And, during the course of the investigation, more than 50 clandestine drug labs have been dismantled. One of the labs hit yesterday was one of the largest clandestine labs in German history.</p>
<p>“This was an unprecedented operation in terms of its massive scale, innovative strategy and technological and investigative achievement,” said Acting U.S. Attorney Randy Grossman. “Hardened encrypted devices usually provide an impenetrable shield against law enforcement surveillance and detection. The supreme irony here is that the very devices that these criminals were using to hide from law enforcement were actually beacons for law enforcement. We aim to shatter any confidence in the hardened encrypted device industry with our indictment and announcement that this platform was run by the FBI.”</p>
<div class="align-left entity-type-media entity-bundle-image media--image--s07 entity-image-121491">
<div class="field__item img_wrp"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18982" src="https://goodshepherdmedia.net/wp-content/uploads/2024/12/may2021.jpg" alt="" width="700" height="380" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/12/may2021.jpg 700w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/may2021-400x217.jpg 400w" sizes="(max-width: 700px) 100vw, 700px" /></div>
</div>
<div class="align-left entity-type-media entity-bundle-image media--image--s07 entity-image-121496">
<div class="field__item img_wrp"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18983" src="https://goodshepherdmedia.net/wp-content/uploads/2024/12/october_2020.jpg" alt="" width="700" height="377" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/12/october_2020.jpg 700w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/october_2020-400x215.jpg 400w" sizes="(max-width: 700px) 100vw, 700px" /></div>
</div>
<p>“Today marks the culmination of more than five years of innovative and complex investigative work strategically aimed to disrupt the encrypted communications space that caters to the criminal element,” said Suzanne Turner, Special Agent in Charge of the Federal Bureau of Investigation (FBI) &#8211; San Diego Field Office.  “The FBI has brought together a network of dedicated international law enforcement partners who are steadfast in combating the global threat of organized crime. The immense and unprecedented success of Operation Trojan Shield should be a warning to international criminal organizations  – your criminal communications may not be secure; and you can count on law enforcement worldwide working together to combat dangerous crime that crosses international borders.”</p>
<p>“Operation Trojan Shield is a perfect example of an OCDETF case &#8211; an investigation driven by intelligence and maximizing the strengths of partner law enforcement agencies in coordinated efforts to dismantle command and control elements of criminal networks,” said OCDETF Director Adam W. Cohen.  “Coordination is the cornerstone of the OCDETF program, and the impressiveness of the combined efforts of the U.S. Attorney’s Office, FBI, and our foreign partners cannot be overstated.  This effort has created lasting disruptive impacts to these transnational criminal organizations.”</p>
<p>“The AFP and FBI have been working together on a world-first operation to bring to justice the organised crime gangs flooding our communities with drugs, guns and violence,” said AFP Commissioner Reece Kershaw APM. “The FBI provided an encrypted communications platform while the AFP deployed the technical capability which helped unmask some of the biggest criminals in the world. This week the AFP and our state police partners will execute hundreds of warrants and we expect to arrest hundreds of offenders linked to the platform. This is the culmination of hard work, perseverance and an invaluable, trusted relationship with the FBI.</p>
<p>We thank the FBI for their long and integral partnership with the AFP.”</p>
<p>Europol’s Deputy Executive Director Jean-Philippe Lecouffe: “This operation is an exceptional success by the authorities in the United States, Sweden, the Netherlands, Australia, New Zealand and the other European members of the Operational Task Force. Europol coordinated the international law enforcement community, enriched the information picture and brought criminal intelligence into ongoing operations to target organised crime and drug trafficking organisations, wherever they are and however they choose to communicate. I am very satisfied to see Europol supporting this operation and strengthening law enforcement partnerships by emphasizing the multi-agency aspect of the case.”</p>
<div class="align-left entity-type-media entity-bundle-image media--image--s04 entity-image-121511">
<div class="field__item img_wrp"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18985" src="https://goodshepherdmedia.net/wp-content/uploads/2024/12/batman.jpg" alt="" width="400" height="535" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/12/batman.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/batman-299x400.jpg 299w" sizes="(max-width: 400px) 100vw, 400px" /></div>
</div>
<div class="align-left entity-type-media entity-bundle-image media--image--s03 entity-image-121526">
<div class="field__item img_wrp"><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18984" src="https://goodshepherdmedia.net/wp-content/uploads/2024/12/cipher.jpg" alt="" width="300" height="520" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/12/cipher.jpg 300w, https://goodshepherdmedia.net/wp-content/uploads/2024/12/cipher-231x400.jpg 231w" sizes="(max-width: 300px) 100vw, 300px" /></div>
</div>
<p>“I am exceptionally proud of our New Zealand Police staff who supported Operation Trojan Shield,” said New Zealand Police Commissioner Andrew Coster. “This operation will have an unprecedented impact on organised crime syndicates across the globe. We value our strong relationship with the FBI, AFP and Europol and it is through these partnerships and the unrelenting efforts by law enforcement agencies from multiple countries that this operation has seen such incredible success. This is a fantastic result and reiterates the importance of our transnational partnerships with law enforcement agencies across the globe in our common ongoing efforts to dismantle organised crime groups and the enormous harm they cause to our communities.”</p>
<p>“This remarkably successful operation demonstrates what can be accomplished when law enforcement agencies throughout the world work together,” said DEA Los Angeles Division Special Agent in Charge Bill Bodner. “Through strong relationships with our partners in more than 67 countries, professionals throughout the DEA, including experts in the Los Angeles Division, supported this unprecedented collaboration and our own mission to disrupt and dismantle the criminal organizations that profit from the distribution of illegal drugs.”</p>
<p>According to the San Diego indictment, ANOM’s administrators, distributors, and agents described the platform to potential users as “designed by criminals for criminals” and targeted the sale of ANOM to individuals that they knew participated in illegal activities.</p>
<p>All defendants are foreign nationals located outside of the U.S. In total, eight of the indicted defendants were taken into custody last night.  Authorities are continuing to search for the remaining nine defendants.</p>
<p>The indictment alleges the defendants knew the devices they distributed were being used exclusively by criminals to coordinate drug trafficking and money laundering, including in the U.S. The defendants personally fielded “wipe requests” from users when devices fell into the hands of law enforcement.</p>
<p>The FBI’s review of ANOM users’ communications worked like a blind carbon copy function in an email. A copy of every message being sent from each device was sent to a server in a third-party country where the messages were collected and stored. The data was then provided to the FBI on a regular basis pursuant to an international cooperation agreement. Communications such as text messages, photos, audio messages, and other digital information were reviewed by the FBI for criminal activity and disseminated to partner law enforcement agencies in other countries. Each user was using ANOM for a criminal purpose. Those countries have built their own cases against ANOM users, many of whom were arrested in takedowns in Europe, Australia and New Zealand over the last several days.</p>
<p>Intelligence derived from the FBI’s communications platform presented opportunities to disrupt major drug trafficking, money laundering, and other criminal activity while the platform was active. For example, over 150 unique threats to human life were mitigated.</p>
<p>This operation was led by the FBI and coordinated with the U.S. Drug Enforcement Administration, the U.S. Marshals Service, Australian Federal Police, Swedish Police Authority, National Police of the Netherlands, Lithuanian Criminal Police Bureau, Europol, and numerous other law enforcement partners from over a dozen other countries.</p>
<p>This investigation began after Canada-based encrypted device company Phantom Secure was dismantled by the FBI in 2018 through a San Diego-based federal RICO indictment and court-authorized seizure of the Phantom Secure platform, forcing many criminals to seek other secret communication methods to avoid law enforcement detection. The FBI—along with substantial contributions by the Australian Federal Police—filled that void with ANOM.</p>
<p>When the FBI and the San Diego U.S. Attorney’s Office dismantled Sky Global in March 2021, the demand for ANOM devices grew exponentially as criminal users sought a new brand of hardened encryption device to plot their drug trafficking and money laundering transactions and to evade law enforcement.  Demand for ANOM from criminal groups also increased after European investigators announced the dismantlement of the EncroChat platform in July 2020. The ANOM platform &#8211; unlike Phantom Secure, EncroChat, and Sky Global &#8211; was exploited by the FBI from the very beginning of ANOM’s existence and was not an infiltration of an existing popular encrypted communications company.</p>
<p>In October 2018, Phantom Secure’s CEO pleaded guilty to a RICO conspiracy in the Southern District of California.  He was sentenced to nine years in prison and ordered to forfeit $80 million in proceeds from the sale of Phantom devices.</p>
<p>For further information, please see <a href="https://www.justice.gov/usao-sdca/pr/chief-executive-communications-company-sentenced-prison-providing-encryption-services">https://www.justice.gov/usao-sdca/pr/chief-executive-communications-company-sentenced-prison-providing-encryption-services</a> and <a href="https://www.justice.gov/usao-sdca/pr/sky-global-executive-and-associate-indicted-providing-encrypted-communication-devices">https://www.justice.gov/usao-sdca/pr/sky-global-executive-and-associate-indicted-providing-encrypted-communication-devices</a>.</p>
<p>Operation Trojan Shield is an Organized Crime Drug Enforcement Task Forces (OCDETF) investigation.  OCDETF identifies, disrupts, and dismantles the highest-level drug traffickers, money launderers, gangs, and transnational criminal organizations that threaten the United States by using a prosecutor-led, intelligence-driven, multi-agency approach that leverages the strengths of federal, state, and local law enforcement agencies against criminal networks.</p>
<p>Assistant U.S. Attorneys Meghan E. Heesch, Joshua C. Mellor, Shauna Prewitt, and Mikaela Weber of the U.S. Attorney’s Office for the Southern District of California are prosecuting the case, with assistance from Paralegal Specialist Tracie Jarvis.  Former Assistant U.S. Attorney Andrew P. Young made invaluable contributions during his tenure on the case team.</p>
<p>Acting U.S. Attorney Grossman praised federal prosecutors and FBI agents and international law enforcement partners for their relentless pursuit of justice in this extraordinary case. Additionally, Acting U.S. Attorney Grossman thanked the coordinated efforts of the Department of Justice’s Office of International Affairs which facilitated many international components of this complex investigation.</p>
<p>The charges and allegations contained in an indictment are merely accusations, and the defendants are considered innocent unless and until proven guilty.</p>
<table style="height: 653px;" border="1" width="1031" cellspacing="1" cellpadding="1">
<thead>
<tr>
<th scope="col">
<h3><strong>DEFENDANTS  21-CR-1623-JLS</strong></h3>
</th>
<th scope="col">
<h3><strong>COUNTRY</strong></h3>
</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>*Joseph Hakan Ayik (1)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>Domenico Catanzariti (2)</strong></td>
<td><strong>Australia</strong></td>
</tr>
<tr>
<td><strong>*Maximilian Rivkin (3)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>Abdelhakim Aharchaou (4)</strong></td>
<td><strong>The Netherlands</strong></td>
</tr>
<tr>
<td><strong>*Seyyed Hossein Hosseini (5)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>Alexander Dmitrienko (6)</strong></td>
<td><strong>Spain</strong></td>
</tr>
<tr>
<td><strong>*Baris Tukel (7)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>*Erkan Yusef Dogan (8)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>*Shane Geoffrey May (9)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>Aurangzeb Ayub (10)</strong></td>
<td><strong>The Netherlands</strong></td>
</tr>
<tr>
<td><strong>James Thomas Flood (11)</strong></td>
<td><strong>Spain</strong></td>
</tr>
<tr>
<td><strong>*Srdjan Todorovic aka Dr. Djek (12)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>*Shane Ngakuru (13)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>Edwin Harmendra Kumar (14)</strong></td>
<td><strong>Australia</strong></td>
</tr>
<tr>
<td><strong>Omar Malik (15)</strong></td>
<td><strong>The Netherlands</strong></td>
</tr>
<tr>
<td><strong>Miwand Zakhimi (16)</strong></td>
<td><strong>The Netherlands</strong></td>
</tr>
<tr>
<td><strong>*Osemah Elhassen (17)</strong></td>
<td></td>
</tr>
<tr>
<td><strong>*Fugitive</strong></td>
<td></td>
</tr>
</tbody>
</table>
<p>&nbsp;</p>
<p><b><u>SUMMARY OF CHARGES</u></b></p>
<p>Conspiracy to Conduct Enterprise Affairs Through Pattern of Racketeering Activity (RICO Conspiracy), in violation of 18 U.S.C. § 1962(d)</p>
<p>Maximum Penalty: Twenty years in prison</p>
<p><b><u>AGENCIES</u></b></p>
<p>Federal Bureau of Investigation</p>
<p>Drug Enforcement Administration</p>
<p>United States Marshals Service</p>
<p>Department of Justice, Office of International Affairs</p>
<p>Australian Federal Police</p>
<p>Swedish Police Authority</p>
<p>Lithuanian Criminal Police Bureau</p>
<p>National Police of the Netherlands</p>
<p>EUROPOL</p>
<p>&nbsp;</p>
<p><strong>For further information, please see</strong></p>
<p><a class="ext" href="https://www.europol.europa.eu/newsroom/news/800-criminals-arrested-in-biggest-ever-law-enforcement-operation-against-encrypted-communication" target="_blank" rel="noopener" data-extlink="">https://www.europol.europa.eu/newsroom/news/800-criminals-arrested-in-biggest-ever-law-enforcement-operation-against-encrypted-communication</a></p>
<p><a class="ext" href="https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime" target="_blank" rel="noopener" data-extlink="">https://www.afp.gov.au/news-media/media-releases/afp-led-operation-ironside-smashes-organised-crime</a></p>
</div>
</div>
<div class="node-updated-date">Updated June 8, 2021 <a href="https://www.justice.gov/usao-sdca/pr/fbi-s-encrypted-phone-platform-infiltrated-hundreds-criminal-syndicates-result-massive" target="_blank" rel="noopener">SOURCE</a></div>
<hr />
<p>&nbsp;</p>
<h1 class="b-headline">Encrypted Phone Company Was Secretly Commandeered by FBI to Track Criminals’ GPS Data</h1>
<div class="Rubric">
<div class="Rubric__content">CLOAK AND DAGGER</div>
<div class="Rubric__divider">
<div class="Rubric__divider__bottom"></div>
</div>
</div>
<h2 class="c-heading b-subheadline">The agency’s backdoor access to Anom phones collected the locations of users across the world, transferring the data to authorities.</h2>
<h1 class="font-stretch-ultra-condensed mb-4 text-4xl font-semibold leading-compact tracking-wide md:text-5xl">FBI Sold Criminals Fake Encrypted Phones That Actually Copied Their Messages</h1>
<p class="mb-4 text-lg leading-normal">The Anom company helped international law enforcement arrest over 800 suspected criminals in what marks the FBI&#8217;s latest attempt to overcome encryption.</p>
<p><iframe title="The REAL Story Behind ANOM:" width="640" height="360" src="https://www.youtube.com/embed/pJryRIRCcTM?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p>&nbsp;</p>
<p>An encrypted chat platform that catered to criminals is actually an FBI sting operation.</p>
<p>Since 2019, the FBI has been secretly operating Anom, a company that pretended to offer encrypted messaging to criminal organizations. In reality, the Anom app would relay to federal investigators a copy of every message sent.</p>
<p>The operation enabled the FBI and international law enforcement to arrest over 800 suspected criminals across the globe, according to Europol.</p>
<p>Anom ended up serving more than 12,000 devices belonging to over 300 criminal organizations, including the Italian mafia, outlaw motorcycle gangs, and crime syndicates based in Asia. The encrypted chat platform recorded messages covering assassination plots, mass drug trafficking, and illegal gun distribution.</p>
<p><img loading="lazy" decoding="async" class="" src="https://i.pcmag.com/imagery/articles/03jOJGuIpeqeliE8C173FGN-2.fit_lim.size_1152x.png" alt="A phone installed with Anom" width="734" height="415" data-image-loader="https://i.pcmag.com/imagery/articles/03jOJGuIpeqeliE8C173FGN-2.png" data-lazy-sized="" data-image-path="articles/03jOJGuIpeqeliE8C173FGN-2.png" data-viewed="true" /></p>
<div class="-mt-4 mb-8"><small>Credit: Australian Federal Police</small></div>
<p>The operation marks US law enforcement’s latest attempt to circumvent encryption on smartphones. For years now, the FBI has been urging Apple to create a backdoor into its iPhones, citing the need to collect evidence against suspected criminals. Apple has thus far refused, so the agency has contracted professional smartphone hacking services to help it unlock devices seized in investigations.</p>
<p>&nbsp;</p>
<p>With Anom, the FBI used an entirely different strategy to tackle the challenge of encryption. The genesis for the sting operation occurred with the FBI takedown of a separate encrypted chat platform popular among criminals called Phantom Secure.</p>
<p>“When we took down Phantom Secure in 2018, we found the criminal organizations moved quickly to back-up options with other encrypted platforms,” said FBI San Diego Assistant Special Agent in Charge Jamie Arnold in a statement.</p>
<p>As a result, the FBI and its law enforcement partners attempted to fill the void with Anom. According to Vice, a confidential source who sold phones using Phantom Secure had been developing their own encrypted chat platform; the source then offered up the platform to the FBI, which began working to circulate Anom in criminal underground circles.</p>
<p>According to Australian Federal Police, the Anom encrypted messaging app was installed on special phones that had been stripped of other capabilities. “The mobile phones, which were bought on the black market, could not make calls or send emails. It could only send messages to another device that had the organized crime app. Criminals needed to know a criminal to get a device,” Australian Federal Police added.</p>
<p>&nbsp;</p>
<p><iframe title="Operation Ironside Australian Federal Police" width="640" height="360" src="https://www.youtube.com/embed/MB7Pnp0lUpo?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<p>&nbsp;</p>
<p>To market itself, Anom also had its own YouTube, Twitter, Facebook, and Reddit pages, which advertised the app as a secure communications platform.</p>
<p>The FBI has since replaced the <a title="(Opens in a new tab)" href="https://www.anom.io/" target="_blank" rel="noopener">Anom.io</a> website with a notice that says: “Law enforcement has been monitoring messages and attachments from the ANØM platform. A number of investigations have been initiated and are ongoing.” Users of Anom can learn if they’re under investigation by typing their username and smartphone details into a form on the site. <a href="https://www.pcmag.com/news/fbi-sold-criminals-fake-encrypted-phones-that-actually-copied-their-messages" target="_blank" rel="noopener">SOURCE</a></p>
<hr />
<h1 class="entry-title wp-block-post-title">We Got the Phone the FBI Secretly Sold to Criminals</h1>
<p>Unlocking the Google Pixel 4a with a PIN code reveals some common apps: Tinder, Instagram, Facebook, Netflix, and even Candy Crush. But none of those apps work, and tapping their icons doesn’t do anything. Resetting the phone and typing in another PIN opens up an entirely different section of the device, with a new background and new apps. Now in place of the old apps sit a clock, a calculator, and the device’s settings.</p>
<p>“Enter Anom ID” and a password, the screen reads. Hidden in the calculator is a concealed messaging app called Anom, which last month we learned was an FBI honeypot. On Anom, criminals believed they could communicate securely, with the app encrypting their messages. They were wrong: an international group of law enforcement agencies including the FBI were monitoring their messages and announced hundreds of arrests last month. International authorities have held press conferences to tout the operation’s success, but have provided few details on how the phones actually functioned.</p>
<p>Motherboard has obtained and analyzed an Anom phone from a source who unknowingly bought one on a classified ads site. On that site, the phone was advertised as just a cheap Android device. But when the person received it, they realized it wasn’t an ordinary phone, and after being contacted by Motherboard, found that it contained the secret Anom app.</p>
<p>The person Motherboard bought the phone from said they panicked “when I realised what I had just purchased.” Motherboard granted the person anonymity to protect them from any retaliation.</p>
<p>When booting up the phone, it displays a logo for an operating system called “ArcaneOS.” Very little information is publicly available on ArcaneOS. It’s this detail that has helped lead several people who have ended up with Anom phones to realize something was unusual about their device. Most posts online discussing the operating system appear to be written by people who have recently inadvertently bought an Anom device, and found it doesn’t work like an ordinary phone. After the FBI announced the Anom operation, some Anom users have scrambled to get rid of their device, including selling it to unsuspecting people online. The person Motherboard obtained the phone from was in Australia, where authorities initially spread the Anom devices as a pilot before expanding into other countries. They said they contacted the Australian Federal Police (AFP) in case the phone or the person who sold it was of interest to them; when the AFP didn’t follow up, the person agreed to sell the phone to Motherboard for the same price they paid. They said they originally bought it from a site similar to Craigslist.</p>
<p>Another person Motherboard spoke to who bought one of the phones said they were in Lithuania.</p>
<p>“I bought this phone online, for ridiculously low price, now I understand why,” that second person said. That person also provided Motherboard with photos and a video of their device. In that case, the Anom login screen appeared inaccessible, but other settings such as the decoy PIN code remained. “Probably this phone was used by some drug dealer :D,” they said.</p>
<p>For the past few months, members of Android hobbyist and developer forums have been trying to help the people who bought the strange phones return them to a usable state.</p>
<p>“I cannot install any apps because there is no [App Store], everything has been removed,” one person who said they bought the phone second-hand wrote on a German language forum in March, before the FBI and its partners stopped the operation.</p>
<div class="ai-viewport-1" data-insertion-position="prepend" data-selector=".ai-insert-18-87241182" data-insertion-no-dbg="" data-code="PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2NrLTE4JyBzdHlsZT0nbWFyZ2luOiA4cHggMDsgY2xlYXI6IGJvdGg7Jz4KPGRpdiBjbGFzcz0iaHRsYWQtdmljZV9kZXNrdG9wX2luX2FydGljbGVfNSI+PC9kaXY+PC9kaXY+Cg==" data-block="18">
<div class="code-block code-block-18">
<div class="htlad-vice_desktop_in_article_5">
<div id="htlad-5" class="htl-ad" data-unit="vice_desktop_in_article_5" data-lazy-pixels="500" data-sizes="0x0:|750x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1050x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1000x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6" data-prebid="0x0:|750x0:active-post-article-Tablet|1050x0:active-post-article-Desktop_Large|1000x0:active-post-article-Desktop_Large" data-refresh="viewable" data-refresh-secs="30" data-refresh-max="1000" data-targeting="{&quot;htl_refresh&quot;:[&quot;0&quot;]}">
<div id="htlad-5-gpt" class="htl-ad-gpt htl-size-728x366" data-google-query-id="CODIyJ2omooDFdXl_QUdRD0sDA">
<p>“If he also had access to /data, he could change all of the cell phone’s settings manually,” one forum user replied.</p>
<figure class="wp-block-image"><img loading="lazy" decoding="async" class="attachment-full " src="https://www.vice.com/wp-content/uploads/sites/2/2021/07/1625759121359-scrambled-hand.jpeg" alt="scrambled-hand.JPG" width="764" height="509" /><figcaption class="wp-element-caption">A photo of the scrambled PIN entry screen on the Anom device. Image: Motherboard.</figcaption></figure>
<p>“That’s strange… You have the boot screen saying that the phone has been modified, yet you seem to have a locked bootloader… Doesn’t make any sense to me :/,” a user on another forum replied to someone facing similar issues.</p>
<p>“I have the same thing. A friend got a used pixel 4a and it’s running arcaneos with the same issues described by the OP. Nothing works when attempting to flash,” someone else added to the thread.</p>
<div class="ai-viewport-1" data-insertion-position="prepend" data-selector=".ai-insert-19-21844728" data-insertion-no-dbg="" data-code="PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2NrLTE5JyBzdHlsZT0nbWFyZ2luOiA4cHggMDsgY2xlYXI6IGJvdGg7Jz4KPGRpdiBjbGFzcz0iaHRsYWQtdmljZV9kZXNrdG9wX2luX2FydGljbGVfNiI+PC9kaXY+PC9kaXY+Cg==" data-block="19">
<div class="code-block code-block-19">
<div class="htlad-vice_desktop_in_article_6">
<div id="htlad-6" class="htl-ad" data-unit="vice_desktop_in_article_6" data-lazy-pixels="500" data-sizes="0x0:|750x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1050x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1000x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6" data-prebid="0x0:|750x0:active-post-article-Tablet|1050x0:active-post-article-Desktop_Large|1000x0:active-post-article-Desktop_Large" data-refresh="viewable" data-refresh-secs="30" data-refresh-max="1000" data-targeting="{&quot;htl_refresh&quot;:[&quot;0&quot;]}">
<div id="htlad-6-gpt" class="htl-ad-gpt htl-size-728x366" data-google-query-id="CMyWh6ComooDFfzKuAgdrsgdmA">
<p>After Motherboard determined that ArcaneOS was linked to the Anom devices and had bought the phone, someone else on one of the forums also made the connection.</p>
<p>“This is a phone the used with that FBI ANON <i>[sic] </i>application to read the message with the users,” a user wrote on a thread. That user did not respond to a request for comment on how they also came to the same conclusion.</p>
<p><b>The Phone</b></p>
<div class="ai-viewport-1" data-insertion-position="prepend" data-selector=".ai-insert-20-94587253" data-insertion-no-dbg="" data-code="PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2NrLTIwJyBzdHlsZT0nbWFyZ2luOiA4cHggMDsgY2xlYXI6IGJvdGg7Jz4KPGRpdiBjbGFzcz0iaHRsYWQtdmljZV9kZXNrdG9wX2luX2FydGljbGVfNyI+PC9kaXY+PC9kaXY+Cg==" data-block="20">
<div class="code-block code-block-20">
<div class="htlad-vice_desktop_in_article_7">
<div id="htlad-7" class="htl-ad" data-unit="vice_desktop_in_article_7" data-lazy-pixels="500" data-sizes="0x0:|750x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1050x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1000x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6" data-prebid="0x0:|750x0:active-post-article-Tablet|1050x0:active-post-article-Desktop_Large|1000x0:active-post-article-Desktop_Large" data-refresh="viewable" data-refresh-secs="30" data-refresh-max="1000" data-targeting="{&quot;htl_refresh&quot;:[&quot;0&quot;]}">
<div id="htlad-7-gpt" class="htl-ad-gpt htl-size-728x366" data-google-query-id="CPyRjKGomooDFSVZCAQd28Y2aQ">
<p>Besides ArcaneOS, the phone has a few other interesting features and settings.</p>
<p>Ordinarily, Android phones have a setting to turn location tracking off or on. There appears to be no setting for either on this device.</p>
<p>The phone offers “PIN scrambling,” where the PIN entry screen will randomly rearrange the digits, potentially stopping third-parties from figuring out the device’s passcode if watching someone type it in. The status bar at the top of the screen includes a shortcut for what appears to be a wipe feature on the phone, with an icon showing a piece of paper going through a shredder. Users can also set up a “wipe code,” which will wipe the device from the lockscreen, and configure the phone to automatically wipe if left offline for a specific period of time, according to the phone’s settings reviewed by Motherboard.</p>
<p>Encrypted phone companies typically offer similar data destruction capabilities, and at least in some cases companies have remotely wiped phones while they’re in authorities’ possession, hindering investigations. The Department of Justice has charged multiple people who allegedly worked for Anom in part for obstructing law enforcement by using this wipe feature.</p>
<p>Daniel Micay, lead developer of security and privacy focused Android operating system GrapheneOS, also provided Motherboard with images someone had recently sent him of a third Anom device. That phone was a Google Pixel 3a, suggesting Anom loaded its software onto multiple iterations of phones over time, and the Anom login screen was not immediately accessible.</p>
<p>“The calculator theoretically opens chat but it doesn’t work anymore. They said it requires entering a specific calculation,” Micay said. “Quite amusing security theater.”</p>
<div class="ai-viewport-1" data-insertion-position="prepend" data-selector=".ai-insert-22-86504143" data-insertion-no-dbg="" data-code="PGRpdiBjbGFzcz0nY29kZS1ibG9jayBjb2RlLWJsb2NrLTIyJyBzdHlsZT0nbWFyZ2luOiA4cHggMDsgY2xlYXI6IGJvdGg7Jz4KPGRpdiBjbGFzcz0iaHRsYWQtdmljZV9kZXNrdG9wX2luX2FydGljbGVfOSI+PC9kaXY+PC9kaXY+Cg==" data-block="22">
<div class="code-block code-block-22">
<div class="htlad-vice_desktop_in_article_9">
<div id="htlad-9" class="htl-ad" data-unit="vice_desktop_in_article_9" data-lazy-pixels="500" data-sizes="0x0:|750x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1050x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6|1000x0:640x360,620x366,336x280,728x90,728x250,300x250,468x60,320x100,1x3,1x4,1x6" data-prebid="0x0:|750x0:active-post-article-Tablet|1050x0:active-post-article-Desktop_Large|1000x0:active-post-article-Desktop_Large" data-refresh="viewable" data-refresh-secs="30" data-refresh-max="1000" data-targeting="{&quot;htl_refresh&quot;:[&quot;0&quot;]}">
<div id="htlad-9-gpt" class="htl-ad-gpt htl-size-640x360" data-google-query-id="CKj7iqaomooDFeNNCAQdLlEoPg">
<figure class="wp-block-image"><img loading="lazy" decoding="async" class="attachment-full " src="https://www.vice.com/wp-content/uploads/sites/2/2021/07/1625758993828-few-apps-flat.jpeg" alt="few-apps-flat.JPG" width="828" height="552" /><figcaption class="wp-element-caption">A photo of the hidden apps page of the Anom device. Image: Motherboard.</figcaption></figure>
<figure class="wp-block-image"><img loading="lazy" decoding="async" class="attachment-full " src="https://www.vice.com/wp-content/uploads/sites/2/2021/07/1625758554121-apps-flat.jpeg" alt="apps-flat.JPG" width="836" height="557" /><figcaption class="wp-element-caption">A photo of the normal apps page of the Anom device. Image: Motherboard.</figcaption></figure>
<p>Micay said others claimed that Anom used GrapheneOS itself, but “it sounds like they may have advertised it to some people by saying it uses GrapheneOS but it has no basis.”</p>
<p>“Basically [it] sounds like people have heard of GrapheneOS so these companies either use it in some way (maybe actual GrapheneOS, maybe a fork) or just claim they did when they didn’t,” he said.</p>
<p>The phone obtained by Motherboard and the one included in the video both have an identical list of contacts saved to the innocuous looking section of the device. However, at least some of these appear to be placeholder contacts generated by a specific tool available on Github. None of the people included in the contact list responded to a request for comment.</p>
<p>With its wipe features and the hidden user interface, the Anom device does look like one from any of the other encrypted phone firms that serious organized criminals have used in the past, such as Encrochat and Phantom Secure. That was very much on purpose, according to Andrew Young, a partner in the Litigation Department in law firm Barnes &amp; Thornburg’s San Diego office and former Department of Justice lead prosecutor on the Anom case.</p>
<p>“We can’t just run a good investigation; we have to run a good company,” he previously told Motherboard in a phone call. That included providing customer service and solving users’ tech issues, and potentially dealing with hackers who may target the company too.</p>
<p>Anom started when an FBI confidential human source (CHS), who had previously sold devices from Phantom Secure and another firm called Sky Global, was developing their own product. The CHS then “offered this next generation device, named ‘Anom,’ to the FBI to use in ongoing and new investigations,” court documents read.</p>
<p>In June the FBI and its law enforcement partners in Australia and Europe announced over 800 arrests after they had surreptitiously been listening in on Anom users’ messages for years. In all, authorities obtained over 27 million messages from over 11,800 devices running the Anom software in more than 100 countries by silently adding an extra encryption key which allowed agencies to read a copy of the messages. People allegedly smuggling cocaine hidden inside cans of tuna, hollowed out pineapples, and even diplomatic pouches all used Anom to coordinate their large-scale trafficking operations, according to court documents.</p>
<p>The FBI declined to comment. <a href="https://www.vice.com/en/article/anom-phone-arcaneos-fbi-backdoor/" target="_blank" rel="noopener">SOURCE</a></p>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<p>&nbsp;</p>
<p><iframe title="ANØM: Global Criminals Took the BAIT - The FBI&#039;s Encrypted Messaging App" width="640" height="360" src="https://www.youtube.com/embed/pOF3pXRksD8?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>How to Check if Your Cellphone Is Infected With Pegasus Spyware</title>
		<link>https://goodshepherdmedia.net/how-to-check-if-your-cellphone-is-infected-with-pegasus-spyware/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Tue, 30 Jul 2024 20:54:24 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[4th Amendment]]></category>
		<category><![CDATA[Computer Hacks]]></category>
		<category><![CDATA[Digital Pioneers]]></category>
		<category><![CDATA[Government Spying]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Home & Garden]]></category>
		<category><![CDATA[Home Computing]]></category>
		<category><![CDATA[How To]]></category>
		<category><![CDATA[Software Pioneers]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Tragic]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[💻Tech History]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[A Complete (Updating) List of Individuals Targeted With Pegasus Spyware]]></category>
		<category><![CDATA[A Complete List of Individuals Targeted With Pegasus Spyware]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[How to Check if Your Cellphone Is Infected With Pegasus Spyware]]></category>
		<category><![CDATA[HOW TO DETECT SPYWARE ON PHONE]]></category>
		<category><![CDATA[NSO GROUP]]></category>
		<category><![CDATA[Pegasus]]></category>
		<category><![CDATA[Pegasus Spyware]]></category>
		<category><![CDATA[spyware]]></category>
		<category><![CDATA[The NSO File]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=18275</guid>

					<description><![CDATA[They’re watching us: How to detect Pegasus and other spyware on your iOS device? The infamous Pegasus spyware created by Israeli firm NSO can turn any infected smartphone into a remote microphone or camera. Here’s how to stay safe and know if you’ve been hacked How do Pegasus and other spyware work discreetly to access [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="header__title title-h2 mb-24 mt-md-48 mt-lg-64 mt-xl-64">They’re watching us: How to detect Pegasus and other spyware on your iOS device?</h1>
<blockquote>
<h3><span style="color: #ff0000;"><em><strong>The infamous Pegasus spyware created by Israeli firm NSO can turn any infected smartphone into a remote microphone or camera. Here’s how to stay safe and know if you’ve been hacked</strong></em></span></h3>
</blockquote>
<div class="c-16 c-md-9">
<div class="header--blog-post">
<div class="header__wrapper">
<div class="header__post-info post-info">
<h2 class="header__text mb-xs-48 mb-64 mb-lg-96 mb-xl-96">How do Pegasus and other spyware work discreetly to access everything on your iOS device?</h2>
</div>
</div>
</div>
</div>
<p><img loading="lazy" decoding="async" class="size-large wp-image-18276 alignright" src="https://goodshepherdmedia.net/wp-content/uploads/2024/06/How-to-Check-if-Your-Cellphone-Is-Infected-With-Pegasus-Spyware-1024x595.webp" alt="" width="640" height="372" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/06/How-to-Check-if-Your-Cellphone-Is-Infected-With-Pegasus-Spyware-1024x595.webp 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/How-to-Check-if-Your-Cellphone-Is-Infected-With-Pegasus-Spyware-400x233.webp 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/How-to-Check-if-Your-Cellphone-Is-Infected-With-Pegasus-Spyware-768x446.webp 768w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/How-to-Check-if-Your-Cellphone-Is-Infected-With-Pegasus-Spyware.webp 1280w" sizes="(max-width: 640px) 100vw, 640px" /></p>
<div class="blog-post-content__section--text">
<h2>Introduction</h2>
<p>In today’s digital age, mobile phones and devices have evolved from being exclusive to a few to becoming an absolute need for everyone, aiding us in both personal and professional pursuits. However, these devices, often considered personal, can compromise our privacy when accessed by nefarious cybercriminals.</p>
<p>Malicious mobile software has time and again been wielded as a sneaky weapon to compromise the sensitive information of targeted individuals. Cybercriminals build complex applications capable of operating on victims’ devices unbeknownst to them, concealing the threat and the intentions behind it. Despite the common belief among iOS users that their devices offer complete security, shielding them from such attacks, recent developments, such as the emergence of Pegasus spyware, have shattered this pretense.</p>
<p>The first iOS exploitation by Pegasus spyware was <a href="https://citizenlab.ca/2016/08/million-dollar-dissident-iphone-zero-day-nso-group-uae/">recorded</a> in August 2016, facilitated through spear-phishing attempts—text messages or emails that trick a target into clicking on a malicious link.</p>
<h2>What is Pegasus spyware?</h2>
<p>Developed by the <a href="https://www.nsogroup.com/">Israeli company NSO Group</a>, Pegasus spyware is malicious software designed to gather sensitive information from devices and users illicitly. Initially licensed by governments for targeted cyber espionage purposes, it is a sophisticated tool for remotely placing spyware on targeted devices to pry into and reveal information. Its ‘zero-click’ capability makes it particularly dangerous as it can infiltrate devices without any action required from the user.</p>
<p>Pegasus can gather a wide range of sensitive information from infected devices, including messages, audio logs, GPS location, device information, and more. It can also remotely activate the device’s camera and microphone, essentially turning the device into a powerful tool for illegal surveillance.</p>
<p>Over time, NSO Group has become more creative in its methods of unwarranted intrusions into devices. The company, which was founded in 2010, claims to be a “leader” in <a href="https://www.documentcloud.org/documents/815991-1276-nso-group-brochure-pegasus.html">mobile and cellular cyber warfare</a>.</p>
<p>Pegasus is also capable of accessing data from both iOS and Android-powered devices. The fact that it can be deployed through convenient gateways such as SMS, WhatsApp, or iMessage makes it an effortless tool to trick users into installing the spyware without their knowledge. This poses a significant threat to the privacy and security of individuals and organizations targeted by such attacks.</p>
<h2>How does Pegasus spyware work?</h2>
<p>Pegasus is extremely efficient due to its strategic development to use zero-day vulnerabilities, code obfuscation, and encryption. NSO Group provides two methods for remotely installing spyware on a target’s device: a zero-click method and a one-click method. The one-click method includes sending the target a regular SMS text message containing a link to a malicious website. This website then exploits vulnerabilities in the target’s web browser, along with any additional exploits needed to implant the spyware.</p>
<p>Zero-click attacks do not require any action from device users to establish an unauthorized connection, as they exploit ‘zero-day’ vulnerabilities to gain entry into the system. Once the spyware is installed, Pegasus actively captures the intended data about the device. After installation, Pegasus needs to be constantly upgraded and managed to adapt to device settings and configurations. Additionally, it may be programmed to uninstall itself or self-destruct if exposed or if it no longer provides valuable information to the threat actor.</p>
<p>Now that we’ve studied what Pegasus is and the privacy concerns it raises for users, this blog will further focus on discussing precautionary and investigation measures. The suggested methodology can be leveraged to detect not just Pegasus spyware but also <a href="https://www.group-ib.com/blog/operation-triangulation/">Operation Triangulation</a>, <a href="https://www.itpro.com/security/spyware/370302/greek-intelligence-predator-spyware-wiretap-facebook-staffer">Predator spyware</a>, and more.</p>
<p>Let’s explore how to check iOS or iPadOS devices for signs of compromise when only an iTunes backup is available and obtaining a full file system dump isn’t a viable option.</p>
<p>In recent years, targeted attacks against iOS devices have made headlines regularly. Although the infections are not widespread and they hardly affect more than 100 devices per wave, such attacks still pose serious risks to Apple users. The risks have appeared as a result of iOS becoming an increasingly complex and open system, over the years, to enhance user experience. <b>A good example of this is the flawed design of the iMessage application, which wasn’t protected through the operating system’s sandbox mechanisms. </b></p>
<p>Apple failed to patch this flaw with a security feature called BlastDoor in iOS 14, instead implementing a Lockdown Mode mechanism that, for now, cybercriminals have not been able to bypass. <a href="https://github.com/blacktop/presentations/blob/main/0x41con_2023/PDF/AnatomyOfLockdownMode.pdf">Learn more about Lockdown Mode here</a>.</p>
<p>While BlastDoor provides a flexible solution through sandbox analysis, Lockdown Mode imposes limitations on iMessage functionality. Nonetheless, the vulnerabilities associated with ImageIO may prompt users to consider disabling iMessage permanently. Another major problem is that there are no mechanisms to examine an infected iOS device directly. Researchers have three options:</p>
<ol>
<li>Put the device in a safe and wait until an exploit is developed that can extract the full file system dump</li>
<li>Analyze the device’s network traffic (with certain limitations as not all viruses can transmit data via Wi-Fi)</li>
<li>Explore a backup copy of an iOS device, despite data extraction limitations</li>
</ol>
<p>The backup copy must be taken only with encryption (password protection) as data sets in encrypted and unencrypted copies differ. Here, our analysts focus on the third approach, as it is a pragmatic way to safely examine potential infections without directly interacting with the compromised device. This approach allows researchers to analyze the device’s data in a controlled environment, avoiding any risk of further compromising the device and losing valuable evidence that forms the ground for crucial investigation and analysis.</p>
<p>To conduct research effectively, the users will need either a Mac or Linux device. Linux virtual machines can also be used, but it is recommended that users avoid using Windows Subsystem for Linux as it has issues with forwarding USB ports.</p>
<p>In the analysis performed by Group-IB experts, we use an open-source tool called <a href="https://docs.mvt.re/en/latest/">Mobile Verification Toolkit (MVT)</a>, which is supported by a <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">methodology report</a>.</p>
<p>Let’s start with installing dependencies:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">sudo apt install python3 python3-pip libusb-1.0-0 sqlite3</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Next, install a set of tools for creating and working with iTunes backups:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">sudo apt install libimobiledevice-utils</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Lastly, install MVT:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">git clone https://github.com/mvt-project/mvt.git<br />
cd mvt<br />
pip3 install .</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Now, let’s begin with the analysis. To create a backup, perform the following:</p>
<ol>
<li>Connect the iOS device and verify the pairing process by entering your passcode.</li>
<li>Enter the following command:</li>
</ol>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">ideviceinfo</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Users will receive a substantial output with information about the connected device, such as the iOS version and model type:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">ProductName: iPhone OS<br />
ProductType: iPhone12.5<br />
ProductVersion: 17.2.1</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>After that, users can set a password for the device backup:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">idevicebackup2 -i encryption on</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Enter the password for the backup copy and confirm it by entering your phone’s passcode.</p>
<p>As mentioned, the above step is crucial to ensure the integrity of the data extracted from the device.</p>
<p>Create the encrypted copy:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">idevicebackup2 backup --full /path/to/backup/</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>This process may take a while depending on the amount of space available on your device. Users will also need to enter the passcode again.</p>
<p>Once the backup is complete (as indicated by the<i> Backup Successful</i> message), the users will need to decrypt it.</p>
<p>To do so, use MVT:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">mvt-ios decrypt-backup -p [password] -d /path/to/decrypted /path/to/backup</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Once the command completes, the backup has been decrypted.</p>
<p>Now, let’s check for known indicators. Download the most recent IoCs (Indicators of Compromise):</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">mvt-ios download-iocs</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>We can also track IoCs relating to other spyware attacks from several sources, such as:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">&#8220;NSO Group Pegasus Indicators of Compromise&#8221;<br />
&#8220;Predator Spyware Indicators of Compromise&#8221;<br />
&#8220;RCS Lab Spyware Indicators of Compromise&#8221;<br />
&#8220;Stalkerware Indicators of Compromise&#8221;<br />
&#8220;Surveillance Campaign linked to mercenary spyware company&#8221;<br />
&#8220;Quadream KingSpawn Indicators of Compromise&#8221;<br />
&#8220;Operation Triangulation Indicators of Compromise&#8221;<br />
&#8220;WyrmSpy and DragonEgg Indicators of Compromise&#8221;</div>
</div>
</div>
<div class="blog-post-content__section--text">
<ul>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded"><a href="https://github.com/AmnestyTech/investigations">Indicators from Amnesty International’s investigations</a></li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded"><a href="https://github.com/mvt-project/mvt-indicators">Index and collection of MVT compatible indicators of compromise</a></li>
</ul>
<p>The next step is to launch the scanning:</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">mvt-ios check-backup --output /path/to/output/ /path/to/decrypted/</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>The users will obtain the following <a href="https://docs.mvt.re/en/latest/ios/records/">set of JSON files for analysis</a>.</p>
<p>If any infections are detected, the users will receive a *_detected.json file with detections.</p>
<div id="attachment_31382" class="wp-caption alignnone">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18333" src="https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8.png" alt="" width="1600" height="399" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8.png 1600w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8-400x100.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8-1024x255.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8-768x192.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/1-8-1536x383.png 1536w" sizes="(max-width: 1600px) 100vw, 1600px" /></p>
<p id="caption-attachment-31382" class="wp-caption-text">Image 1: Result of MVT IOCs scan with four detections</p>
</div>
<div id="attachment_31383" class="wp-caption alignnone">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18334" src="https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7.png" alt="" width="1600" height="380" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7.png 1600w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7-400x95.png 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7-1024x243.png 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7-768x182.png 768w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/2-7-1536x365.png 1536w" sizes="(max-width: 1600px) 100vw, 1600px" /></p>
<p id="caption-attachment-31383" class="wp-caption-text">Image 2: The detected results are saved in separate files with “_detected” ending</p>
</div>
<p>If spyware or malware for which no IoCs exist is suspected, so the scan returns no detections, and a full file system dump isn’t feasible, users will need to work with the resources at hand. The most valuable files in the backup include:</p>
<p><em><b>Safari_history.json</b></em> – check for any suspicious redirects and websites.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">&#8220;id&#8221;: 5,<br />
&#8220;url&#8221;: &#8220;http://yahoo.fr/&#8221;,<br />
&#8220;visit_id&#8221;: 7,<br />
&#8220;timestamp&#8221;: 726652004.790012,<br />
&#8220;isodate&#8221;: &#8220;2024-01-11 07:46:44.790012&#8221;,<br />
&#8220;redirect_source&#8221;: null,<br />
&#8220;redirect_destination&#8221;: 8,<br />
&#8220;safari_history_db&#8221;: &#8220;1a/1a0e7afc19d307da602ccdcece51af33afe92c53&#8221;</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p><em><b>Datausage.json </b></em>– check for suspicious processes.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">&#8220;first_isodate&#8221;: &#8220;2023-11-21 15:39:34.001225&#8221;,<br />
&#8220;isodate&#8221;: &#8220;2023-12-14 03:05:02.321592&#8221;,<br />
&#8220;proc_name&#8221;: &#8220;mDNSResponder/com.apple.datausage.maps&#8221;,<br />
&#8220;bundle_id&#8221;: &#8220;com.apple.datausage.maps&#8221;,<br />
&#8220;proc_id&#8221;: 69,<br />
&#8220;wifi_in&#8221;: 0.0,<br />
&#8220;wifi_out&#8221;: 0.0,<br />
&#8220;wwan_in&#8221;: 3381.0,<br />
&#8220;wwan_out&#8221;: 8224.0,<br />
&#8220;live_id&#8221;: 130,<br />
&#8220;live_proc_id&#8221;: 69,<br />
&#8220;live_isodate&#8221;: &#8220;2023-12-14 02:45:10.343919&#8221;</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p><em><b>Os_analytics_ad_daily.json</b></em> – check for suspicious processes.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">&#8220;package&#8221;: &#8220;storekitd&#8221;,<br />
&#8220;ts&#8221;: &#8220;2023-07-11 05:24:31.981691&#8221;,<br />
&#8220;wifi_in&#8221;: 400771.0,<br />
&#8220;wifi_out&#8221;: 52607.0,<br />
&#8220;wwan_in&#8221;: 0.0,<br />
&#8220;wwan_out&#8221;: 0.0</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>Keeping a backup copy of a control device is required to maintain a record of the current names of legitimate processes within a specific iOS version. This control device can be completely reset and reconfigured with the same iOS version. Although annual releases often introduce significant changes, new legitimate processes may still be added, even within a year, through major system updates.</p>
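<p>The control-device comparison described above, as an added example (not Group-IB's or MVT's own code): it builds a baseline of process names from a clean device's results and lists the processes in the suspect results that the baseline lacks, with their traffic totals. The sample records and the <code>constructed-*</code> names are constructed; a name missing from the baseline is a lead to investigate, not a verdict.</p>

```python
import json
from pathlib import Path

# Process-related result files named on this page, in the lowercase form MVT writes.
RESULT_FILES = ("datausage.json", "os_analytics_ad_daily.json")
TIME_FIELDS = ("first_isodate", "isodate", "ts")


def load_results(output_dir):
    """Load whichever of RESULT_FILES exist in an mvt-ios check-backup output dir."""
    records = []
    for name in RESULT_FILES:
        path = Path(output_dir) / name
        if path.is_file():
            records.extend(json.loads(path.read_text(encoding="utf-8")))
    return records


def process_name(record):
    """Executable name: datausage uses "process/bundle" in proc_name,
    os_analytics_ad_daily uses the bare name in package."""
    raw = record.get("proc_name") or record.get("package") or ""
    return raw.split("/", 1)[0].strip()


def build_baseline(control_records):
    """Process names observed on the clean control device."""
    return {process_name(r) for r in control_records} - {""}


def _total(record, fields):
    """Sum traffic counters, treating missing or null values as zero."""
    return sum(float(record.get(f) or 0) for f in fields)


def unknown_processes(suspect_records, baseline):
    """Summarise suspect-device processes that the control baseline lacks."""
    seen = {}
    for record in suspect_records:
        name = process_name(record)
        if not name or name in baseline:
            continue
        entry = seen.setdefault(
            name, {"process": name, "bundle_ids": set(), "stamps": [],
                   "bytes_in": 0.0, "bytes_out": 0.0})
        if record.get("bundle_id"):
            entry["bundle_ids"].add(record["bundle_id"])
        entry["stamps"] += [record[k] for k in TIME_FIELDS if record.get(k)]
        entry["bytes_in"] += _total(record, ("wifi_in", "wwan_in"))
        entry["bytes_out"] += _total(record, ("wifi_out", "wwan_out"))

    findings = []
    for entry in seen.values():
        stamps = entry.pop("stamps")
        entry["bundle_ids"] = sorted(entry["bundle_ids"])
        # MVT isodate strings sort chronologically as plain text.
        entry["first_seen"] = min(stamps) if stamps else None
        entry["last_seen"] = max(stamps) if stamps else None
        findings.append(entry)
    # Review order: largest outbound volume first, then by name.
    return sorted(findings, key=lambda e: (-e["bytes_out"], e["process"]))


# Constructed control-device records, shaped like the excerpts on this page.
CONTROL_RECORDS = [
    {"proc_name": "mDNSResponder/com.apple.datausage.maps",
     "bundle_id": "com.apple.datausage.maps",
     "first_isodate": "2023-11-21 15:39:34.001225",
     "isodate": "2023-12-14 03:05:02.321592",
     "wifi_in": 0.0, "wifi_out": 0.0, "wwan_in": 3381.0, "wwan_out": 8224.0},
    {"package": "storekitd", "ts": "2023-07-11 05:24:31.981691",
     "wifi_in": 400771.0, "wifi_out": 52607.0, "wwan_in": 0.0, "wwan_out": 0.0},
]

# Constructed suspect-device records: the control set plus two unknown names.
SUSPECT_RECORDS = CONTROL_RECORDS + [
    {"proc_name": "constructed-procd/com.example.constructed",
     "bundle_id": "com.example.constructed",
     "first_isodate": "2024-01-10 22:01:07.000000",
     "isodate": "2024-01-11 07:49:02.000000",
     "wifi_in": 1200.0, "wifi_out": 0.0, "wwan_in": 0.0, "wwan_out": 512000.0},
    {"package": "constructed-procd", "ts": "2024-01-11 07:50:00.000000",
     "wifi_in": 0.0, "wifi_out": 2048.0, "wwan_in": 300.0, "wwan_out": 0.0},
    {"package": "constructed-helper", "ts": "2024-01-11 07:51:00.000000",
     "wifi_in": 0.0, "wifi_out": 10.0, "wwan_in": 0.0, "wwan_out": 0.0},
]

if __name__ == "__main__":
    # With real data: unknown_processes(load_results(suspect_dir),
    #                                   build_baseline(load_results(control_dir)))
    baseline = build_baseline(CONTROL_RECORDS)
    print(json.dumps(unknown_processes(SUSPECT_RECORDS, baseline), indent=2))
```

<p>Both output directories should come from devices on the same iOS version, since the set of legitimate process names changes between releases.</p>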
<p><em><b>Sms.json</b></em> – check for links, the content of these links, and domain information.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">
<pre>        "ROWID": 97,
        "guid": "9CCE3479-D446-65BF-6D00-00FC30F105F1",
        "text": "",
        "replace": 0,
        "service_center": null,
        "handle_id": 1,
        "subject": null,
        "country": null,
        "attributedBody": "",
        "version": 10,
        "type": 0,
        "service": "SMS",
        "account": "P:+66********",
        "account_guid": "54EB51F8-A905-42D5-832E-D98E86E4F919",
        "error": 0,
        "date": 718245997147878016,
        "date_read": 720004865472528896,
        "date_delivered": 0,
        "is_delivered": 1,
        "is_finished": 1,
        "is_emote": 0,
        "is_from_me": 0,
        "is_empty": 0,
        "is_delayed": 0,
        "is_auto_reply": 0,
        "is_prepared": 0,
        "is_read": 1,
        "is_system_message": 0,
        "is_sent": 0,
        "has_dd_results": 1,
        "is_service_message": 0,
        "is_forward": 0,
        "was_downgraded": 0,
        "is_archive": 0,
        "cache_has_attachments": 0,
        "cache_roomnames": null,
        "was_data_detected": 1,
        "was_deduplicated": 0,
        "is_audio_message": 0,
        "is_played": 0,
        "date_played": 0,
        "item_type": 0,
        "other_handle": 0,
        "group_title": null,
        "group_action_type": 0,
        "share_status": 0,
        "share_direction": 0,
        "is_expirable": 0,
        "expire_state": 0,
        "message_action_type": 0,
        "message_source": 0,
        "associated_message_guid": null,
        "associated_message_type": 0,
        "balloon_bundle_id": null,
        "payload_data": null,
        "expressive_send_style_id": null,
        "associated_message_range_location": 0,
        "associated_message_range_length": 0,
        "time_expressive_send_played": 0,
        "message_summary_info": null,
        "ck_sync_state": 0,
        "ck_record_id": null,
        "ck_record_change_tag": null,
        "destination_caller_id": "+66926477437",
        "is_corrupt": 0,
        "reply_to_guid": "814A603F-4FEC-7442-0CBF-970C14217E1B",
        "sort_id": 0,
        "is_spam": 0,
        "has_unseen_mention": 0,
        "thread_originator_guid": null,
        "thread_originator_part": null,
        "syndication_ranges": null,
        "synced_syndication_ranges": null,
        "was_delivered_quietly": 0,
        "did_notify_recipient": 0,
        "date_retracted": 0,
        "date_edited": 0,
        "was_detonated": 0,
        "part_count": 1,
        "is_stewie": 0,
        "is_kt_verified": 0,
        "is_sos": 0,
        "is_critical": 0,
        "bia_reference_id": null,
        "fallback_hash": "s:mailto:ais|(null)(4)&lt;7AD4E8732BAF100ABBAF4FAE21CBC3AE05487253AC4F373B7D1470FDED6CFE91&gt;",
        "phone_number": "AIS",
        "isodate": "2023-10-06 00:46:37.000000",
        "isodate_read": "2023-10-26 09:21:05.000000",
        "direction": "received",
        "links": [
            "https://m.ais.co.th/J1Hpm91ix"
        ]
    },</pre>
</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p><em><b>Sms_attachments.json</b></em> – check for suspicious attachments.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">
<pre>        "attachment_id": 4,
        "ROWID": 4,
        "guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "created_date": 726724286,
        "start_date": "",
        "filename": "~/Library/SMS/Attachments/b8/08/97883E8C-99FA-40ED-8E78-36DAC89B2939/IMG_0005.HEIC",
        "uti": "public.heic",
        "mime_type": "image/heic",
        "transfer_state": 5,
        "is_outgoing": 1,
        "user_info": ",
        "transfer_name": "IMG_0005.HEIC",
        "total_bytes": 1614577,
        "is_sticker": 0,
        "sticker_user_info": null,
        "attribution_info": null,
        "hide_attachment": 0,
        "ck_sync_state": 0,
        "ck_server_change_token_blob": null,
        "ck_record_id": null,
        "original_guid": "97883E8C-99FA-40ED-8E78-36DAC89B2939",
        "is_commsafety_sensitive": 0,
        "service": "iMessage",
        "phone_number": "*",
        "isodate": "2024-01-12 03:51:26.000000",
        "direction": "sent",
        "has_user_info": true
    }</pre>
</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p><em><b>Webkit_session_resource_log.json</b></em> and <em><b>webkit_resource_load_statistics.json</b></em> – check for suspicious domains.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">
<pre>{
        "domain_id": 22,
        "registrable_domain": "sitecdn.com",
        "last_seen": 1704959295.0,
        "had_user_interaction": false,
        "last_seen_isodate": "2024-01-11 07:48:15.000000",
        "domain": "AppDomain-com.apple.mobilesafari",
        "path": "Library/WebKit/WebsiteData/ResourceLoadStatistics/observations.db"
    }</pre>
</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p><em><b>Tcc.json </b></em>– check which applications have been granted which permissions.</p>
</div>
<div class="blog-post-content__section">
<div class="code">
<div class="code__wrapper">
<pre>        "service": "kTCCServiceMotion",
        "client": "com.apple.Health",
        "client_type": "bundle_id",
        "auth_value": "allowed",
        "auth_reason_desc": "system_set",
        "last_modified": "2023-07-11 06:25:15.000000"</pre>
</div>
</div>
</div>
<div class="blog-post-content__section--text">
<p>To collect data about processes, users can use Xcode Instruments.</p>
<p><b><i>Note: Developer mode must be enabled on the iOS device.</i></b></p>
<div id="attachment_31384" class="wp-caption alignnone">
<p><img loading="lazy" decoding="async" class="alignnone size-full wp-image-18331" src="https://goodshepherdmedia.net/wp-content/uploads/2024/07/3.jpg.webp" alt="" width="787" height="482" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/07/3.jpg.webp 787w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/3.jpg-400x245.webp 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/3.jpg-768x470.webp 768w" sizes="(max-width: 787px) 100vw, 787px" /></p>
<p id="caption-attachment-31384" class="wp-caption-text">Image 3: Xcode Instruments profile selection</p>
</div>
<p>Process data collection:</p>
<div id="attachment_31381" class="wp-caption alignnone">
<figure id="attachment_18332" aria-describedby="caption-attachment-18332" style="width: 1600px" class="wp-caption alignnone"><img loading="lazy" decoding="async" class="size-full wp-image-18332" src="https://goodshepherdmedia.net/wp-content/uploads/2024/07/4.jpg" alt="" width="1600" height="791" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/07/4.jpg 1600w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/4-400x198.jpg 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/4-1024x506.jpg 1024w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/4-768x380.jpg 768w, https://goodshepherdmedia.net/wp-content/uploads/2024/07/4-1536x759.jpg 1536w" sizes="(max-width: 1600px) 100vw, 1600px" /><figcaption id="caption-attachment-18332" class="wp-caption-text">Screenshot</figcaption></figure>
<p id="caption-attachment-31381" class="wp-caption-text">Image 4: Process list from iPhone</p>
</div>
<h2>Overcoming the iOS interception challenge</h2>
<h3>For the common public</h3>
<p>iOS security architecture typically prevents normal apps from performing unauthorized surveillance. However, a jailbroken device can bypass these security measures. Pegasus and other mobile malware may use remote jailbreak exploits to evade detection by security mechanisms. This enables operators to install new software, extract data, and monitor and collect information from targeted devices.</p>
<p>Warning signs of an infection on the device include:</p>
<ul>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Slower device performance</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Spontaneous reboots or shutdowns</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Rapid battery drain</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Appearance of previously uninstalled applications</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Unexpected redirects to unfamiliar websites</li>
</ul>
<p>This underscores the critical importance of keeping devices up to date and prioritizing mobile security. Recommendations for end-users include:</p>
<ul>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Avoid clicking on suspicious links</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Review app permissions regularly</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Enable Lockdown mode for protection against spyware attacks</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Consider disabling iMessage and FaceTime for added security</li>
<li data-rocket-lazy-bg-a30c11c0-84a7-48a5-8145-f58c824a476c="loaded">Always install the latest version of iOS</li>
</ul>
<h3>For businesses: Protect against Pegasus and other APT mobile malware</h3>
<p>Securing mobile devices, applications, and APIs is crucial, particularly when they handle financial transactions and store sensitive data. Organizations operating in critical sectors, government, and other industries, and especially their high-level employees, are prime targets for cyberattacks such as espionage and more.</p>
<p>Researching iOS devices presents challenges due to the closed nature of the system. <a href="https://www.group-ib.com/products/threat-intelligence/">Group-IB Threat Intelligence</a>, however, helps organizations worldwide identify cyber threats in different environments, including iOS, with our recent discovery being <a href="https://www.group-ib.com/media-center/press-releases/golddigger-trojan-vietnam/"><strong>GoldPickaxe.iOS</strong></a> – the first iOS Trojan harvesting facial scans and using them to potentially gain unauthorized access to bank accounts. Group-IB Threat Intelligence provides a constant feed on new and previously conducted cyber attacks, the tactics, techniques, and behaviors of threat actors, and susceptibility of attacks based on your organization’s risk profile— giving a clear picture of how your devices can be exploited by vectors, to initiate timely and effective defense mechanisms.</p>
<p>If you suspect your iOS or Android device has been compromised by Pegasus or similar spyware, turn to our <a href="https://www.group-ib.com/contacts/">experts for immediate support</a>. To perform device analysis or set up additional security measures, organizations can also get in touch with <a href="https://www.group-ib.com/services/digital-forensics/">Group-IB’s Digital Forensics team</a> for assistance. <a href="https://www.group-ib.com/blog/pegasus-spyware/" target="_blank" rel="noopener">source</a></p>
</div>
<hr />
<h1 class="post__title">HOW TO DEFEND YOURSELF AGAINST THE POWERFUL NEW NSO SPYWARE ATTACKS DISCOVERED AROUND THE WORLD</h1>
<p>Even iPhones were vulnerable to the surveillance software, which appears to have been used against activists, journalists, and others.</p>
<p><u>AN INTERNATIONAL GROUP</u> of journalists this month <a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">detailed </a><a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">extensive</a> new <a href="https://www.theguardian.com/world/2021/jul/18/revealed-leak-uncovers-global-abuse-of-cyber-surveillance-weapon-nso-group-pegasus" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">evidence</a> that spyware made by Israeli company NSO Group was used against activists, business executives, journalists, and lawyers around the world. Even Apple’s iPhone, frequently lauded for its tight security, was found to be “<a href="https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">no match</a>” for the surveillance software, leading Johns Hopkins cryptographer Matthew Green to fret that the NSO revelations had led some hacking experts to descend into a posture of “<a href="https://blog.cryptographyengineering.com/2021/07/20/a-case-against-security-nihilism/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">security nihilism</a>.”</p>
<p>Security nihilism is the idea that digital attacks have grown so sophisticated that there’s nothing to be done to prevent them from happening or to blunt their impact. That sort of conclusion would be a mistake. For one thing, it plays into the hands of malicious hackers, who would love nothing more than for targets to stop trying to defend themselves. It’s also mistaken factually: You <i>can</i> defend yourself against NSO’s spyware — for example, by following operational security techniques like not clicking unknown links, practicing device compartmentalization (such as using separate devices for separate apps), and having a virtual private network, or VPN, on mobile devices. Such techniques are effective against any number of digital attacks and thus useful even if NSO Group turns out to be correct in its <a href="https://zetter.substack.com/p/the-nso-surveillance-list-what-it" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">claim that the purported evidence against the company is not valid</a>.</p>
<p>There may be no such thing as perfect security, as one classic adage in the field states, but that’s no excuse for passivity. Here, then, are practical steps you can take to reduce your “attack surface” and protect yourself against spyware like NSO’s.</p>
<h3>Pegasus Offers “Unlimited Access to Target’s Mobile Devices”</h3>
<p>The recent revelations concern a specific NSO spyware product known as Pegasus. They follow extensive prior studies of the company’s software from entities like <a href="https://citizenlab.ca/tag/nso-group/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">the Citizen Lab</a>, <a href="https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Amnesty International</a>, <a href="https://articulo19.org/wp-content/uploads/2017/06/Reporte-Gobierno-Espi%CC%81a-Final.pdf" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Article 19, R3D, and SocialTIC</a>. Here’s what we know about Pegasus specifically.</p>
<p>The software’s capabilities were outlined in what appears to be a <a href="https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">promotional brochure</a> from NSO Group dating to <a href="https://wikileaks.org/hackingteam/emails/emailid/5391" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">2014</a> or earlier and made available when WikiLeaks published a <a href="https://wikileaks.org/hackingteam/emails/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">trove of emails</a> related to a different spyware firm, Italy’s Hacking Team. The brochure’s authenticity cannot be confirmed, and NSO has said it is not commenting further on Pegasus. But the document markets Pegasus aggressively, saying it provides “unlimited access to target’s mobile devices” and allows clients to “remotely and covertly collect information about your target’s relationships, location, phone calls, plans and activities — whenever and wherever they are.” The brochure also states that Pegasus can:</p>
<ul>
<li>Monitor voice and VoIP calls in real-time.</li>
<li>Siphon contacts, passwords, files, and encrypted content from the phone.</li>
<li>Operate as an “environmental wiretap,” listening through the microphone.</li>
<li>Monitor communications through apps like WhatsApp, Facebook, Skype, Blackberry Messenger, and Viber.</li>
<li>Track the phone’s location via GPS.</li>
</ul>
<p>For all the hype, Pegasus is, however, just a glorified version of an old type of malware known as a Remote Access Trojan, or RAT: a program that allows an unauthorized party full access over a target device. In other words, while Pegasus may be potent, the security community knows well how to defend against this type of threat.</p>
<p>Let’s look at the different ways Pegasus can potentially infect phones — its various “agent installation vectors,” in the brochure’s own vernacular — and how to defend against each one.</p>
<h3>Dodging Social Engineering Clickbait</h3>
<p>There are numerous examples in reports of Pegasus attacks of journalists and human rights defenders receiving <a href="https://citizenlab.ca/2020/01/stopping-the-press-new-york-times-journalist-targeted-by-saudi-linked-pegasus-spyware-operator/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">SMS</a> and <a href="https://www.amnesty.org/en/latest/research/2018/08/amnesty-international-among-targets-of-nso-powered-campaign/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">WhatsApp</a> bait messages enjoining them to click malicious links. The links download spyware that lodges into devices through security holes in browsers and operating systems. This attack vector is called an Enhanced Social Engineer Message, or ESEM, in the leaked brochure. It states that “the chances that the target will click the link are totally dependent on the level of content credibility. The Pegasus solution provides a wide range of tools to compose a tailored and innocent message to lure the target to open the message.”</p>
<blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><p>“The chances that the target will click the link are totally dependent on the level of content credibility.”</p></blockquote>
<p>As the Committee to Protect Journalists has <a href="https://cpj.org/2019/11/cpj-safety-advisory-journalist-targets-of-pegasus/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">detailed</a>, ESEM bait messages linked to Pegasus fall into various categories. Some claim to be from established organizations like banks, embassies, news agencies, or parcel delivery services. Others relate to personal matters, like work or alleged evidence of infidelity, or claim that the targeted person is facing some immediate security risk.</p>
<p>Future ESEM attacks may use different types of bait messages, which is why it’s important to treat any correspondence that tries to convince you to perform a digital action with caution. Here are some examples of what that means in practice:</p>
<ul>
<li>If you receive a message with a link, particularly if it includes a sense of urgency (stating a package is about to arrive or that your credit card is going to be charged), avoid the impulse to immediately click on it.</li>
<li>If you trust the linked site, type out the link’s web address manually.</li>
<li>If going to a website you frequently visit, save that website in a bookmark folder and only access the site from the link in your folder.</li>
<li>If you decide you’re going to click a link rather than typing it out or visiting the site via bookmark, at least scrutinize the link to confirm that it is pointing to a website you are familiar with. And remember that it’s possible you will still be fooled: Some phishing links use similar-looking letters from a non-English character set, in what is known as a <a href="https://en.wikipedia.org/wiki/IDN_homograph_attack" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">homograph attack</a>. For example, a Cyrillic “О” might be used to mimic the usual Latin “O” we see in English.</li>
<li>If the link appears to be a shortened URL, use a URL expander service such as <a href="https://urlex.org/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">URL Expander</a> or <a href="https://www.expandurl.net/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">ExpandURL</a> to reveal the actual, long link it points to before clicking.</li>
<li>Before you click a link apparently sent by someone you know, confirm that the person really did send it; their account may have been hacked or their phone number spoofed. Confirm with them using a different communication channel from the one on which you received the message. For instance, if the link came via a text or email message, give the sender a call. This is known as out-of-band verification or authentication.</li>
<li>Practice device compartmentalization, using a secondary device without any sensitive information on it to open untrusted links. Keep in mind that if the secondary device is infected, it may still be used to monitor you via the microphone or camera, so keep it in a <a href="https://www.google.com/search?tbm=shop&amp;q=phone+faraday+bag" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Faraday bag</a> when not in use — or at least away from where you have sensitive conversations (a good idea even if it’s in a Faraday bag).</li>
<li>Use nondefault browsers. According to a section titled “Installation Failure” in the leaked Pegasus brochure, installation may fail if the target is running an <a href="https://www.documentcloud.org/documents/4599753-NSO-Pegasus.html#document/p15/a437978" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">unsupported browser</a> and in particular a browser other than “the default browser of the device.” But the document is now several years old, and it is possible that Pegasus today supports all kinds of browsers.</li>
<li>If there is ever any doubt about a given link, the safest operational security measure is to avoid opening the link.</li>
</ul>
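<p>The homograph trick described in the list above can be checked mechanically before a link is opened. The following is an added example, not part of the original article: it flags hostname labels that mix alphabets and shows the ASCII ("xn--") form that exposes the substitution. The function names and the sample links are constructed for illustration.</p>

```python
import unicodedata
from urllib.parse import urlsplit


def _decode_label(label):
    """Turn an 'xn--' (punycode) label back into the characters it encodes."""
    if label.startswith("xn--"):
        try:
            return label.encode("ascii").decode("idna")
        except UnicodeError:
            return label  # malformed punycode: inspect it as written
    return label


def label_scripts(label):
    """Return the scripts (LATIN, CYRILLIC, GREEK, ...) used by a label's letters."""
    scripts = set()
    for ch in label:
        if not ch.isalpha():
            continue  # digits and hyphens are shared by every script
        # Unicode names begin with the script: "CYRILLIC SMALL LETTER O"
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts


def inspect_link(url):
    """Classify a link's hostname as ascii, idn-single-script or mixed-script."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    labels = [_decode_label(part) for part in host.split(".") if part]
    unicode_host = ".".join(labels)
    try:
        # The ASCII form is what is actually looked up in DNS.
        ascii_form = unicode_host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_form = None
    mixed = [label for label in labels if len(label_scripts(label)) > 1]
    if mixed:
        verdict = "mixed-script"       # e.g. Latin letters with one Cyrillic letter
    elif not unicode_host.isascii():
        verdict = "idn-single-script"  # legitimate IDN or a whole-label lookalike
    else:
        verdict = "ascii"
    return {
        "host": unicode_host,
        "ascii_form": ascii_form,
        "mixed_labels": mixed,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Constructed samples: the second hostname contains U+043E (Cyrillic "o").
    for link in ("https://yahoo.fr/", "https://yah\u043eo.fr/account"):
        result = inspect_link(link)
        print(result["verdict"], result["host"], "->", result["ascii_form"])
```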
<h3>Thwarting Network Injection Attacks</h3>
<p>Another way Pegasus <a href="https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">infected</a> devices in multiple <a href="https://www.amnesty.org/en/latest/research/2020/06/moroccan-journalist-targeted-with-network-injection-attacks-using-nso-groups-tools/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">cases</a> was by intercepting a phone’s network traffic using what’s known as a man-in-the-middle, or <a href="https://en.wikipedia.org/wiki/Man-in-the-middle_attack" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">MITM</a>, attack, in which Pegasus intercepted unencrypted network traffic, like HTTP web requests, and redirected it toward malicious payloads. Pulling this off entailed either tricking the phone into connecting to a rogue portable device which pretends to be a cell tower nearby or gaining access to the target’s cellular carrier (plausible if the target is in a repressive regime where the government provides telecommunication services). This attack worked even if the phone was in mobile data-only mode, and not connected to Wi-Fi.</p>
<p>When <a href="https://www.amnesty.org/en/latest/research/2019/10/Morocco-Human-Rights-Defenders-Targeted-with-NSO-Groups-Spyware/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Maati Monjib</a>, the co-founder of the Freedom Now NGO and the Moroccan Association for Investigative Journalism, opened the iPhone Safari browser and typed yahoo.fr, Safari first tried going to http://yahoo.fr. Normally this would have redirected to https://fr.yahoo.com, an encrypted connection. But since Monjib’s connection was being intercepted, it instead redirected to a malicious third-party site which ultimately hacked his phone.</p>
<blockquote class="stylized pull-left" data-shortcode-type="pullquote" data-pull="left"><p>Typing just the website domain into a browser opens you to attacks, because your browser will attempt an unencrypted connection to the site.</p></blockquote>
<p>Typing just the website domain (such as yahoo.fr) into a browser address bar without specifying a protocol (such as https://) opens the possibility for MITM attacks, because your browser by default will attempt an unencrypted HTTP connection to the site. Usually, you reach the genuine site, which immediately redirects you to a safe HTTPS connection. But if someone is trying to hack your device, that first HTTP connection is enough of an opening to hijack your connection.</p>
<p>Some websites protect against this using a complicated security feature known as <a href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Strict-Transport-Security" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">HTTP Strict Transport Security</a>, which prevents your browser from ever making an unencrypted request to them, but you can’t always count on this, even for some websites that implement it correctly.</p>
<p>Here are some things you can do to prevent these kinds of attacks:</p>
<ul>
<li>Always type out https:// when going to websites.</li>
<li>Bookmark secure (HTTPS) URLs for your favorite sites, and use those instead of typing the domain name directly.</li>
<li>Alternately, use a <a href="https://en.wikipedia.org/wiki/Virtual_private_network" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">VPN</a> on both your desktop and mobile devices. A VPN tunnels all connections securely to the VPN server, which then accesses websites on your behalf and relays them back to you. This means that an attacker monitoring your network will likely not be able to perform a successful MITM attack as your connection is encrypted to the VPN — even if you type a domain directly into your browser without the “https://” part.</li>
</ul>
<p>If you use a VPN, keep in mind that your VPN provider has the ability to spy on your internet traffic, so it’s important to pick a trustworthy one. Wirecutter publishes a regularly updated, thorough <a href="https://www.nytimes.com/wirecutter/reviews/best-vpn-service/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">comparison of VPN providers</a> based on their history of third-party security audits, their privacy and terms of use policies, the security of the VPN technology used, and other factors.</p>
<h3>Zero-Click Exploits</h3>
<p>Unlike infection attempts which require that the target perform some action like clicking a link or opening an attachment, zero-click exploits are so called because they require no interaction from the target. All that is required is for the targeted person to have a particular vulnerable app or operating system installed. Amnesty International’s <a href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">forensic report</a> on the recently revealed Pegasus evidence states that some infections were transmitted through zero-click attacks leveraging the Apple Music and iMessage apps.</p>
<blockquote class="stylized pull-right" data-shortcode-type="pullquote" data-pull="right"><p>Your device should have the bare minimum of apps that you need.</p></blockquote>
<p>This is not the first time NSO Group’s tools have been linked to zero-click attacks. A 2017 <a href="https://cdn2.uvnimg.com/db/e1/9105935b4499804fd3feb1f7f933/martinelli-complaint.pdf" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">complaint</a> against Panama’s former President Ricardo Martinelli states that journalists, political figures, union activists, and civic association leaders were targeted with Pegasus and rogue push notifications delivered to their devices, while in 2019 WhatsApp and Facebook filed a <a href="https://context-cdn.washingtonpost.com/notes/prod/default/documents/bf5edf35-5672-49fa-aca1-edefadff683f/note/8ef25c0d-fee9-416a-b7f9-e0a4dedc66f2.pdf" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">complaint</a> claiming NSO Group developed malware capable of exploiting a zero-click vulnerability in WhatsApp.</p>
<p>As zero-click vulnerabilities by definition do not require any user interaction, they are the hardest to defend against. But users can reduce their chances of succumbing to these exploits by reducing what is known as their “attack surface” and by practicing device compartmentalization. Reducing your attack surface simply means minimizing the possible ways that your device may be infected. Device compartmentalization means spreading your data and apps across multiple devices.</p>
<p>Specifically, users can:</p>
<ul>
<li>Reduce the number of apps on your phone. The fewer unlocked doors your home has, the fewer opportunities a burglar has to enter; similarly, fewer apps means fewer virtual doors on your phone for an adversary to exploit. Your device should have the bare minimum of apps that you need to perform day-to-day functions. There are some apps you cannot remove, such as iMessage; in those cases you can often <a href="https://selfsolve.apple.com/deregister-imessage/" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">disable</a> them, though doing so will also make text messages no longer work on your iPhone.</li>
<li>Regularly audit your installed apps (and their permissions), and remove any that you no longer need. It is safer to remove a seldom-used app and download it again when you actually need it than to let it remain on your phone.</li>
<li>Regularly update both your phone’s operating system and individual apps, since updates close vulnerabilities, <a href="https://www.vice.com/en_us/article/v7gd9b/facebook-helped-fbi-hack-child-predator-buster-hernandez" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">sometimes even unintentionally</a>.</li>
<li>Compartmentalize your remaining apps. If a phone only has WhatsApp installed and is compromised, the hacker will get WhatsApp data, but not other sensitive information like email, calendar, photos, or <a href="https://theintercept.com/2017/05/01/cybersecurity-for-the-people-how-to-keep-your-chats-truly-private-with-signal/">Signal messages</a>.</li>
<li>Even a compartmentalized phone can still be used as a wiretap and a tracking device, so keep devices physically compartmentalized — that is, leave them in another room, ideally in a <a href="https://www.google.com/search?tbm=shop&amp;q=tamper+evident+bag" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">tamper bag</a>.</li>
</ul>
<h3>Physical Access</h3>
<p>A final way an attacker can infect your phone is by physically interacting with it. According to the brochure, “when physical access to the device is an option, the Pegasus agent can be manually injected and installed in less than five minutes” — though it is unclear if the phone needs to be unlocked or if attackers are able to infect even a PIN-protected phone.</p>
<p>There seem to be no known cases of physically launched Pegasus attacks, though such exploits may be difficult to spot and distinguish from online attacks. Here’s how you can mitigate them:</p>
<ul>
<li>Always maintain a line of sight to your devices. Losing sight of your devices opens the possibility of physical compromise. Obviously there is a difference between a customs agent taking your phone at the airport versus you leaving your laptop behind in a room in your residence when you go to the bathroom, but all involve some risk, and you will have to calibrate your own risk tolerance.</li>
<li>Put your device in a tamper bag when it needs to be left unattended, particularly in riskier locations like hotel rooms. This will not prevent the device from being manipulated but will at the least provide a ready alert that the device has been taken out of the bag and <i>might</i> have been tampered with, at which point the device should no longer be used.</li>
<li>Use burner phones and other compartmented devices when entering potentially hostile environments such as government buildings, including embassies and consulates, or when going through border checkpoints.</li>
</ul>
<p>Generally:</p>
<ul>
<li>Use Amnesty International’s <a href="https://mvt.readthedocs.io/en/latest/index.html" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">Mobile Verification Toolkit</a> if you suspect your phone is infected with Pegasus.</li>
<li>Regularly back up important files.</li>
<li>And finally, there’s no harm in regularly <a href="https://support.apple.com/guide/iphone/erase-iphone-iph7a2a9399b/ios" target="_blank" rel="noopener noreferrer" aria-describedby="targetBlankDescription">resetting</a> your phone.</li>
</ul>
<p>Although Pegasus is a sophisticated piece of spyware, there are tangible steps you can take to minimize the chance that your devices will be infected. There’s no foolproof method to eliminate your risk entirely, but there are definitely things you can do to lower that risk, and there’s certainly no need to resort to the defeatist view that we’re “no match” for Pegasus. <a href="https://theintercept.com/2021/07/27/pegasus-nso-spyware-security/" target="_blank" rel="noopener">source</a></p>
<hr />
<h1>How to Check if Your Cellphone Is Infected With Pegasus Spyware</h1>
<p class="rz ti ky tj tk tl">NSO Group’s Pegasus spyware can turn any infected smartphone into a remote microphone and camera, spying on its own owner while also offering the hacker – usually in the form of a state intelligence or law enforcement agency – full access to files, messages and, of course, the user’s location.</p>
<p class="rz ti ky tj tk tl"><a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://www.haaretz.com/ty-tag/nso-0000017f-da35-d718-a5ff-fab5bc8e0000">Pegasus</a> is one of a number of proprietary tools sold as part of the hacker-for-hire industry – and one found at the very high end of that dark market. Other companies offer less expensive services – for example, only providing geolocation services for their clients. So how can you protect yourself? And how can you check to see if your phone has been targeted in the past or is infected now?</p>
<p class="rz ti ky tj tk tl">Haaretz offers a simple, nontechnical explanation on how to check and stay safe&#8230;</p>
<p class="rz ti ky tj tk tl"><strong class="ey">The weakest link</strong></p>
<p class="rz ti ky tj tk tl">Most cellphone spyware operates in a similar fashion: a nefarious message is sent to a phone. The message usually contains a link that will either download the malware onto your device directly, or refer it to a website that will prompt a download – all unbeknown to the phone’s owner.</p>
<p class="rz ti ky tj tk tl">There are other ways to get your phone to download something that don&#8217;t involve a message. However, from the moment of infection, most spyware tools follow a similar protocol: once installed, the spyware contacts what is called a “command-and-control” server, which provides it with instructions remotely.</p>
<p class="rz ti ky tj tk tl">“Let’s say the Israel Police are the ones who installed Pegasus on your smartphone and they want to know where you – or, more precisely, your phone – has been in the previous 24 hours. To get that information, instructions to obtain that data are sent to a C&amp;C server connected to the phone,” explains Dr. Gil David, a researcher and cybersecurity consultant.</p>
<div class="undefined hy">
<div class="FI_PH">The best way to stay safe, any cybersecurity expert will tell you, is to never – ever! – open any link sent to you, unless it&#8217;s a link you are expecting from someone you know and trust.</div>
</div>
<div class="undefined hy">
<div class="FI_PH">The reason is that, once infected, “the C&amp;C server communicates between the hacker and the spyware installed on your phone. Without it, the hacker has no way of relaying instructions to Pegasus, and Pegasus has no way to get information from the victim’s phone back to the hacker,” David writes in Haaretz Hebrew.</div>
</div>
<p class="rz ti ky tj tk tl">Many times, the links sent to you will appear innocent. It may look like a message from the Post Office or Amazon. But don’t be fooled: Through some simple social engineering and a process called “DNS spoofing,” even an official-looking URL may be a trap.</p>
<div class="undefined hy">
<div class="FI_PH"><strong class="ey" style="color: #ff0000;">Double zero</strong></div>
</div>
<p class="rz ti ky tj tk tl">Sadly, staying safe is not always possible.</p>
<p class="rz ti ky tj tk tl">What makes Pegasus so expensive is its ability to not just potentially infect any smartphone selected for targeting remotely, but to do so with a “zero click” infection. This means your phone can be infected without you even having to click on a link – for example, with the code instructing your phone to reach out to the server secretly encoded into a WhatsApp message or even in a file like a photo texted to you via iMessage.</p>
<p class="rz ti ky tj tk tl">These “zero click” attacks make use of what is called “zero-day” exploits: unknown loopholes in your phone’s defenses that allow these hidden bits of code to kick into action without the victim doing anything.</p>
<p class="rz ti ky tj tk tl">So, another good practice is to make sure your phone’s operating system is as updated as possible: As new exploits are discovered, they are quickly “patched” by the likes of Apple and Google.</p>
<p class="rz ti ky tj tk tl">According to digital forensics experts Amnesty International and Citizen Lab, Pegasus’ zero click infections have only been found on iPhones. “Most recently, a successful ‘zero-click’ attack has been observed exploiting multiple zero-days to attack a fully patched iPhone 12 running iOS 14.6 in July 2021,” Amnesty notes in its instructive report <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">&#8220;How to Catch NSO Group&#8217;s Pegasus.&#8221;</a></p>
<p class="rz ti ky tj tk tl">It seems Pegasus’ ability to infect iPhones was based on a previously unknown loophole in the iMessage service, and this too has subsequently been patched. However, other Israeli firms, for instance QuaDream, reportedly have such abilities as well.</p>
<p class="rz ti ky tj tk tl">“From 2019, an increasing amount of vulnerabilities in iOS, especially iMessage and FaceTime, started getting patched thanks to their discoveries by vulnerability researchers, or to cybersecurity vendors reporting exploits discovered in-the-wild,” Amnesty writes – so make sure your phone is updated.</p>
<h2 class="rz ti ky tj tk tl"><span style="color: #ff0000;"><strong class="ey">Indicators of compromise</strong></span></h2>
<p class="rz ti ky tj tk tl">Groups like Amnesty and Citizen Lab find NSO’s spyware on phones using two different methods. Both involve searching for what is termed “indicators of compromise,” or IOCs.</p>
<p class="rz ti ky tj tk tl">Amnesty maintains a database of nefarious domains used by NSO’s clients. The list is constantly updated as more bogus URLs are found. Citizen Lab, meanwhile, also maintains a database of so-called vectors: messages sent to victims containing nefarious code or URLs. The two groups each maintain updated lists of Pegasus-related processes that together permit attribution.</p>
<p class="rz ti ky tj tk tl">The only thing that has changed with Pegasus over the years is the way your phone is referred to the server, and the way the so-called payload is delivered.</p>
<p class="rz ti ky tj tk tl">“While SMS messages carrying malicious links were the tactic of choice for NSO Group’s customers between 2016 and 2018, in more recent years they appear to have become increasingly rare,” Amnesty wrote in its <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/">July 2021 report</a>.</p>
<p class="rz ti ky tj tk tl">The newer trend, discovered in the case of Moroccan journalist <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://www.amnesty.org/en/latest/news/2020/06/nso-spyware-used-against-moroccan-journalist/">Omar Radi, who was infected with Pegasus in 2020</a>, is what is known as “packet injection.” This means that the download order is delivered not through a message but instead through your network, in the form of a hidden command “injected” into the phone through what Amnesty describes as “tactical devices, such as rogue cell towers, or through dedicated equipment placed at the mobile operator.</p>
<p class="rz ti ky tj tk tl">“The discovery of network injection attacks in Morocco signaled that the attackers’ tactics were indeed changing. Network injection is an effective and cost-efficient attack vector for domestic use especially in countries with leverage over mobile operators,” it explained.</p>
<p class="rz ti ky tj tk tl">As NSO’s clients are state agencies, they can easily make use of the mobile infrastructure to infect phones.</p>
<p class="rz ti ky tj tk tl">Therefore, and though such injection infections can also be forced upon you, other good practices include never using free Wi-Fi; never connecting to wireless networks you do not absolutely know are secure – as these networks can easily be hacked so they infect your phone and refer it to the snooping server. Not using so-called VPNs is also advisable for the same reason.</p>
<p class="rz ti ky tj tk tl">Chances are you have not been infected with Pegasus. However, if you have cause for concern and are scared you are or were infected, there are a few options:</p>
<p class="rz ti ky tj tk tl">Amnesty offers a useful, free and open source tool called the Mobile Verification Toolkit that can check a backup of your device or its logs for any IOC. The MVT will scan your iPhone’s logs for Pegasus-related processes or search your Android&#8217;s messages for nefarious links. The tool <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://github.com/mvt-project/mvt?fbclid=IwAR0JV7V9TcMh5Kbe5aKi9cnxqbv5IFyhgHpdT8aesFiwS5h5xSztlEoOg6k">can be downloaded here</a>. The bad news is that it requires some technical know-how and is currently devoid of a simple-to-use interface. To get it to work, you first need to make a specific type of backup of your phone, and then you need to download the program and run the code on your computer so it can scan the file you created. Running the program requires you to download Python. Luckily, the <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://web.archive.org/web/20210830112025/https://docs.mvt.re/en/latest/install.html">tool comes with very clear instructions</a>, and even those unskilled in code can make use of it with a bit of effort. Furthermore, it also allows you to conduct the test yourself.</p>
<p class="rz ti ky tj tk tl">A similar product is <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://imazing.com/guides/detect-pegasus-and-other-spyware-on-iphone">iMazing</a>, a phone-backup platform that runs on your desktop and provides an MVT-like analysis of your device. It does not prevent infections but can check your phone for IOCs.</p>
<p class="rz ti ky tj tk tl">If the best offense is defense, there’s also a growing cellphone security market. Cyberdefense firms like ZecOps offer organizations like the BBC and Fortune 2000 companies a platform that inspects phones for current infections or traces of historic attacks. ZecOps also provides this service pro bono for journalists involved in the <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="https://www.haaretz.com/israel-news/tech-news/2021-07-18/ty-article/.premium/nsos-pegasus-the-israeli-cyber-weapon-used-against-180-journalists/0000017f-dc8d-df62-a9ff-dcdfe86d0000">Pegasus Project</a>. Private users can also buy such services. For example, the Israeli-Indian security firm SafeHouse Technologies offers an app called “BodyGuard” that provides defenses for your phone, for a small price. It already has more than a million users, mostly in India.</p>
<p class="rz ti ky tj tk tl">If you can’t get the Mobile Verification Toolkit to work and are reluctant to use an app, and you genuinely fear you have been targeted, you can also <a class="su sv sw sx iy ks sy sz ta tb tc td sc fj jl jm" href="mailto:omerbenj@protonmail.com?subject=Pegasus%20test%20request%20tip">drop us a tip here</a> and we at Haaretz will get you checked. <a href="https://www.haaretz.com/israel-news/tech-news/2022-02-09/ty-article/how-to-check-if-your-cellphone-is-infected-with-pegasus/0000017f-e5a4-df5f-a17f-fffe3ea20000" target="_blank" rel="noopener">source</a></p>
<hr />
<h1 class="post-title single-post-title entry-title">HOW TO DETECT PEGASUS SPYWARE</h1>
<p>As one of the leading commercial spyware programs, Pegasus has been used by a host of companies, governments, and other entities to collect sensitive data from individuals’ smartphones. If Pegasus is deployed on your smartphone, your sensitive data could be at risk.<span id="more-12891"></span></p>
<p>Read on to learn how to detect Pegasus spyware on your smartphone.</p>
<h2><b>How to Detect Pegasus Spyware</b><b> on Your Smartphone</b></h2>
<p>The data privacy demands of today’s IT landscape call for robust mobile security, as more individuals rely on smartphone applications for essential day-to-day tasks.</p>
<p>Safeguarding your smartphone data from threats like Pegasus starts with knowing how to:</p>
<ul>
<li aria-level="1"><em>Scan for and detect Pegasus spyware on your smartphone</em></li>
<li aria-level="1"><em>Identify Pegasus spyware installed on your smartphone</em></li>
<li aria-level="1"><em>Remove Pegasus spyware from your Android or iPhone</em></li>
<li aria-level="1"><em>Prevent Pegasus spyware from compromising your smartphone data </em></li>
</ul>
<p>Dealing with advanced mobile security risks like Pegasus spyware is much easier with the help of a managed security services provider (MSSP), who can advise on how to detect Pegasus spyware on iPhone or Android.</p>
<h2><b>What is Pegasus Spyware?</b></h2>
<p>Developed by the NSO Group in Israel, Pegasus is signature spyware that has been implicated in the secret surveillance of individuals worldwide. Pegasus spyware is considered dangerous because it allows an attacker to control a victim’s smartphone.</p>
<p>Using Pegasus spyware, a perpetrator can:</p>
<ul>
<li aria-level="1">Wiretap and listen to conversations</li>
<li aria-level="1">Access photos and videos</li>
<li aria-level="1">Control applications on a smartphone</li>
</ul>
<p>It is difficult and often impossible for antivirus solutions to detect Pegasus spyware because it exploits zero-day vulnerabilities, which are unknown to the developers of these solutions.</p>
<h2><b>How to Detect Pegasus Spyware</b></h2>
<p>Over years of extensive research, Amnesty International has developed a methodology to detect Pegasus spyware on smartphones, providing it to the public as a resource on GitHub.</p>
<p>Using Amnesty International’s methodology, you can find a list of:</p>
<ul>
<li aria-level="1"><em>Domain names of Pegasus infrastructure</em></li>
<li aria-level="1"><em>Email addresses identified in previous attacks</em></li>
<li aria-level="1"><em>Process names associated with Pegasus</em></li>
</ul>
<p>Beyond the indicators of Pegasus compromise methodology, Amnesty International also released a Mobile Verification Toolkit (MVT) to help support users interested in detecting Pegasus spyware on their smartphones. With the help of Amnesty International’s spyware detection tools, you can learn how to detect Pegasus spyware on Android or iPhone.</p>
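<p>Both the “Indicators of compromise” section above and this list of domain names, email addresses and process names describe the same kind of check: comparing what is found on a phone against published indicators. The following is an added example of that matching logic, not code from the Mobile Verification Toolkit or from either article. Every indicator, message and process name in it is a constructed placeholder.</p>

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

# Constructed placeholder indicators (not real Pegasus IOCs).
IOC_DOMAINS = {"parcel-status.example", "cdn-updates.test"}
IOC_EMAILS = {"alerts@mail-service.example"}
IOC_PROCESSES = {"placeholderd"}

# Constructed sample artifacts, shaped like data pulled from a phone backup.
MESSAGES = [
    {"id": 1, "sender": "+10000000001",
     "text": "Your package is held. Track: https://parcel-status.example/t/8841."},
    {"id": 2, "sender": "Alerts@Mail-Service.example",
     "text": "Your account review is attached."},
    {"id": 3, "sender": "+10000000002",
     "text": "Login: https://bank.example@img.cdn-updates.test/a"},
    {"id": 4, "sender": "+10000000003",
     "text": "See https://parcel-status.example.safe-site.test/ and http://news.example/"},
]
PROCESSES = [
    {"time": "2021-07-01T10:02:11", "name": "launchd"},
    {"time": "2021-07-01T10:02:15", "name": "placeholderd"},
]


def matched_ioc_domain(host, ioc_domains):
    """Return the indicator that equals the host or is one of its parent domains."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):  # never match on the bare top-level domain
        candidate = ".".join(labels[i:])
        if candidate in ioc_domains:
            return candidate
    return None


def scan_messages(messages, ioc_domains, ioc_emails):
    """Flag messages whose sender or linked hostname appears in the indicator lists."""
    findings = []
    for msg in messages:
        sender = msg["sender"].lower()
        if sender in ioc_emails:
            findings.append((msg["id"], "sender", sender))
        for url in URL_RE.findall(msg["text"]):
            url = url.rstrip(".,)")  # drop sentence punctuation glued to the link
            try:
                # Parse the URL: the real host is what follows any "user@" part,
                # so a substring search for a trusted name would be misleading.
                host = urlsplit(url).hostname
            except ValueError:
                continue
            hit = matched_ioc_domain(host, ioc_domains) if host else None
            if hit:
                findings.append((msg["id"], "domain", hit))
    return findings


def scan_processes(records, ioc_processes):
    """Flag process records whose name is a known indicator."""
    return [(r["time"], "process", r["name"])
            for r in records if r["name"] in ioc_processes]


if __name__ == "__main__":
    for finding in scan_messages(MESSAGES, IOC_DOMAINS, IOC_EMAILS):
        print(finding)
    for finding in scan_processes(PROCESSES, IOC_PROCESSES):
        print(finding)
```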
<h3><b>How to Detect Pegasus </b><b>Spyware </b><b>on iOS</b></h3>
<p>Here’s how to check for Pegasus spyware on iOS devices such as iPhones:</p>
<ul>
<li aria-level="1">Create a backup of encrypted data on a device other than your smartphone</li>
<li aria-level="1">Once your smartphone is securely backed up, download the MVT tool onto your iPhone and follow Amnesty International’s instructions for detecting Pegasus.</li>
</ul>
<p>Whereas other apps can detect Pegasus on iOS, it’s best to follow Amnesty International’s instructions or work with a <strong>qualified MSSP</strong> to avoid running into any issues while detecting the spyware.</p>
<h3><b>How to Detect Pegasus </b><b>Spyware </b><b>on Android</b></h3>
<p>Although the MVT mostly caters to iOS devices, it can still detect Pegasus on Android.</p>
<p>If you are wondering how to detect Pegasus spyware on Android with the MVT, the first places to start looking are potentially malicious text messages and APKs on your smartphone.</p>
<h2><b>How Pegasus Works</b></h2>
<p>For most Pegasus infections, the spyware is installed remotely on victims’ smartphones. However, Pegasus can be installed physically, and, in some cases, it can use the victim’s smartphone for data storage prior to transmitting data to a remote server.</p>
<h3><b>Pegasus Remote Installation</b></h3>
<p>Pegasus spyware can be remotely installed on a smartphone via:</p>
<ul>
<li aria-level="1"><b>Zero-click attacks</b> – Zero-click exploits typically leverage applications such as Apple Music or iMessage to send requests to the victim’s smartphone. Here, the victim does not interact with the spyware and is unaware that Pegasus spyware has been downloaded.</li>
<li aria-level="1"><b>Malicious text messages</b> – A victim receives a text message containing an exploit link for a Pegasus spyware download. Clicking the link deploys spyware on the victim’s smartphone.</li>
<li aria-level="1"><b>Network injection attack</b> – While browsing the Internet, a victim is redirected from a clear-text HTTP website to a decoy of a legitimate business. Unknowingly, a victim may then provide access credentials or other sensitive information.</li>
</ul>
<p>In most cases, remote installation of Pegasus spyware on victims’ phones via zero-click attacks leverages zero-day vulnerabilities, of which the smartphone manufacturer may not be aware.</p>
<p>This makes Pegasus spyware very dangerous to its victims, who may not realize their sensitive data is being surveilled until it is too late.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-10971" src="https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-300x120.jpg" sizes="(max-width: 825px) 100vw, 825px" srcset="https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-300x120.jpg 300w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-768x306.jpg 768w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-1024x408.jpg 1024w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-1170x466.jpg 1170w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning-585x233.jpg 585w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/planning.jpg 1277w" alt="planning" width="825" height="330" /></p>
<h3><b>Pegasus Physical Installation</b></h3>
<p>While it is uncommon, Pegasus can be installed by connecting a victim’s smartphone to another device such as a computer to deploy the spyware. However, this would involve the difficult task of accessing a victim’s smartphone without their knowledge.</p>
<p>&nbsp;</p>
<h3><b>Pegasus Data Management</b></h3>
<p>According to NSO, the spyware will transmit data from a victim’s smartphone to a server where the attacker can access the data. However, if Pegasus is unable to send data to a server, it will transmit the data to a “hidden and encrypted buffer” within the phone’s storage.</p>
<p>&nbsp;</p>
<h2><b>What Data Can Pegasus Access?</b></h2>
<p>Once deployed on a smartphone, Pegasus spyware can access a range of data, including:</p>
<ul>
<li aria-level="1">Text messages</li>
<li aria-level="1">Emails</li>
<li aria-level="1">Photos and videos</li>
<li aria-level="1">Personal contacts</li>
<li aria-level="1">Location</li>
<li aria-level="1">Audio messages and recordings</li>
</ul>
<p>Detecting Pegasus spyware on your smartphone is critical to minimizing the risks of your sensitive data being exposed by perpetrators.</p>
<p>&nbsp;</p>
<h3><b>Can Pegasus be Removed?</b></h3>
<p>You can remove Pegasus from your smartphone by attempting the following actions:</p>
<ul>
<li aria-level="1">Restarting your smartphone, to put a temporary stop to Pegasus</li>
<li aria-level="1">Resetting your smartphone to its factory settings, which <i>may</i> remove Pegasus</li>
<li aria-level="1">Updating your smartphone’s system software and apps to current versions</li>
<li aria-level="1">Removing any unknown device connections to social media platforms</li>
</ul>
<p>When removing Pegasus from your smartphone, it is always best to work with the MVT resource provided by Amnesty International. If Pegasus spyware removal becomes difficult, consider consulting an MSSP for help.</p>
<p><img loading="lazy" decoding="async" class="alignnone wp-image-10968" src="https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-300x117.jpg" sizes="(max-width: 818px) 100vw, 818px" srcset="https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-300x117.jpg 300w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-768x300.jpg 768w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-1024x400.jpg 1024w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-1170x456.jpg 1170w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident-585x228.jpg 585w, https://blog.rsisecurity.com/wp-content/uploads/2021/12/incident.jpg 1279w" alt="incident" width="818" height="319" /></p>
<h2><b>What to Do if You Have Pegasus</b></h2>
<p>According to Reporters Without Borders (RSF), here’s what to do if you have Pegasus:</p>
<ul>
<li aria-level="1">Buy a new smartphone and stop using the one infected with Pegasus, ensuring the compromised smartphone is not close to you or your work environment.</li>
<li aria-level="1">Change passwords for all accounts on the new smartphone and remember to sign out of the accounts on the compromised one.</li>
</ul>
<p>If you have Pegasus, it is best to contact an experienced MSSP, who will point you to Pegasus spyware removal tools that will help remove Pegasus and keep your data safe.</p>
<p>&nbsp;</p>
<h2><b>Other Spyware like Pegasus</b></h2>
<p>Besides Pegasus, other types of spyware include:</p>
<ul>
<li aria-level="1">Trojans, which can steal a victim’s funds or credentials to make fraudulent purchases.</li>
<li aria-level="1">Stealware, which can intercept traffic from online shopping sites like those offering credits or rewards for purchases.</li>
</ul>
<p>With everyone using smartphones or tablets to store sensitive information like account passwords, securing these devices from spyware and other forms of malware is paramount.</p>
<p>In an organizational setting, it is critical for leadership to emphasize the importance of mobile security in defending sensitive data stored on smartphones from various types of spyware.</p>
<p>&nbsp;</p>
<h2><b>How to Protect From Pegasus and Other Spyware</b></h2>
<p>Protecting your organization from Pegasus and other spyware revolves around implementing mobile device security best practices such as:</p>
<ul>
<li aria-level="1">Encrypting any communication of sensitive data with industry-standard algorithms</li>
<li aria-level="1">Keeping up-to-date with the latest phishing and malware attempts</li>
<li aria-level="1">Updating your smartphone or mobile device with the latest security patches</li>
<li aria-level="1">Using strong passwords and multi-factor authentication on all mobile devices</li>
<li aria-level="1">Conducting routine penetration testing on mobile devices that contain sensitive data</li>
</ul>
<p>If you are wondering how to block Pegasus spyware, some of the mobile security best practices above can help. However, it’s best to implement them with the guidance of a leading MSSP. <a href="https://blog.rsisecurity.com/how-to-detect-pegasus-spyware/#:~:text=Although%20the%20MVT%20mostly%20caters,and%20APKs%20on%20your%20smartphone." target="_blank" rel="noopener">source</a></p>
<hr />
<h1 class="Page-headline">Journalists, lawyers and activists hacked with Pegasus spyware in Jordan, forensic probe finds</h1>
<div class="StoryPage-actions-wrapper">
<div class="Page-byline"></div>
</div>
<div class="RichTextStoryBody RichTextBody">
<p>Pegasus spyware was used in Jordan to hack the cellphones of at least 30 people, including journalists, lawyers, human rights and political activists, the digital rights group Access Now said Thursday.</p>
<p>The hacking with <span class="LinkEnhancement">spyware</span> made by Israel’s <span class="LinkEnhancement">NSO Group</span> occurred from 2019 until last September, Access Now said in its report. It did not accuse Jordan’s government of the hacking.</p>
<p>One of the targets was Human Rights Watch’s deputy director for the region, Adam Coogle, who said in an interview that it was difficult to imagine who other than Jordan’s government would be interested in hacking those who were targeted.</p>
<p>The Jordanian government had no immediate comment on <span class="LinkEnhancement">Thursday’s report</span>.</p>
<p><span class="LinkEnhancement">In a 2022 report</span> detailing a much smaller group of Pegasus victims in Jordan, digital sleuths at the University of Toronto’s Citizen Lab identified two operators of the spyware it said may have been agents of the Jordanian government. A year earlier, <span class="LinkEnhancement">Axios reported</span> on negotiations between Jordan’s government and NSO Group.</p>
<p>“We believe this is just the tip of the iceberg when it comes to the use of Pegasus spyware in Jordan, and that the true number of victims is likely much higher,” Access Now said. Its Middle East and North Africa director, Marwa Fatafta, said at least 30 of 35 known targeted individuals were successfully hacked.</p>
<p>Citizen Lab <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://citizenlab.ca/2024/02/confirming-large-scale-pegasus-surveillance-of-jordan-based-civil-society" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">confirmed all but five of the infections</a></span>, with 21 victims asking to remain anonymous, citing the risk of reprisal. The rest were identified by Human Rights Watch, Amnesty International’s Security Lab, and the Organized Crime and Corruption Reporting Project.</p>
<p>NSO Group says it only sells to vetted intelligence and law enforcement agencies — and only for use against terrorists and serious criminals. But cybersecurity researchers who have tracked the spyware’s use in 45 countries have documented dozens of cases of politically motivated abuse of the spyware — from <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://apnews.com/article/mexico-pegasus-spyware-activists-press-freedom-army-76477e1d4e3e09250e20aa4896b1f9e1" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">Mexico</a></span> and <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://apnews.com/article/thailand-surveillance-nso-spyware-1081ac34cf80e15c048af8c2d1db0e33" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">Thailand</a></span> to <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://apnews.com/article/technology-business-software-spyware-jaroslaw-kaczynski-0c41a504e8fbdbb6b9b06f6869848a48" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">Poland</a></span> and <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://www.theguardian.com/world/2022/aug/19/british-judge-rules-dissident-ghanem-almasarir-can-sue-saudi-arabia-for-pegasus-hacking" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">Saudi Arabia.</a></span></p>
<p>An NSO Group spokesperson said the company would not confirm or deny its clients’ identities. NSO Group says it vets customers and investigates any report its spyware has been abused.</p>
<p>The U.S. government was unpersuaded and blacklisted the NSO Group in November 2021, when iPhone maker Apple Inc. sued it, calling its employees “amoral 21st century mercenaries who have created highly sophisticated cyber-surveillance machinery that invites routine and flagrant abuse.”</p>
<p>Those targeted in Jordan include Human Rights Watch’s senior researcher for Jordan and Syria, Hiba Zayadin. Both she and Coogle had received threat notifications from Apple on Aug. 29 that state-sponsored attackers had attempted to compromise their iPhones.</p>
<p>Coogle’s local, personal iPhone was successfully hacked in October 2022, he said, just two weeks after the human rights group <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://www.hrw.org/news/2022/09/18/jordan-government-crushes-civic-space" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">published a report</a></span> documenting the persecution and harassment of citizens organizing peaceful political dissent.</p>
<p>After that, Coogle activated <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://apnews.com/article/technology-hacking-apple-inc-spyware-ad4fb8df901b525d6fddc359670ce3a9" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">“Lockdown Mode”</a></span> on the iPhone, which Apple recommends for users at high risk.</p>
<p>Human Rights Watch said <span class="LinkEnhancement"><a class="Link AnClick-LinkEnhancement" href="https://www.hrw.org/news/2024/02/01/spyware-targets-human-rights-watch-staff-jordan" target="_blank" rel="noopener" data-gtm-enhancement-style="LinkEnhancementA">in a statement</a></span> Thursday that it had contacted NSO Group about the attacks and specifically asked it to investigate the hack of Coogle’s device “but has received no substantive response to these inquiries.”</p>
<p>Jordanian human rights lawyer Hala Ahed — known for defending women’s and workers’ rights and prisoners of conscience — was also targeted at least twice by Pegasus, successfully in March 2021 then unsuccessfully in February 2023, Access Now said.</p>
<p>About half of those found to have been targeted by Pegasus in Jordan — 16 in all — were journalists or media workers, the report said.</p>
<p>One veteran Palestinian-American journalist and columnist, Daoud Kuttab, was hacked with Pegasus three times between February 2022 and September 2023.</p>
<p>Along the way, he said, he’s learned important lessons about not clicking on links in messages purporting to be from legitimate contacts, which is how one of the Pegasus hacks snared him.</p>
<p>Kuttab refused to speculate about who might have targeted him.</p>
<p>“I always assume that somebody is listening to my conversations,” he said, as getting surveilled “comes with the territory” when you are a journalist in the Middle East.</p>
<p>But Kuttab does worry about his sources being compromised by hacks — and the violation of his privacy.</p>
<p>“Regardless of who did it, it’s not right to intervene into my personal, family privacy and my professional privacy.” <a href="https://apnews.com/article/jordan-hacking-pegasus-spyware-nso-group-99b0b1e4ee256e0b4df055f926349a43" target="_blank" rel="noopener">source</a></p>
</div>
<hr />
<h1 class="ao ap aq ar as at nx ny nz oa m" data-test="articleHeaderTitle">The NSO File: A Complete (Updating) List of Individuals Targeted With Pegasus Spyware</h1>
<p class="ob q r oc od oe of og oh oi oj ok ol om ac ae af ag" data-test="articleHeaderSubtitle">The Israeli-made Pegasus spyware is suspected of infecting over 450 phones targeted by clients of NSO, who range from Saudi Arabia to Mexican drug lords. Here’s a list of the confirmed Pegasus victims.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">The Israeli-made Pegasus spyware, sold by the cyberoffense firm NSO to state intelligence agencies around the world, has become infamous in recent years. Exploiting unknown loopholes in WhatsApp, iMessage and Android has allowed the group’s clients to potentially infect any smartphone and gain full access to it – in some cases without the owner even clicking or opening a file.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Digital forensics groups such as Amnesty International and the University of Toronto’s Citizen Lab have revealed numerous potential targets with traces of the spyware on their phones. Last summer, Project Pegasus – led by Paris-based NGO Forbidden Stories with the help of Amnesty’s Security Lab – organized an international consortium of journalists, including Haaretz and its sister publication TheMarker, to investigate thousands of additional potential targets selected for possible surveillance by <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/ty-tag/nso-0000017f-da35-d718-a5ff-fab5bc8e0000">NSO Group</a> clients worldwide.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">So far, targets have been found across the world: from India and Uganda to Mexico and the West Bank, with high-profile victims including U.S. officials and a New York Times journalist.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Now, for the first time, Haaretz has assembled a list of confirmed cases involving Pegasus spyware.</p>
<p data-test="articleHeaderSubtitle"><img loading="lazy" decoding="async" class="alignnone wp-image-18277" src="https://goodshepherdmedia.net/wp-content/uploads/2024/06/NSO-Group-Spyare-Pegasus.webp" alt="" width="681" height="681" srcset="https://goodshepherdmedia.net/wp-content/uploads/2024/06/NSO-Group-Spyare-Pegasus.webp 960w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/NSO-Group-Spyare-Pegasus-400x400.webp 400w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/NSO-Group-Spyare-Pegasus-150x150.webp 150w, https://goodshepherdmedia.net/wp-content/uploads/2024/06/NSO-Group-Spyare-Pegasus-768x768.webp 768w" sizes="(max-width: 681px) 100vw, 681px" /></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Though there have been over 450 suspected hacking cases, this list, which was put together with the help of Amnesty’s Security Lab, includes only the cases in which infections were confirmed either by Amnesty or another digital forensics group like Citizen Lab (which also helped construct this list). It also includes a few instances where official bodies such as French intelligence agencies or private firms like Apple or WhatsApp have publicly confirmed attacks.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">The list does not include those suspected of being targeted – for example, Amazon’s Jeff Bezos, who was reportedly sent the spyware via a WhatsApp message from no less than <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/ty-tag/mohammed-bin-salman-0000017f-da25-d718-a5ff-faa5ec430000">Saudi Crown Prince Mohammed bin Salman</a>. Rather, it is those who have actually been found with Pegasus on their phones.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">The NSO Group, which refuses to confirm the identity of its clients and claims it has no knowledge of their targets, has denied most of these cases and says digital forensic analysis cannot fully identify its software.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">The gap between the massive list of potential targets and those who were actually infected highlights how hard it is to confirm the presence of Pegasus spyware on phones. For instance, a private investigation commissioned by Bezos himself found that his phone had received a strange message from Crown Prince Mohammed, after which the tycoon’s device began sending out a lot of data. However, Bezos was reluctant to hand his phone over to anyone other than the handpicked investigators he had hired; they said it was very likely his phone had been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Here is the list of most, if not all, known and confirmed Pegasus cases. They are sorted by the nationality of the victims or their country of residence when they were targeted.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">The list of confirmed cases is followed by an additional list of names of those who have been confirmed to have been targeted but whose actual infection has not been verified.</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg wy m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="The NSO Group logo on one of its Israeli offices., Credit: AMIR COHEN/REUTERS" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=1280&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=1280&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=854&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=612&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=484&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=400&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=283&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b53f90000/e9/9f/1bf9f9b7b43a9dfae324e23168ea/49664937.jpg?precrop=2449,1633,x0,y0&amp;height=250&amp;width=375 375w" alt="The NSO Group logo on one of its Israeli offices." width="767" height="511" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">The NSO Group logo on one of its Israeli offices.</span><span class="ao pt rj dp dq qs qt">Credit: AMIR COHEN/REUTERS</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">AZERBAIJAN</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Khadija Ismayilova</strong><br />
The Azerbaijani investigative journalist based in Baku was targeted repeatedly for over three years as part of government persecution as a result of her work, <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-07-18/ty-article/.premium/nsos-pegasus-the-israeli-cyber-weapon-used-against-180-journalists/0000017f-dc8d-df62-a9ff-dcdfe86d0000">the Project Pegasus investigation revealed</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Sevinc Vaqifqizi</strong><br />
Freelance Azerbaijani journalist Vaqifqizi was found by Amnesty and Forbidden Stories to have had their phone infected with Pegasus in 2019 and 2020.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">BAHRAIN</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Moosa Abd-Ali</strong><br />
Moosa Abd-Ali is a Bahraini activist living in exile in London who was found to have been targeted in the past, with the Bahraini government hacking his personal computer in 2011. <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://citizenlab.ca/2021/08/bahrain-hacks-activists-with-nso-group-zero-click-iphone-exploits/">According to Citizen Lab</a>, Abd-Ali’s iPhone 8 appears to have been hacked with Pegasus at some point prior to September 2020.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Yusuf al-Jamri</strong><br />
A Bahraini blogger who says he was tortured by his government, Yusuf al-Jamri was granted asylum in the U.K. in 2018. According to Citizen Lab, Jamri’s iPhone 7 appears to have been hacked with Pegasus at some point prior to September 2019.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Seven rights activists</strong><br />
At least three members of the Bahrain Centre for Human Rights, another three from the nonprofit Waad and one from the group Al Wefaq were also infected, Citizen Lab found. At least another seven members of BCHR and the other groups were actually targeted, but their infection was not confirmed by Citizen Lab.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">EL SALVADOR</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Carlos Martínez</strong><br />
A reporter for El Faro, he was one of over 35 journalists and members of civil society groups infected by the Pegasus spyware between July 2020 and November 2021.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Daniel Lizárraga</strong><br />
A Mexican journalist and the editor of El Faro, who was expelled from El Salvador. Citizen Lab found that his phone had been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Nine El Faro journalists</strong><br />
The following journalists with El Faro were all found by Citizen Lab to have been infected by the Pegasus spyware: Gabriela Cáceres, Carlos Dada, Carlos Ernesto Martínez D’aubuisson, Julia Gavarrete (who had two phones hacked), Valeria Guzmán, Ana Beatriz Lazo, Rebeca Monge, Víctor Peña, Nelson Rauda.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">El Salvadorian journalists</strong><br />
Citizen Lab discovered that the following journalists were also infected with Pegasus: Efren Lemus, Gabriel Labrador, José Luis Sanz, María Luz Nóchez, Mauricio Ernesto Sandoval Soriano, Óscar Martínez, Roman Gressier, Roxana Lazo, Sergio Arauz, Beatriz Benitez, Ezequiel Barrera, Xenia Oliva, an unnamed journalist from Diario El Mundo, and Daniel Reyes.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Noah Bullock</strong><br />
The head of Cristosal, a human rights organization based in El Salvador, who was also found by Citizen Lab to have been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ricardo Avelar</strong><br />
A journalist with El Diario de Hoy. Citizen Lab confirmed that his device had been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Jose Marinero</strong><br />
An official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Xenia Hernandez</strong><br />
Another official with the activism group Fundación DTJ in El Salvador whose phone was found by Citizen Lab to have been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Oscar Luna</strong><br />
An activist with the digital rights group Revista Digital Disruptiva. Citizen Lab found that their phone had been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Mariana Belloso</strong><br />
An independent journalist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Carmen Tatiana Marroquín</strong><br />
An economist and columnist whose phone was found by Citizen Lab to have been infected by the Pegasus spyware.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">FINLAND</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Finnish diplomats</strong><br />
An unknown number of Finnish diplomats stationed abroad were found to have been infected, the Finnish Foreign Ministry confirmed. Their identities were not disclosed, nor was the suspected operator.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">FRANCE</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Bruno Delport</strong><br />
The phone of the director of Parisian radio station TSF Jazz was found by Citizen Lab to have been infected in 2019, just as he was applying for the presidency of Radio France.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Lénaïg Bredoux</strong><br />
The investigative journalist and general editor of Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus. Bredoux was involved in a story about the head of Morocco’s intelligence agency, a known NSO client.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Edwy Plenel</strong><br />
The investigative journalist with Mediapart was confirmed to have been infected by Pegasus. The confirmation was made by France’s computer security agency following Project Pegasus.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Unnamed France 24 journalist</strong><br />
A senior journalist with France 24 was confirmed to have been infected by Pegasus in May 2019, September 2020 and January 2021. That was confirmed by France’s computer security agency after Project Pegasus.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Claude Mangin</strong><br />
French national whose husband, Naama Asfari, is jailed in Morocco for advocating for Western Saharan independence. As part of Project Pegasus, it was found that <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.washingtonpost.com/technology/2021/07/19/apple-iphone-nso/">at least two of her phones were infected</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Arnaud Montebourg</strong><br />
A former minister in the government of Manuel Valls, Montebourg was targeted in 2019, most likely by Morocco, an analysis by Amnesty found. Montebourg has given testimony to ANSSI and its investigation into NSO in France.<br />
<strong class="dm">Suspected operator:</strong> Morocco</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">HUNGARY</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Dániel Németh</strong><br />
A Hungarian photojournalist involved in covering President Viktor Orbán and the country’s elites. Two of his phones were infected in 2021. Direkt36, working with Citizen Lab and Amnesty’s Security Lab, confirmed the infections.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Zoltán Páva</strong><br />
The former Hungarian politician, now the publisher of an opposition news website, was also infected by Pegasus in March and May 2021.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Adrien Beauduin</strong><br />
A gender studies student at Central European University in Hungary, Beauduin was confirmed to have had his phone infected after being arrested in a protest against Orbán’s policies.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Szabolcs Panyi</strong><br />
The journalist with Direkt36, which was a partner in the Pegasus Project, was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">András Szabó</strong><br />
An investigative journalist with Direkt36, Szabó’s phone was infected a number of times in 2019. The confirmation was made by Amnesty as part of the global investigation.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Brigitta Csikász</strong><br />
A Hungarian journalist covering crime stories, Csikász’s phone was infected in 2019 – which <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-07-18/ty-article/.premium/nsos-pegasus-the-israeli-cyber-weapon-used-against-180-journalists/0000017f-dc8d-df62-a9ff-dcdfe86d0000">was confirmed by Direkt36 and Amnesty</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">INDIA</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Jagdeep Singh Randhawa</strong><br />
Human rights lawyer and activist from Punjab <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://thewire.in/tech/punjab-pegasus-project-lawyers-police-brutality-uapa-surveillance">had his phone hacked in July and August 2019</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Mangalam Kesavan Venu</strong><br />
Founding editor of The Wire – a nonprofit Indian investigative journalism outlet that was part of the Project Pegasus investigation – was found to have been infected with the spyware.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Paranjoy Guha Thakurta</strong><br />
Investigative journalist who was looking into how the Modi government used Facebook to spread disinformation; Amnesty confirmed his phone had been infected by NSO’s spyware as part of the Project Pegasus investigation.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Prashant Kishor</strong><br />
A political pollster working with a number of opposition parties in India. His phone was infected in 2018, months before an election, Amnesty confirmed – in what critics say was an attempt by Modi’s party to use the spyware to collect political information.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Rona Wilson</strong><br />
An activist focused on minorities and prisoners’ rights. Digital forensics firm Arsenal Consulting found that his phone had been infected in July 2017 and April 2018. His phone number appeared in the Project Pegasus leaks.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Syed Abdul Rahman Geelani</strong><br />
Geelani (also known as SAR Geelani), a Delhi University professor serving time in India for ties to an outlawed Maoist group and prisoners’ rights activist, was found by Amnesty to have been infected between 2017 and 2019.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Sushant Singh</strong><br />
A journalist who covered defense issues for The Indian Express, and was investigating a massive deal between India and France, was found by Amnesty to have <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2021-07-22/ty-article/.premium/indian-journalists-on-target-list-for-pegasus-spyware-are-furious-at-israel/0000017f-e690-d97e-a37f-f7f529950000">been infected as part of Project Pegasus</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">S.N.M. Abdi</strong><br />
Journalist for India’s Outlook had his phone infected by Pegasus in April 2019, May 2019, July 2019, October 2019 and December 2019, Amnesty <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://thewire.in/media/pegasus-project-spyware-indian-journalists">found as part of Project Pegasus</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Bela Bhatia</strong><br />
An Indian human rights lawyer whose phone was found to have been infected in 2019, and who is one of five victims <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.nytimes.com/2019/11/09/technology/nso-group-spyware-india.html">who are part of WhatsApp’s suit against NSO</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Siddharth Varadarajan</strong><br />
An Indian investigative journalist who is the former editor of The Hindu and founding editor of The Wire, a Pegasus Project partner. He had his phone targeted with NSO-made spyware in April 2018. Forbidden Stories and Amnesty International’s Security Lab’s forensic analysis revealed he was successfully infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Unnamed legal officer</strong><br />
The legal officer was also confirmed to have been hacked with spyware <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-08-02/ty-article/.premium/in-first-israeli-spyware-found-on-u-k-phone-the-target-a-british-rights-lawyer/0000017f-dbc2-d856-a37f-ffc2dafe0000">following the Project Pegasus investigation</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ankit Grewal</strong><br />
The lawyer and so-called anti-caste activist was found to have been targeted in 2019 – one of a large group of victims named by WhatsApp in its suit against NSO.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2021-07-22/ty-article/.premium/indian-journalists-on-target-list-for-pegasus-spyware-are-furious-at-israel/0000017f-e690-d97e-a37f-f7f529950000">Read our full story on Pegasus in India</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">ISRAEL</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Shai Babad</strong><br />
A former director general of the Finance Ministry who was also a politician and also served in a senior position in Israel’s public broadcaster. Israeli business daily Calcalist said his phone had been infected with Pegasus by the Israel Police. All of the Israeli cases listed below <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2022-02-07/ty-article/israel-police-used-nsos-pegasus-spyware-against-top-govt-officials-journalists-and-activists/0000017f-e7ff-da9b-a1ff-efff62400000">are based on Calcalist reporting</a> that has yet to be confirmed or reviewed by Haaretz or international bodies.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Avi Berger</strong><br />
The former director general of the Communications Ministry and a witness in the ongoing Case 4000 trial against former Prime Minister Benjamin Netanyahu. Calcalist reported that Berger&#8217;s phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Aviram Elad</strong><br />
The former editor of Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company, the telecom giant Bezeq, in Case 4000. Calcalist said his phone was infected by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Iris Elovitch</strong><br />
The wife of Bezeq owner Shaul Elovitch; both are defendants in Case 4000. Her phone was infected with Pegasus by the Israel Police, Calcalist reported.</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xn m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Iris Elovitch looking at her iPhone in court with husband Shaul Elovitch last year. , Credit: Reuben Castro" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=1279&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=1279&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=853&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=612&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=484&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=400&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=283&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b55390000/94/28/1b67eabe072368c10c46d6bb2b15/3816799846.jpg?precrop=2200,1466,x0,y0&amp;height=250&amp;width=375 375w" alt="Iris Elovitch looking at her iPhone in court with husband Shaul Elovitch last year. " width="2200" height="1466" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Iris Elovitch looking at her iPhone in court with husband Shaul Elovitch last year. </span><span class="ao pt rj dp dq qs qt">Credit: Reuben Castro</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Keren Terner-Eyal</strong><br />
A former director general of the transportation and finance ministries, Terner-Eyal assumed the latter position after Babad left the role. Calcalist said her phone was infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Shlomo Filber</strong><br />
A former director general of the Communications Ministry, who was appointed by Netanyahu in 2015 and now serves as a key state&#8217;s witness in the Bezeq quid pro quo case. Filber was the first Israeli whose name was published by Calcalist as having been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Miriam Feirberg</strong><br />
The mayor of Netanya, who was suspected of corruption and investigated by the police until her case was closed in 2019. Calcalist said her phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Stella Handler</strong><br />
The former CEO of Bezeq was said by Calcalist to have been infected with Pegasus by the Israel Police. Handler is part of Case 4000.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Yair Katz</strong><br />
The chairman of the workers union at Israel Aerospace Industries and son of former Likud lawmaker Haim Katz was said by Calcalist to have been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Rami Levy</strong><br />
A prominent Israeli businessman famous for his low-cost supermarket chain who also owns a small telecom firm. Calcalist reported that his phone was infected with Pegasus by the Israel Police. He was investigated by the police in the past.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Topaz Luk</strong><br />
A former adviser to Netanyahu who is considered close to his son, Yair Netanyahu, and served a number of roles in past campaigns. He is also credited with key aspects of the then-prime minister’s media strategy. Calcalist said Luk’s phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Dudu Mizrahi</strong><br />
The CEO of Bezeq, who took over the telecom company after Handler. Calcalist said his device was infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Avner Netanyahu</strong><br />
The youngest son of former Prime Minister Benjamin Netanyahu. Calcalist reported that Avner Netanyahu’s phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Emi Palmor</strong><br />
A jurist and former director general of the Justice Ministry who currently serves on Facebook’s Advisory Board. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Yaakov Peretz</strong><br />
The mayor of Kiryat Ata, who was suspected of corruption in 2019 and investigated by the police until the case was closed in 2020. Calcalist reported that his phone had been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Moti Sasson</strong><br />
The six-term mayor of the Tel Aviv suburb of Holon was another mayor whose phone was infected with Pegasus by the Israel Police, according to Calcalist.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ilan Yeshua</strong><br />
The CEO of the news website Walla, which allegedly provided Netanyahu with better coverage in a quid pro quo involving its parent company Bezeq. Yeshua is also part of Case 4000 and was infected with Pegasus by the Israel Police, Calcalist reported.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Jonatan Urich</strong><br />
A former adviser to Benjamin Netanyahu and considered close to his son, Yair. He served a number of roles in various electoral campaigns and is credited with key aspects in Netanyahu’s media strategy. Urich, whose phone was hacked by Israeli police as part of an investigation, was also said by Calcalist to have been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Walla journalists</strong><br />
As part of Case 4000, a number of journalists with the news site were said by Calcalist to have been infected with Pegasus by the Israel Police.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Protest leaders</strong><br />
The leaders of three protest movements were said by Calcalist to have been infected with Pegasus by the Israel Police. The protest movements targeted were: Israelis with disabilities; Israelis of Ethiopian descent; and heads of the anti-Netanyahu protests. The first were fighting for better rights, the second demonstrated against police violence and the third sought to oust Netanyahu.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Extreme settlers</strong><br />
A number of extreme settlers were said by Calcalist to have been infected with Pegasus by the Israel Police ahead of the evacuations of illegal outposts.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><em class="un"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2022-02-07/ty-article/.premium/israel-polices-spyware-scandal-politicians-demand-commission-of-inquiry/0000017f-e7d8-df5f-a17f-ffde9b610000">Read our full story on Pegasus in Israel</a></strong></em></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">JORDAN</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Hala Ahed Deeb</strong><br />
Jordanian human rights lawyer, unionizer and feminist activist was found by Front Line Defenders <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/middle-east-news/2022-01-17/ty-article/.premium/israeli-nso-spyware-found-on-phones-of-jordanian-bahraini-womens-rights-activists/0000017f-e17f-df7c-a5ff-e37f6bfe0000">to have been infected with Pegasus since March 2021</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ahmed al-Neimat</strong><br />
A rights activist focused on workers’ rights and combating corruption. He works with a reform group called Hirak and has been targeted in the past, facing arrest for “insulting the king” and even a travel ban. <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.frontlinedefenders.org/en/statement-report/report-jordanian-human-rights-defenders-and-journalists-hacked-pegasus-spyware">Front Line Defenders</a> and <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://citizenlab.ca/2022/04/peace-through-pegasus-jordanian-human-rights-defenders-and-journalists-hacked-with-pegasus-spyware/">Citizen Lab found</a> his phone was hacked at the end of January 2021, likely through the FORCEDENTRY exploit, <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2022-04-05/ty-article/.premium/especially-remarkable-jordanian-activists-hacked-with-israeli-pegasus-spyware/00000180-5bb9-dee0-afd6-7bfdf16f0000">making him the earliest victim of that particular method</a>. His phone was likely hacked using the exploit’s zero-click capabilities.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Suhair Jaradat</strong><br />
A rights activist and journalist focused on women’s rights in Jordan and the Arab world who serves on the executive committee of the International Federation for Journalists. She was hacked six times between February and December 2021, through the FORCEDENTRY exploit in iPhones. The last hack took place after Apple had patched the breach, informed potential victims across the world and sued NSO. Jaradat did not update her phone and was thus still exposed.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Malik Abu Orabi</strong><br />
A rights lawyer who works with prominent Jordanian unions and was previously arrested by the state for his efforts. He was hacked at least 21 times between August 2019 and July 2021.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Anonymous journalist</strong><br />
A female journalist was also hacked, Front Line Defenders and Citizen Lab found. She requested to remain anonymous.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2022-04-05/ty-article/.premium/especially-remarkable-jordanian-activists-hacked-with-israeli-pegasus-spyware/00000180-5bb9-dee0-afd6-7bfdf16f0000"><strong class="dm">Read our full story on Pegasus in Jordan</strong></a></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">KAZAKHSTAN</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Aizat Abilseit, Dimash Alzhanov and Tamina Ospanova</strong><br />
Three members of the opposition group Wake Up, Kazakhstan whose phones were found by Amnesty’s Security Lab to have been infected by Pegasus in June 2021. Apple also warned them about the hack, which it attributed to a “state-sponsored attacker.”</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Darkhan Sharipov</strong><br />
The Kazakh activist’s phone was also found by Amnesty to have been infected by Pegasus in June 2021.<br />
<strong class="dm">Suspected operator:</strong> Kazakhstan</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2022-01-09/ty-article/israeli-nso-spyware-found-on-kazakhstan-activists-phones/0000017f-e48a-d568-ad7f-f7eb86f30000">Read our full story on Pegasus in Kazakhstan</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">LEBANON</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Lama Fakih</strong><br />
Human Rights Watch’s crisis and conflict director also heads the group’s Beirut office. She was targeted with Pegasus spyware at least five times between April and August 2021, HRW and Amnesty International’s Security Lab found.<br />
<strong class="dm">Suspected operator:</strong> Unknown</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2022-01-26/ty-article/human-rights-watch-official-in-beirut-reportedly-targeted-by-israeli-nso-spyware/0000017f-db87-db5a-a57f-dbef14a50000">Read our full story</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">MOROCCO</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Hicham Mansouri</strong><br />
Freelance investigative journalist and co-founder of the Moroccan Association of Investigative Journalists had his iPhone infected with Pegasus more than 20 times between February and April 2021, the Project Pegasus investigation revealed. Mansouri fled Morocco in 2016 and is now based in Paris.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Mahjoub Mleiha</strong><br />
A human rights activist from Western Sahara who is active in the Collective of Sahrawi Human Rights Defenders. He now lives in Belgium, where he is also a citizen. Amnesty found that his phone had been infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Joseph Breham</strong><br />
A French lawyer who is involved in a lawsuit against Saudi Crown Prince Mohammed over claims of torture and inhumane treatment in Yemen. Amnesty confirmed that his phone had been infected with Pegasus using the same type of messages <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/middle-east-news/2018-04-10/ty-article/rights-group-files-lawsuit-against-saudi-prince-over-yemen/0000017f-dc26-df62-a9ff-dcf715ef0000">other alleged victims in Morocco also received</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Oubi Buchraya Bachir</strong><br />
Sahrawi diplomat who has served as its representative in a number of African countries. Amnesty confirmed as part of Project Pegasus that his phone was infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Maati Monjib</strong><br />
Founder of the Moroccan Association for Investigative Journalism and the NGO Freedom Now (dedicated to protecting the rights of journalists and writers), Amnesty found that <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.amnesty.org/en/latest/research/2019/10/morocco-human-rights-defenders-targeted-with-nso-groups-spyware/">his phone had been infected in 2019</a>.</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xo m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Shawan Jabarin, director of the al-Haq human rights group. One of the Palestinian NGO's workers' phones was infected by Pegasus., Credit: Majdi Mohammed/AP" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=853&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=612&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=484&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=400&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=283&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b56630000/2d/e7/660058a0b05823fd990dfcd65d6b/3505054613.jpg?precrop=2448,1632,x0,y0&amp;height=250&amp;width=375 375w" alt="Shawan Jabarin, director of the al-Haq human rights group. One of the Palestinian NGO's workers' phones was infected by Pegasus." width="2448" height="1632" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Shawan Jabarin, director of the al-Haq human rights group. One of the Palestinian NGO&#8217;s workers&#8217; phones was infected by Pegasus.</span> <span class="ao pt rj dp dq qs qt">Credit: Majdi Mohammed/AP</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Omar Radi</strong><br />
An independent, award-winning Moroccan journalist whose phone was <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2020-06-22/ty-article/.premium/israels-nso-helped-moroccan-govt-spy-on-journalist-amnesty-claims/0000017f-f4fb-d5bd-a17f-f6fb56ad0000">found by Amnesty to have been infected in 2019</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Aboubakr Jamaï</strong><br />
Jamaï is a journalist who has long inspired the ire of Morocco’s royal family. Citizen Lab together with <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.accessnow.org/nso-whatsapp-hacking-victims-stories/">Access Now found</a> his phone had been infected with Pegasus after materials on it were leaked online in an attempt to tarnish Jamaï and his associates.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Fouad Abdelmoumni</strong><br />
A Moroccan human rights and democracy activist who works with Human Rights Watch and Transparency International Morocco, Abdelmoumni’s phone was found to have been infected, most likely by the Moroccan intelligence services. Citizen Lab investigated the hacking after being commissioned by WhatsApp.<br />
<strong class="dm">Suspected operator:</strong> Morocco</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">PALESTINIAN TERRITORIES (WEST BANK)</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ghassan Halaika</strong><br />
Human rights activist working for Al-Haq, a Palestinian NGO blacklisted by Israel, whose phone was infected in July 2020. The confirmation was made by human rights organization Front Line Defenders.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ubai Aboudi</strong><br />
The phone of the director of the Bisan Center for Research and Development, a Palestinian NGO blacklisted by Israel, was infected in 2020, Front Line Defenders confirmed.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Salah Hammouri</strong><br />
Lawyer and researcher with the Addameer Prisoner Support and Human Rights Association, a Palestinian NGO blacklisted by Israel, whose phone was infected in 2020, according to Front Line Defenders.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Three unnamed activists</strong><br />
The phones of three activists working with Palestinian NGOs blacklisted by Israel were infected in 2020, Front Line Defenders confirmed.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Suspected operator in all six cases:</strong> Israel</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xp m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Polish prosecutor Ewa Wrzosek holding her phone outside her Warsaw office last month., Credit: Czarek Sokolowski/AP" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=1319&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=1319&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=989&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=880&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=706&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=631&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=499&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=412&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=292&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57260000/53/d2/6981af6a80c18fd096f7509901ad/4151779654.jpg?precrop=2362,1623,x0,y0&amp;height=258&amp;width=375 375w" alt="Polish prosecutor Ewa Wrzosek holding her phone outside her Warsaw office last month." width="2362" height="1623" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Polish prosecutor Ewa Wrzosek holding her phone outside her Warsaw office last month.</span> <span class="ao pt rj dp dq qs qt">Credit: Czarek Sokolowski/AP</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2021-11-08/ty-article/.highlight/nso-spyware-used-against-palestinian-activists-in-blacklisted-ngos-report-says/0000017f-ded8-d3a5-af7f-fefe14b60000">Read our full story on Pegasus in the West Bank</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">POLAND</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Krzysztof Brejza</strong><br />
Polish senator and member of the opposition party Civic Platform whose phone was confirmed to have been infected over 30 times in 2019. The confirmation was made by Citizen Lab and reported by AP.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Roman Giertych</strong><br />
A lawyer who has represented leaders of Brejza’s Civic Platform party in sensitive cases, and was confirmed to have been infected over 10 times in 2019. The confirmation was made by Citizen Lab.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ewa Wrzosek</strong><br />
The phone of the prosecutor and critic of the ruling Law and Justice party’s attempt to undermine Poland’s judiciary was confirmed to have been infected a number of times in 2019. The confirmation was made by Citizen Lab after she received a notification from Apple warning that her phone had been hacked.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Michal Kolodziejczak</strong><br />
The agrarian social movement leader was hacked several times in May 2019 ahead of a fall election in which Kolodziejczak was hoping to have his group, AGROunia, become a formal political party. Courts have so far blocked his efforts to form a political party.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Tomasz Szwejgiert</strong><br />
An author and collaborator with Polish secret services who found himself at odds with powerful figures was hacked while co-authoring a book about the head of Poland’s secret services, Mariusz Kaminski. He was hacked 21 times with Pegasus from late March to June 2019.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Suspected operator in all cases:</strong> Poland</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2022-01-03/ty-article/.highlight/poland-reportedly-purchased-pegasus-spyware-after-netanyahu-meeting/0000017f-f7c6-d47e-a37f-fffe908b0000">Read our full story on Pegasus in Poland</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">RWANDA</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Carine Kanimba</strong><br />
A U.S.-Belgian citizen, Kanimba is the daughter of Rwandan activist Paul Rusesabagina, who was arrested and forcibly returned to the country. Her father’s plight inspired the 2004 movie “Hotel Rwanda” and she was confirmed by Amnesty to have been hacked at the start of 2021.</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xq m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Hatice Cengiz, fiancee of the murdered Saudi journalist Jamal Khashoggi, talking to the media last year., Credit: MURAD SEZER/REUTERS" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=1263&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=1263&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=947&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=842&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=676&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=604&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=477&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=395&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=279&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b57ae0000/c3/9f/f64a8798b7c385460d2976f6ef05/1080774000.jpg?precrop=2465,1621,x0,y0&amp;height=247&amp;width=375 375w" alt="Hatice Cengiz, fiancee of the murdered Saudi journalist Jamal Khashoggi, talking to the media last year." width="2465" height="1621" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Hatice Cengiz, fiancee of the murdered Saudi journalist Jamal Khashoggi, talking to the media last year.</span> <span class="ao pt rj dp dq qs qt">Credit: MURAD SEZER/REUTERS</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Peter Verlinden</strong><br />
The Belgian journalist stationed in Africa has worked for the national Flemish broadcaster VRT. Belgian intelligence services and Amnesty found that his phone had been infected in September, October and November 2020.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Marie Bamutese</strong><br />
The phone of Peter Verlinden’s wife was also found to have been hacked. This was confirmed <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.theguardian.com/news/2021/jul/19/hotel-rwanda-activist-daughter-pegasus-surveillance">by Belgium&#8217;s General Intelligence and Security Service</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Placide Kayumba</strong><br />
A Rwandan activist and member of the opposition in exile, Kayumba was found to have been targeted as part of an investigation by Citizen Lab commissioned by WhatsApp into hacking of its clients.<br />
<strong class="dm">Suspected operator:</strong> Rwanda</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">SAUDI ARABIA</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Hatice Cengiz</strong><br />
The Turkish national was the fiancée of the late Washington Post columnist Jamal Khashoggi, and her phone was infected a few days after her partner was murdered at the Saudi Embassy in Istanbul in October 2018 – as revealed by Amnesty as part of Pegasus Project.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Omar Abdulaziz</strong><br />
A close friend of Khashoggi’s, Abdulaziz’s phone was infected with Pegasus in the months before the Saudi dissident’s murder in 2018, Citizen Lab found. Based in Canada, <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.theguardian.com/world/2021/jul/18/nso-spyware-used-to-target-family-of-jamal-khashoggi-leaked-data-shows-saudis-pegasus">he has filed a lawsuit against NSO in Israel</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Wadah Khanfar</strong><br />
Al Jazeera’s former director general and another close friend of Khashoggi, Amnesty found that his phone was infected as recently as July 2021.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ragip Soylu</strong><br />
A Turkish journalist who heads Middle East Eye’s bureau in Ankara. <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.middleeasteye.net/news/pegasus-israel-spyware-target-turkey-middle-east-eye-journalist">Amnesty confirmed that his phone was infected</a> several times between February and July 2021.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ben Hubbard</strong><br />
The phone of the New York Times journalist <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://citizenlab.ca/2021/10/breaking-news-new-york-times-journalist-ben-hubbard-pegasus/">was confirmed by Citizen Lab</a> to have been infected between June 2018 and June 2021 while he was based in Lebanon, reporting on Saudi Arabia and writing a book about Crown Prince Mohammed.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Suspected operator in all cases:</strong> Saudi Arabia</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm"><a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-07-18/ty-article/.premium/khashoggis-fiancee-son-targeted-by-nso-tech-investigation-reveals/0000017f-dc92-db5a-a57f-dcfa206c0000">Read our full story on Pegasus in Saudi Arabia</a></strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">TOGO</strong></mark></p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg wy m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Egyptian dissident Ayman Nour speaking in Istanbul in 2019. , Credit: Burhan Ozbilici/AP" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=1280&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=1280&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=854&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=612&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=484&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=400&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=283&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b583e0000/9c/b3/60a930e89c6a7995473a84df4a10/339729093.jpg?precrop=2449,1633,x0,y0&amp;height=250&amp;width=375 375w" alt="Egyptian dissident Ayman Nour speaking in Istanbul in 2019. " width="2449" height="1633" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Egyptian dissident Ayman Nour speaking in Istanbul in 2019. </span><span class="ao pt rj dp dq qs qt">Credit: Burhan Ozbilici/AP</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Father Pierre Marie-Chanel Affognon</strong><br />
A Catholic priest from Togo who is an anti-corruption activist fighting for constitutional and electoral reform in the West African country. An investigation by Citizen Lab commissioned by WhatsApp into the hacking of its clients found his phone was infected.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">UNITED ARAB EMIRATES</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Alaa al-Siddiq</strong><br />
Executive director of ALQST, a nonprofit advocating for human rights in the UAE and the Gulf region. Her phone was found to have been infected a number of times from 2015, when she was living in Qatar (where she had moved to flee persecution), until 2019, when she had relocated to Britain. She died in a car crash in 2021. Citizen Lab confirmed the hacking.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Abdulaziz Alkhamis</strong><br />
The former editor of Al Arab, Alkhamis was hacked as part of a showcase NSO organized for the UAE. According to a lawsuit filed on behalf of Alkhamis, the UAE, which had been an NSO client since 2014, was offered an expensive upgrade of the Pegasus spyware. To show the new product’s value, <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2018-08-31/ty-article/uae-used-israeli-spyware-to-track-qatari-royals/0000017f-f2b9-d5bd-a17f-f6bb091f0000">NSO emailed two audio recordings of Alkhamis to Emirati officials, the New York Times reported in 2018</a>.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ayman Nour</strong><br />
Egyptian dissident, 2005 Egyptian presidential candidate and opposition activist. Citizen Lab found his phone had been <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/2021-12-17/ty-article/two-israeli-spyware-firms-hacked-dissidents-phones-in-egypt-india/0000017f-ed9b-d639-af7f-eddf0b8f0000">infected by Pegasus, as well as an additional spyware</a> called Predator – which was developed by NSO competitor Cytrox.<br />
<strong class="dm">Suspected operator:</strong> UAE</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Rania Dridi</strong><br />
A journalist with Alaraby TV, she had her phone infected at least six times during 2020, as confirmed by Citizen Lab.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Tamer Almisshal</strong><br />
Investigative journalist for Al Jazeera in Arabic who has covered the Gulf region extensively, including the Khashoggi killing. His phone was infected in 2020, Citizen Lab confirmed.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Ebtisam al-Saegh</strong><br />
Bahraini human rights activist focused on women’s rights. Front Line Defenders found that <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/middle-east-news/2022-01-17/ty-article/.premium/israeli-nso-spyware-found-on-phones-of-jordanian-bahraini-womens-rights-activists/0000017f-e17f-df7c-a5ff-e37f6bfe0000">her phone was hacked at least eight times</a> between August and November 2019. Saegh had been arrested in Bahrain for her activism in the past and has faced persecution for her work.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">34 Al Jazeera staffers</strong><br />
The phones of 34 other journalists, producers, anchors and executives at Al Jazeera were confirmed to have been infected in 2020, Citizen Lab reported.<br />
<strong class="dm">Suspected operator:</strong> Saudi Arabia, Bahrain and/or the UAE</p>
<div class="q r gl xa xb go gp xc xd xe xf xg xh fp fq xi fs ft xj xk ah fj fk fl fm fn fo xl gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xo m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Mexican President Andres Manuel Lopez Obrador speaking last July about being targeted by the previous administration of President Enrique Pena Nieto after it purchased Pegasus spyware from NSO., Credit: MEXICO'S PRESIDENCY / REUTERS" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920" sizes="(min-width: 80em) 1232px,(min-width: 64em) 978px,(min-width: 48em) 660px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=853&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=512&amp;width=768 768w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=400&amp;width=600 600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=283&amp;width=425 
425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b58e90000/c2/d2/b22012fdb5078280ec8f54f2ac74/1533837127.jpg?precrop=2448,1632,x0,y0&amp;height=250&amp;width=375 375w" alt="Mexican President Andres Manuel Lopez Obrador speaking last July about allegedly being targeted by the previous administration of President Enrique Pena Nieto after it purchased Pegasus spyware from NSO." width="2448" height="1632" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Mexican President Andres Manuel Lopez Obrador speaking last July about being targeted by the previous administration of President Enrique Pena Nieto after it purchased Pegasus spyware from NSO.</span><span class="ao pt rj dp dq qs qt">Credit: MEXICO&#8217;S PRESIDENCY / REUTERS</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">UNITED KINGDOM</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">David Haigh</strong><br />
The <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-08-02/ty-article/.premium/in-first-israeli-spyware-found-on-u-k-phone-the-target-a-british-rights-lawyer/0000017f-dbc2-d856-a37f-ffc2dafe0000">human rights lawyer and LGBTQ activist</a> who represented Princess Latifa of Dubai was the first British target confirmed to have been infected by Pegasus. He supplied Amnesty with his phone in the wake of Project Pegasus.</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">Anas Altikriti</strong><br />
Muslim anti-war activist based in the U.K. whose phone was confirmed to have been infected with Pegasus. His interfaith think tank, the Cordoba Foundation, has been accused of maintaining ties with the Muslim Brotherhood and Hamas.<br />
<strong class="dm">Suspected operator:</strong> UAE</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><mark class="uz"><strong class="dm">UNITED STATES</strong></mark></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">11 unnamed U.S. officials</strong><br />
Eleven officials with the U.S. State Department in Uganda <a class="uo up uq ur lk us ut uu uv uw ux uy qb ix lx ly" href="https://www.haaretz.com/israel-news/tech-news/2021-12-05/ty-article/.premium/targeting-u-s-officials-could-mean-death-sentence-for-israeli-nso/0000017f-f7da-d2d5-a9ff-f7de3c070000">were confirmed to have been hacked with Pegasus</a>. The revelation led to a U.S. Department of Commerce decision last November to blacklist NSO.<br />
<strong class="dm">Suspected operator:</strong> Uganda or Rwanda</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv"><strong class="dm">LIST OF THOSE WHO HAVE ALSO BEEN TARGETED BY PEGASUS:</strong></p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ahmed Mansoor (Emirati human rights activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Rafael Cabrera (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Dr. Simon Barquera (Mexican researcher)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Alejandro Calvillo (Mexican whistleblower)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Luis Encarnación (Mexican activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Karla Micheel Salas (Mexican human rights lawyer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">David Peña (Mexican human rights lawyer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Carmen Aristegui (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Emilio Aristegui (son of Carmen Aristegui)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Sebastián Barragán (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Carlos Loret de Mola (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Salvador Camarena (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Daniel Lizárraga (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Mario E. Patrón (Mexican human rights activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Stephanie Brewer (U.S. human rights activist working in Mexico)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Santiago Aguirre (Mexican human rights activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Juan Pardinas (Mexican anti-corruption activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Juan Pardinas’s wife</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Alexandra Zapata (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Azam Ahmed (former New York Times bureau chief for Mexico)</p>
<div class="q r gl gm gn go gp gq gr gs gt gu gv fp fq fr fs ft fu fv ah fj fk fl fm fn fo gw gx gy gz ha hb ac ae af ag">
<figure class="} m ev f pt py">
<div class="eg m pu">
<div class="qg xo m f qk"><img loading="lazy" decoding="async" class="hx bu ei hi f ql qm qn qo auw id aux auy" title="Family members and supporters of 43 missing college students from Guerrero state. Mexico, carrying pictures of the disappeared, during an event in April 2016., Credit: AP Photo/Rebecca Blackwell" src="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920" sizes="(min-width: 80em) 602px,(min-width: 64em) 594px,(min-width: 48em) 564px,(min-width: 37.5em) 576px,calc(100vw - 24px)" srcset="https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=1280&amp;width=1920 1920w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=960&amp;width=1440 1440w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=853&amp;width=1280 1280w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=685&amp;width=1028 1028w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=612&amp;width=918 918w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=484&amp;width=726 726w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=400&amp;width=600 
600w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=283&amp;width=425 425w,https://img.haarets.co.il/bs/0000017f-ed7a-d3be-ad7f-ff7b59930000/94/37/fa2bd5182a826c3c7d0f875f82bc/2137023998.jpg?precrop=2448,1632,x0,y0&amp;height=250&amp;width=375 375w" alt="Family members and supporters of 43 missing college students from Guerrero state. Mexico, carrying pictures of the disappeared, during an event in April 2016." width="2448" height="1632" data-test="articleBodyImage" /></div>
</div>
<div class="qq qr db dm ie dn wz dp dq qs qt dv dw"><span class="qp">Family members and supporters of 43 missing college students from Guerrero state, Mexico, carrying pictures of the disappeared, during an event in April 2016.</span><span class="ao pt rj dp dq qs qt">Credit: AP Photo/Rebecca Blackwell</span></div>
</figure>
</div>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ricardo Anaya Cortés (Mexican lawyer/politician)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Sen. Roberto Gil Zuarth (Mexican senator)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Fernando Rodríguez Doval (Mexican politician)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Claudio X. González (Mexican anti-corruption activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">GIEI investigation (Mexican probe into mass disappearances)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ghanem Almasarir (Saudi dissident)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Yahya Assiri (Saudi activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Unnamed Amnesty International employee</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Abdessadak El Bouchattaoui (Moroccan journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Griselda Triana (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Nihalsing Rathod (Indian human rights lawyer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Priyanka Gandhi Vadra (General secretary, Indian National Congress)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Santosh Bhartiya (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Shubhranshu Choudhary (Indian peace activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Unnamed U.K. lawyer</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Shalini Gera (Indian lawyer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Degree Prasad Chauhan (Indian human rights activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Anand Teltumbde (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ashish Gupta (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Seema Azad (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Vivek Sundara (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Saroj Giri (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Sidhant Sibal (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Rajeev Sharma (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Rupali Jadhav (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Jagdish Meshram (Indian lawyer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Alok Shukla (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ajmal Khan (Indian research scholar)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Balla Ravindranath (Indian lawyer/activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Mandeep Singh (Indian activist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">P. Pavana (Indian, daughter of activist P. Varavara Rao)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Arunank (Indian law graduate)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Smita Sharma (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Hanan Elatr (wife of Jamal Khashoggi)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Jorge Carrasco (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Álvaro Delgado Gómez (Mexican journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Princess Latifa al Maktoum (daughter of the prime minister of the UAE)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Princess Haya bint Hussein (estranged wife of the prime minister of the UAE)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Juan Mayer (aerial photographer who recorded Princess Latifa’s skydives)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Lynda Bouchikhi (Princess Latifa’s officially sanctioned chaperone)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Sioned Taylor (friend of Princess Latifa)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Martin Smith (head of U.K. private security firm hired by Princess Haya)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Shimon Cohen (British PR expert)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Ross Smith (head of investigations at U.K. private security firm hired by Princess Haya)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">John Gosden (British horse trainer, friend of Princess Haya)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Aisha bint Hussein (half sister of Princess Haya)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Stuart Page (British private investigator)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">K.K. Sharma (former Indian Border Security Force chief)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Jagdish Maithani (Indian Border Security Force officer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Jitendra Kumar Ojha (former Indian espionage officer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Jitendra Kumar Ojha’s wife</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Col. Mukul Dev (former Indian army officer)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Rupesh Kumar Singh (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Rupesh Kumar Singh’s wife</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Devirupa Mitra (Indian diplomatic correspondent)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Vijaita Singh (Indian journalist)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Bishop Benoit Alowonou (Togolese clergyman)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Elliott Ohin (Togolese opposition figure)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Raymond Houndjo (Togolese opposition figure)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">Roger Torrent (Catalan parliamentary speaker)</p>
<p class="py vd ve vf vg vh go gn gm vi vj vk vl r q vm fy fz gb gc gd ge ah fj fk fl fm fn fo fp fq fr fs ft fu fv gp gq gr gs gt gu gv">A Complete (Updating) List of Individuals Targeted With Pegasus Spyware Plus 1,400 other potential targets who WhatsApp believes were hacked.</p>
<p>&nbsp;</p>
<p><a href="https://www.haaretz.com/israel-news/tech-news/2022-04-05/ty-article-magazine/nso-pegasus-spyware-file-complete-list-of-individuals-targeted/0000017f-ed7a-d3be-ad7f-ff7b5a600000" target="_blank" rel="noopener">source</a></p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>NSA sets 2035 deadline for adoption of post-quantum cryptography across national security systems</title>
		<link>https://goodshepherdmedia.net/nsa-sets-2035-deadline-for-adoption-of-post-quantum-cryptography-across-national-security-systems/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Sun, 02 Jun 2024 07:44:09 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[Digital Pioneers]]></category>
		<category><![CDATA[Disaster]]></category>
		<category><![CDATA[Hackers / Master Programmers]]></category>
		<category><![CDATA[Hardware Pioneers]]></category>
		<category><![CDATA[Laws]]></category>
		<category><![CDATA[Legal News The Motivation]]></category>
		<category><![CDATA[Man Made]]></category>
		<category><![CDATA[North America]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Science & Engineering]]></category>
		<category><![CDATA[Software Pioneers]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Tragic]]></category>
		<category><![CDATA[🌍World Stage🌍]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[💻Tech History]]></category>
		<category><![CDATA[🔐Cybersecurity]]></category>
		<category><![CDATA[🔐Hacking Technology]]></category>
		<category><![CDATA[🤖 AI Artificial Intelligence]]></category>
		<category><![CDATA[NSA]]></category>
		<category><![CDATA[NSA deadline]]></category>
		<category><![CDATA[NSA deadline for adoption of post-quantum cryptography]]></category>
		<category><![CDATA[post-quantum cryptography]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=18044</guid>

					<description><![CDATA[NSA sets 2035 deadline for adoption of post-quantum cryptography across national security systems The intelligence agency expects traditional networking equipment to comply with the new standards by 2030. (Scoop News Group photo) The National Security Agency in new guidance Wednesday said it expects the owners and operators of national security systems to start using post-quantum [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 class="single-article__title">NSA sets 2035 deadline for adoption of post-quantum cryptography across national security systems</h1>
<h2 class="single-article__excerpt">The intelligence agency expects traditional networking equipment to comply with the new standards by 2030.</h2>
<header class="single-article__header ">
<div class="single-article__cover-wrap">
<figure class="single-article__cover"><img loading="lazy" decoding="async" class="single-article__cover-image wp-post-image" src="https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?w=1200" sizes="(max-width: 1200px) 100vw, 1200px" srcset="https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg 1920w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=300,160 300w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=768,410 768w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=1024,546 1024w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=1536,819 1536w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=600,320 600w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=1200,640 1200w, https://fedscoop.com/wp-content/uploads/sites/5/2019/03/nsa-rsa-2019.jpg?resize=1500,800 1500w" alt="NSA, National Security Agency, RSA 2019" width="1200" height="640" /><figcaption>(Scoop News Group photo)</figcaption></figure>
</div>
</header>
<div class="single-article__content">
<div class="single-article__content-inner has-drop-cap">
<p>The National Security Agency in new guidance Wednesday said it expects the owners and operators of national security systems to start using post-quantum algorithms by 2035.</p>
<p>In an <a href="https://www.nsa.gov/Press-Room/News-Highlights/Article/Article/3148990/nsa-releases-future-quantum-resistant-qr-algorithm-requirements-for-national-se/">advisory note</a>, the intelligence agency recommended that vendors start preparing for the new technology requirements but acknowledged that some quantum-resistant algorithms have yet to be approved for use.</p>
<p>Prior to full adoption within the intelligence community and U.S. military, the new algorithmic standards will be approved by the National Institute of Standards and Technology and the National Information Assurance Partnership.</p>
<p>The memorandum includes <a href="https://media.defense.gov/2022/Sep/07/2003071747/-1/-1/0/CSA_CNSA_2.0_ALGORITHMS.PDF">Commercial National Security Algorithm Suite 2.0</a> — a new set of cryptographic standards from the agency — and comes amid rising concern about the potential for foreign adversaries to use advanced computing technology to break the public-key cryptography that for years has secured most federal systems.</p>
<p>Alongside the overall 2035 deadline, NSA said it expected the timeframe for the adoption of post-quantum algorithms to vary between technologies, and issued a range of additional milestones it expects the intelligence community and its vendors to hit.</p>
<p>According to the advisory, NSA expects that software and firmware signing for national security systems will exclusively use Commercial National Security Algorithm Suite 2.0 by 2030.</p>
<p>The agency also expects that traditional networking equipment such as virtual private networks and routers will adopt the new standards by 2030, and that web browsers, servers and cloud services will exclusively use the new algorithms by 2033.</p>
<p>NSA’s new guidance comes after the National Institute of Standards and Technology <a href="https://fedscoop.com/nist-chooses-4-quantum-resistant-algorithms/">in July chose four quantum-resistant cryptographic algorithms</a> it will standardize to protect sensitive data from quantum computers.</p>
<blockquote><p><em>At the time, <a href="https://fedscoop.com/tag/national-institute-of-standards-and-technology-nist/">NIST</a> selected the <a href="https://pq-crystals.org/kyber/index.shtml">CRYSTALS-Kyber</a> algorithm for general encryption of data exchanged across public networks and the <a href="https://pq-crystals.org/dilithium/index.shtml">CRYSTALS-Dilithium</a>, <a href="https://falcon-sign.info/">FALCON</a> and <a href="https://sphincs.org/">SPHINCS+</a> algorithms for digital signatures used to verify identities often during transactions.</em></p></blockquote>
<p>The standards agency continues to consider four alternative algorithms with different approaches for general encryption, should others prove vulnerable to quantum computers in the long run.</p>
<p>Commenting on the new guidance, NSA Director of Cybersecurity Rob Joyce said: “This transition to quantum-resistant technology in our most critical systems will require collaboration between government, National Security System owners and operators, and industry.”</p>
<p>He added: “Our hope is that sharing these requirements now will help efficiently operationalize these requirements when the time comes. We want people to take note of these requirements to plan and budget for the expected transition, but we don’t want to get ahead of the standards process.” <a href="https://fedscoop.com/nsa-sets-2035-deadline-for-adoption-of-post-quantum-cryptography-across-natsec-systems/" target="_blank" rel="noopener">source</a></p>
</div>
</div>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>US Navy Automated Weapons System Targets a Civilian 737</title>
		<link>https://goodshepherdmedia.net/us-navy-autoated-weaopons-systems-targets-a-civilian-737/</link>
		
		<dc:creator><![CDATA[The Truth News]]></dc:creator>
		<pubDate>Thu, 23 Nov 2023 09:15:29 +0000</pubDate>
				<category><![CDATA[⚠️Breaking News⚠️]]></category>
		<category><![CDATA[Politics]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[Top Stories]]></category>
		<category><![CDATA[Travel / Vacation]]></category>
		<category><![CDATA[Zee Truthful News]]></category>
		<category><![CDATA[🎖️🪖Military Tech🤖]]></category>
		<category><![CDATA[737]]></category>
		<category><![CDATA[CIWS]]></category>
		<category><![CDATA[Phalanx]]></category>
		<category><![CDATA[U.S. Navy]]></category>
		<guid isPermaLink="false">https://goodshepherdmedia.net/?p=16469</guid>

					<description><![CDATA[A U.S. Navy Phalanx Gun Targeted a Civilian 737 This Week In a video that went viral yesterday, you can see a Mk 15 Phalanx Close-In Weapon System (CIWS) begin to target what appears to be a civilian 737. In an example of our collective dark sense of humor in the military, you can hear [&#8230;]]]></description>
										<content:encoded><![CDATA[<h1 id="81f8" class="pw-post-title ff fg fh be fi fj fk fl fm fn fo fp fq fr fs ft fu fv fw fx fy fz ga gb gc gd bj" data-testid="storyTitle" data-selectable-paragraph="">A U.S. Navy Phalanx Gun Targeted a Civilian 737 This Week</h1>
<p><iframe title="Killer US Air Defense System Almost Takes Down a Civilian Plane - Caught on Camera" width="640" height="360" src="https://www.youtube.com/embed/tWddG6KSHsA?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
<div class="ab ca">
<div class="ch bg dy dz ea eb">
<p id="597e" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">In a video that went viral yesterday, you can see a Mk 15 Phalanx Close-In Weapon System (CIWS) begin to target what appears to be a civilian 737.</p>
<p id="2d54" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">In an example of our collective dark sense of humor in the military, you can hear a sailor scolding the automated Phalanx as if it were a naughty toddler about to touch a hot stove.</p>
</div>
</div>
<div class="ab ca">
<div class="ch bg dy dz ea eb">
<figure class="lr ls lt lu lv lw">
<div class="lx ly l gw">
<div class="abo ma l"><iframe class="ei n ej rb bg" title="ToastyNarwhals on Twitter: &quot;intrusive thoughts pic.twitter.com/8mZfOwXESD / Twitter&quot;" src="https://cdn.embedly.com/widgets/media.html?type=text%2Fhtml&amp;key=d04bfffea46d4aeda930ec88cc64b87c&amp;schema=twitter&amp;url=https%3A//twitter.com/NarwhalsToasty/status/1658864786090672132&amp;image=https%3A//i.embed.ly/1/image%3Furl%3Dhttps%253A%252F%252Fabs.twimg.com%252Ferrors%252Flogo46x38.png%26key%3D4fce0568f2ce49e8b54624ef71a8a5bd" width="680" height="753" frameborder="0" scrolling="no" allowfullscreen="allowfullscreen" data-mce-fragment="1"></iframe></div>
</div>
</figure>
</div>
</div>
<div class="ab ca">
<div class="ch bg dy dz ea eb">
<p id="4afc" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">It’s worth noting that this probably happens all the time. Ever flown into Reagan Washington National Airport (DCA)? Your plane was likely lit up like a Christmas tree.</p>
<p id="29da" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">The CIWS (often spoken as “sea-wiz”) in the video appears to be mounted on a U.S. Whidbey Island-class amphibious dock landing ship, although it could also be a Harpers Ferry-class.</p>
<p id="984b" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">According to the U.S. Navy, the CIWS is a fast-reaction, detect-through-engage, radar-guided, 20-millimeter gun weapon system. It’s used primarily as an inner layer of protection against anti-ship missiles (ASM), aircraft, and small boats that have penetrated other fleet defenses.</p>
<p id="f68b" class="pw-post-body-paragraph kt ku fh kv b kw kx ky kz la lb lc ld le lf lg lh li lj lk ll lm ln lo lp lq fa bj" data-selectable-paragraph="">The weapon system has various modes, from fully manual, to semi-automated (where it needs approval to fire), to fully automated. In fully automated mode, the CIWS can engage targets as it sees fit, under certain conditions.</p>
</div>
</div>
<div class="lx ly l gw">
<p><iframe title="Phalanx CIWS Close-in Weapon System In Action - US Navy&#039;s Deadly Autocannon" width="640" height="360" src="https://www.youtube.com/embed/Zsf38NYzo5Q?feature=oembed" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" allowfullscreen></iframe></p>
</div>
<p id="5e17" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">Over the years, the CIWS has undergone a number of upgrades to both its gun and its radar. Since 2015, the Navy has upgraded all Phalanx systems to the Block 1B variant.</p>
<p id="1e57" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">Block 1B incorporates an automatic acquisition video tracker, optimized gun barrels (OGB), and Enhanced Lethality Cartridges (ELC) for additional capabilities against asymmetric threats such as small maneuvering surface craft, slow-flying planes and helicopters, and drones.</p>
<p id="44a3" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">The CIWS has downed friendly aircraft before: In 1996, the Phalanx onboard the Asagiri-class Japanese destroyer JDS Yūgiri accidentally shot down a U.S. A-6 Intruder from the aircraft carrier USS Independence. The Intruder was towing a radar target during gunnery exercises about 1,500 mi (2,400 km) west of Oahu.</p>
<p id="f93e" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">Both the pilot and navigator ejected safely.</p>
<p id="1cac" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">In 2005, the U.S. Army started deploying a land-based version of the Phalanx, called the Centurion C-RAM (for Counter-Rocket, Artillery, Mortar), to Iraq to protect U.S. bases from mortar attack. Unlike the naval variant, which fires tungsten armor-piercing rounds, the land variant fires 20-mm HEIT-SD (High-Explosive Incendiary Tracer, Self-Destruct) ammunition, which greatly reduces collateral damage.</p>
<p id="6fc1" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">Still, there’s just something creepy about watching a Phalanx target a civilian airliner.</p>
<p id="5e5f" class="pw-post-body-paragraph mj mk gx ml b mm mn mo mp mq mr ms mt mu mv mw mx my mz na nb nc nd ne nf ng gr bj" data-selectable-paragraph="">I don’t know about you, but the video seems to add to the general feeling of dread that we feel with each new AI announcement. While the CIWS is not technically AI-controlled, its fully automated functions do give it a real Terminator vibe.</p>
<figure class="nh ni nj nk nl nm ns nt paragraph-image">
<div class="nv nw ee nx bg ny" tabindex="0" role="button">
<div class="ns nt nu"><picture><source srcset="https://miro.medium.com/v2/resize:fit:640/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 640w, https://miro.medium.com/v2/resize:fit:720/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 720w, https://miro.medium.com/v2/resize:fit:750/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 750w, https://miro.medium.com/v2/resize:fit:786/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 786w, https://miro.medium.com/v2/resize:fit:828/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 828w, https://miro.medium.com/v2/resize:fit:1100/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 1100w, https://miro.medium.com/v2/resize:fit:1400/format:webp/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 1400w" type="image/webp" sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px" /><source srcset="https://miro.medium.com/v2/resize:fit:640/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 640w, https://miro.medium.com/v2/resize:fit:720/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 720w, https://miro.medium.com/v2/resize:fit:750/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 750w, https://miro.medium.com/v2/resize:fit:786/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 786w, https://miro.medium.com/v2/resize:fit:828/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 828w, https://miro.medium.com/v2/resize:fit:1100/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 1100w, https://miro.medium.com/v2/resize:fit:1400/1*YynP5nV0J-4-jt4RD5GVBA.jpeg 1400w" sizes="(min-resolution: 4dppx) and (max-width: 700px) 50vw, (-webkit-min-device-pixel-ratio: 4) and (max-width: 700px) 50vw, (min-resolution: 3dppx) and (max-width: 700px) 67vw, (-webkit-min-device-pixel-ratio: 3) and (max-width: 700px) 
65vw, (min-resolution: 2.5dppx) and (max-width: 700px) 80vw, (-webkit-min-device-pixel-ratio: 2.5) and (max-width: 700px) 80vw, (min-resolution: 2dppx) and (max-width: 700px) 100vw, (-webkit-min-device-pixel-ratio: 2) and (max-width: 700px) 100vw, 700px" data-testid="og" /><img loading="lazy" decoding="async" class="bg nz oa c" role="presentation" src="https://miro.medium.com/v2/resize:fit:1050/1*YynP5nV0J-4-jt4RD5GVBA.jpeg" alt="" width="700" height="407" /></picture></div>
</div><figcaption class="ob oc fr ns nt od oe be b bf z dw" data-selectable-paragraph="">The Ticonderoga-class guided-missile cruiser USS Chancellorsville (CG 62) fires its Phalanx close-in weapons system (CIWS) as a part of a live fire exercise while underway, Jan. 15 in the Philippine Sea. Public domain. <a href="https://wesodonnell.medium.com/a-u-s-navy-phalanx-gun-targeted-a-civilian-737-this-week-ba58ea0dfdb6" target="_blank" rel="noopener">source</a></figcaption></figure>
<p>&nbsp;</p>
<section class="MuiBox-root css-0">
<hr />
<h1 class="MuiTypography-root MuiTypography-h2 css-fnmlms">Sailors Talk To Phalanx CIWS As It Targets A 737 Like A Dog About To Bite The Mailman</h1>
</section>
<section class="MuiBox-root css-0">
<p class="MuiTypography-root MuiTypography-h6 css-1aggaz0">The Mk 15 Phalanx has experienced its share of personification, but telling it no like a dog is a hilarious and welcome new installment.</p>
</section>
<p>https://youtu.be/3_qSLR7a5qI?si=x1MRmOFytYQLoyqr</p>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1ogu1k5" data-og-block-area="article-blocks" data-og-block-nth="1" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>In what has to be one of the funniest and also creepiest military videos in some time, a Mk 15 Phalanx Close-In Weapon System (CIWS) is seen drawing a bead on a 737 passing over what appears to be a Harpers Ferry or Whidbey Island class amphibious dock landing ship. Sailors nearby laugh as they tell the sinister-looking Phalanx &#8220;No&#8230; No&#8230; NO!&#8221; as if it&#8217;s a dog about to do something it shouldn&#8217;t before it drops its barrel and forgets about the juicy target passing overhead.</p>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="2" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>Check out the viral video here:</p>
</div>
<div class="embed MuiBox-root css-0" data-og-block-area="article-blocks" data-og-block-nth="1" data-og-block-type="core/embed">
<div class="MuiBox-root css-1sw8tu5">
<div class="MuiBox-root css-1bmc1xu">
<div>
<div class="twitter-tweet twitter-tweet-rendered"><iframe id="twitter-widget-0" class="" title="Twitter Tweet" src="https://platform.twitter.com/embed/Tweet.html?dnt=false&amp;embedId=twitter-widget-0&amp;frame=false&amp;hideCard=false&amp;hideThread=false&amp;id=1658864786090672132&amp;lang=en&amp;origin=https%3A%2F%2Fwww.thedrive.com%2Fthe-war-zone%2Fsailors-talk-to-phalanx-ciws-as-it-targets-a-737-like-a-dog-about-to-bite-the-mailman&amp;sessionId=758356261c8b5f793a06e9fbc02ced6778c4574b&amp;siteScreenName=https%3A%2F%2Ftwitter.com%2Fthedrive&amp;theme=light&amp;widgetsVersion=01917f4d1d4cb%3A1696883169554&amp;width=550px" frameborder="0" scrolling="no" allowfullscreen="allowfullscreen" data-tweet-id="1658864786090672132" data-mce-fragment="1"></iframe></div>
</div>
</div>
<div class="MuiBox-root css-1i311vc"></div>
</div>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="3" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>The Mk 15 Phalanx is no stranger to personification. There have been endless jokes about its appearance and twitchy personality. From R2D2 to Frosty to an aroused Minion, Phalanx and its land-based cousin, Centurion, have brought some smiles.</p>
</div>
<div class="embed MuiBox-root css-0" data-og-block-area="article-blocks" data-og-block-nth="2" data-og-block-type="core/embed">
<div class="MuiBox-root css-1sw8tu5">
<div class="MuiBox-root css-1bmc1xu">
<div>
<div class="twitter-tweet twitter-tweet-rendered"><iframe id="twitter-widget-1" class="" title="Twitter Tweet" src="https://platform.twitter.com/embed/Tweet.html?dnt=false&amp;embedId=twitter-widget-1&amp;frame=false&amp;hideCard=false&amp;hideThread=false&amp;id=1182969854476869632&amp;lang=en&amp;origin=https%3A%2F%2Fwww.thedrive.com%2Fthe-war-zone%2Fsailors-talk-to-phalanx-ciws-as-it-targets-a-737-like-a-dog-about-to-bite-the-mailman&amp;sessionId=758356261c8b5f793a06e9fbc02ced6778c4574b&amp;siteScreenName=https%3A%2F%2Ftwitter.com%2Fthedrive&amp;theme=light&amp;widgetsVersion=01917f4d1d4cb%3A1696883169554&amp;width=550px" frameborder="0" scrolling="no" allowfullscreen="allowfullscreen" data-tweet-id="1182969854476869632" data-mce-fragment="1"></iframe></div>
</div>
</div>
<div class="MuiBox-root css-1i311vc"></div>
</div>
</div>
<div class="embed MuiBox-root css-0" data-og-block-area="article-blocks" data-og-block-nth="3" data-og-block-type="core/embed">
<div class="MuiBox-root css-1sw8tu5">
<div class="MuiBox-root css-1bmc1xu">
<div>
<div class="twitter-tweet twitter-tweet-rendered"><iframe id="twitter-widget-2" class="" title="Twitter Tweet" src="https://platform.twitter.com/embed/Tweet.html?dnt=false&amp;embedId=twitter-widget-2&amp;frame=false&amp;hideCard=false&amp;hideThread=false&amp;id=1473758005237846016&amp;lang=en&amp;origin=https%3A%2F%2Fwww.thedrive.com%2Fthe-war-zone%2Fsailors-talk-to-phalanx-ciws-as-it-targets-a-737-like-a-dog-about-to-bite-the-mailman&amp;sessionId=758356261c8b5f793a06e9fbc02ced6778c4574b&amp;siteScreenName=https%3A%2F%2Ftwitter.com%2Fthedrive&amp;theme=light&amp;widgetsVersion=01917f4d1d4cb%3A1696883169554&amp;width=550px" frameborder="0" scrolling="no" allowfullscreen="allowfullscreen" data-tweet-id="1473758005237846016" data-mce-fragment="1"></iframe></div>
</div>
</div>
<div class="MuiBox-root css-1i311vc"></div>
</div>
</div>
<div class="embed MuiBox-root css-0" data-og-block-area="article-blocks" data-og-block-nth="4" data-og-block-type="core/embed">
<div class="MuiBox-root css-1sw8tu5">
<div class="MuiBox-root css-1bmc1xu">
<div>
<div class="twitter-tweet twitter-tweet-rendered"><iframe id="twitter-widget-3" class="" title="Twitter Tweet" src="https://platform.twitter.com/embed/Tweet.html?dnt=false&amp;embedId=twitter-widget-3&amp;frame=false&amp;hideCard=false&amp;hideThread=false&amp;id=878883659092250625&amp;lang=en&amp;origin=https%3A%2F%2Fwww.thedrive.com%2Fthe-war-zone%2Fsailors-talk-to-phalanx-ciws-as-it-targets-a-737-like-a-dog-about-to-bite-the-mailman&amp;sessionId=758356261c8b5f793a06e9fbc02ced6778c4574b&amp;siteScreenName=https%3A%2F%2Ftwitter.com%2Fthedrive&amp;theme=light&amp;widgetsVersion=01917f4d1d4cb%3A1696883169554&amp;width=550px" frameborder="0" scrolling="no" allowfullscreen="allowfullscreen" data-tweet-id="878883659092250625" data-mce-fragment="1"></iframe></div>
</div>
</div>
<div class="MuiBox-root css-1i311vc"></div>
</div>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="4" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>As for any danger to the 737, which could have been a Navy P-8 Poseidon, although the markings don&#8217;t look that way, we just don&#8217;t know for sure. Regardless, there shouldn&#8217;t have been any real risk at all. The system has various modes, from fully manual, to semi-automatic where it needs approval to fire, to fully automatic mode. The latter allows it to engage targets as it sees fit in very specific combat situations.</p>
</div>
<div class="ad-slot-wrapper ad__w728 ad__h250 ad__align" data-viewport-child="KnXlbcVx">
<div id="InContent1" class="ad__slot ad__h90-inner" role="region" aria-label="Advertisement" data-google-query-id="CMSDn4eNuYIDFeuH7gEdmfIMNA">
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="5" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>Infamously, during Operation Desert Storm, a Phalanx operating in the fully automatic mode on the <em>Oliver Hazard Perry</em> class frigate USS <em>Jarrett</em> ended up spraying the <em>Iowa</em> class battleship USS <em>Missouri</em> with armor-piercing 20mm rounds after the battleship fired a Super Rapid Bloom Offboard Countermeasures (SRBOC) chaff canister while under threat from a Silkworm anti-ship missile attack. Thankfully, nobody was injured in that &#8216;blue on blue&#8217; friendly fire incident and certainly other &#8216;Phalanx gone wild&#8217; incidents have occurred.</p>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="6" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>The Mk 15 has been progressively upgraded over its decades of service and, in most configurations, it now features a host of electro-optical cameras to help visually identify targets before firing on them and to use the Phalanx&#8217;s 20mm cannon manually against small boats and other lower-end threats.</p>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="7" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>Still, that doesn&#8217;t mean it isn&#8217;t extremely creepy watching that Vulcan cannon slewing sinisterly on a hapless 737 overhead.</p>
</div>
<div class="MuiTypography-root MuiTypography-paragraph paragraph css-1el4t9i" data-og-block-area="article-blocks" data-og-block-nth="8" data-og-block-type="core/paragraph" data-rawhtml="1">
<p>Thank goodness its masters were there to verbally command CIWS to &#8216;let it go.&#8217; <a href="https://www.thedrive.com/the-war-zone/sailors-talk-to-phalanx-ciws-as-it-targets-a-737-like-a-dog-about-to-bite-the-mailman">source</a></p>
</div>
</div>
</div>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
