Pando

Packrat targets journalists, at home and abroad

By Dan Raile, written on December 14, 2015

From The Security Desk

Journalists, political dissidents and government officials across much of Latin America have been targeted by a hacking attack that has continued for eight years and shows no signs of abating.

The operation, dubbed Packrat, was documented last week by the Canadian civil liberties group Citizen Lab.

Packrat is not a technically sophisticated hack – it uses an assortment of common, commercially available malware to infect targets’ devices for monitoring and credential-stealing purposes. What is unique, fiendishly clever, and most likely very expensive about Packrat is the way the malware is delivered.

According to Citizen Lab, Packrat operators maintain fake news sites – complete with Twitter and Facebook accounts – populated with original content that often touts government leaks and evidence of official fraud and corruption. They create fake activist organizations and political parties, and impersonate prominent groups and figures to send out targeted emails with links to purported scoops. The campaign was detected in Ecuador, Venezuela, Brazil and Argentina, and Citizen Lab notes that these constitute the Bolivarian Alliance (ALBA) countries of South America – Ecuador and Venezuela – and their politically allied regimes.

Citizen Lab has been unable to determine attribution for the attacks, but helpfully advises that the perpetrators are either government-affiliated or not. It makes no mention of extraterrestrials though the same surely applies.

Meanwhile, political opposition is building in Brazil as protests calling for the impeachment of Dilma Rousseff continue, an embarrassment the government hopes will subside well before this summer's Olympics. Packrat is likely logging some high-value keystrokes toward that effort.

Packrat’s past targets included Alberto Nisman, the Argentine prosecutor who met a fatal bullet in January [Note: that's a Wayback Machine link to an AP article that has inexplicably disappeared from the Washington Post website]. Nisman was due to deliver a report to the country’s congress alleging that the sitting president, Cristina Kirchner, was complicit in covering up high-level Iranian involvement in the 1994 bombing of a Jewish community center in Buenos Aires.

It's quite likely that there were a number of infected activists and journalists among the hundreds of thousands who gathered for anti-Kirchner protests in the aftermath of Nisman's notional suicide. Citizen Lab notes that Argentine journalist and TV host Jorge Lanata has also been confirmed as a target, and that Cristina Kirchner's son Maximo has claimed to be a target but remains unconfirmed.

Canadian academic intervention has so far proved an ineffective deterrent.

At the time of Nisman’s death, sufficient details of malware discovered on his phone were reported in the Argentine press to compromise the Packrat operation, which nonetheless continued, despite renewed exposure arising when Lanata and Maximo Kirchner stepped forward.

Citizen Lab also reports that it was contacted by the Packrat operators during the course of its investigation of their methods. The black hat hackers apparently threatened the lives and families of the white hats. The Canadian organization’s detailed report was issued on December 8, and news services across Latin America have carried the story. Yet the Packrat sites have not been taken down.

Citizen Lab is an interdisciplinary project at the University of Toronto, funded through foundation grants and the “generous donations of software and services” from, among others, Palantir. Eric Schmidt bestowed a $1 million “New Digital Age” grant on the institution last year. It calls itself a “hothouse” for “research that monitors, analyzes, and impacts the exercise of political power in cyberspace.”

* * * *

I learned about the Citizen Lab report by way of a targeted email. An account executive from an established global PR agency’s San Francisco office, a person I’d never met or heard of, sent me a note which described the creative journalist-baiting of the widespread hacking campaign. The email contained a number of links and a call to action.

Hi Dan,

I wanted to pass along some new research courtesy of Citizen Lab, an interdisciplinary lab focused on global security, and partner of AlienVault, provider of Open Threat Exchange (OTX), an open threat intelligence community that enables collaborative defense with actionable, community-powered threat data.

Citizen Lab found that a number of journalists, activists, politicians, and public figures in Latin America (Argentina, Ecuador, Brazil and Venezuela) have been targeted by a large-scale hacking campaign since 2008. Researchers have named the malicious actor behind the attacks as “Packrat,” which creates and maintains websites and social media accounts for fake opposition groups and news organizations in order to distribute malware and conduct phishing attacks. The findings have been added as a Pulse to AlienVault OTX to alert others to the threats, their indicators of compromise, and how to defend against them.

Please take a look and let me know if you have any questions on the findings or the OTX community and I’d be happy to help out.

I did not click the links. One can’t be too careful. Still, I took the bait. Here was a story I could relate to, of Dread lurking in the journalist's inbox. 

I replied with an email attempting to catch a malicious phisher out. I looked up the address in San Francisco’s Market Center where the supposed PR guy kept his offices, and built a little facile trap. Market Center consists of a 40-story and a 22-story building side by side. His office was supposed to be on the 25th floor of the taller one, so I suggested it was too bad the other one was blocking his sun.

He replied to my tortured half-dumb query simply “Hehe, are you close by?” and proceeded to offer to introduce me to someone from AlienVault, “partner” of Citizen Lab. Was he just humoring journalists at all costs out of professional duty, or was he unaware of the relative building heights?

I decided I was being too paranoid, and scheduled a phone call with AlienVault VP and Chief Researcher Jaime Blasco. AlienVault maintains the Open Threat Exchange, “an open threat intelligence community that enables collaborative defense with actionable, community-powered threat data.”

Among other things, Blasco told me that operations like Packrat, with its shadowy implication of political or governmental involvement, are remarkably common the world over, but rarely demonstrate Packrat’s level of creative social engineering.

“We’re not sure who is doing it, but if you look at the data it is likely there is some kind of government involvement, they are mainly hitting political people and parties. Cybercrime actors, why would they target these people. But we’re not sure if it is government or hackers for hire,” he said.

He also told me that he himself had been victimized by such a campaign, when someone began spoofing his email to disseminate malware after he’d exposed a campaign targeting Tibetans.

I have so far been unable to verify that I actually spoke to Jaime Blasco of AlienVault, though the performance was convincing. I have since become aware, however, that in some respects I was dangerously credulous.

Hours after our interview, the PR agent sent me some relevant links, and also this correction:

“It turns out that Citizen Labs is in fact NOT an official AlienVault partner – I sincerely apologize for passing that misinformation along to you.

So then you might ask what AlienVault had to do with the findings, if anything at all?

Nothing. As an expert on threat intelligence, Jaime Blasco (vice president and chief scientist at AlienVault) was speaking more from a thought leadership standpoint on the seven year malware campaign, considering he advises government on emerging threats, regularly presents at hacking conferences and led the development of Open Threat Exchange (OTX) - so he’s well versed in malware and cybercriminal activity. In addition, it was AlienVault that uploaded Citizen Lab’s findings to its social threat intel sharing platform - OTX - in order to alert the general community of the emerging threat and its indicators of compromise.” 

Touché.

Journalists, beware.