2016-05-30

Authors: Bill Marczak, John Scott-Railton

1. Executive Summary

This report describes a campaign of targeted spyware attacks carried out by a sophisticated operator, which we call Stealth Falcon.  The attacks have been conducted from 2012 until the present, against Emirati journalists, activists, and dissidents.  We discovered this campaign when an individual purporting to be from an apparently fictitious organization called “The Right to Fight” contacted Rori Donaghy.  Donaghy, a UK-based journalist and founder of the Emirates Center for Human Rights, received a spyware-laden email in November 2015, purporting to offer him a position on a human rights panel.  Donaghy has written critically of the United Arab Emirates (UAE) government in the past,1 and had recently published a series of articles based on leaked emails involving members of the UAE government.2

Circumstantial evidence suggests a link between Stealth Falcon and the UAE government.  We traced digital artifacts used in this campaign to links sent from an activist’s Twitter account in December 2012, a period when it appears to have been under government control.  We also identified other bait content employed by this threat actor.  We found 31 public tweets sent by Stealth Falcon, 30 of which were directly targeted at one of 27 victims.  Of the 27 targets, 24 were obviously linked to the UAE, based on their profile information (e.g., photos, “UAE” in account name, location), and at least six targets appeared to be operated by people who were arrested, sought for arrest, or convicted in absentia by the UAE government, in relation to their Twitter activity.

The attack on Donaghy — and the Twitter attacks — involved a malicious URL shortening site.  When a user clicks on a URL shortened by Stealth Falcon operators, the site profiles the software on a user’s computer, perhaps for future exploitation, before redirecting the user to a benign website containing bait content.  We queried the URL shortener with every possible short URL, and identified 402 instances of bait content which we believe were sent by Stealth Falcon, 73% of which obviously referenced UAE issues.  Of these URLs, only the one sent to Donaghy definitively contained spyware.  However, we were able to trace the spyware Donaghy received to a network of 67 active command and control (C2) servers, suggesting broader use of the spyware, perhaps by the same or other operators.



Figure 1: Tag cloud of bait content topics used by Stealth Falcon showing a strong emphasis on political topics and narratives critical of the UAE government

2. Background

Rori Donaghy3 is a London-based journalist who currently works for UK news organization Middle East Eye, a website that covers news in the Middle East.4  Middle East Eye has recently published a series of articles about UAE foreign policy, based on leaked emails involving members of the UAE government.  Previously, Donaghy led the Emirates Center for Human Rights,5 an organization he founded to “promote the defence of human rights in the United Arab Emirates … through building strong relationships with the media, parliaments and other relevant organisations outside the UAE”.6

2.1. Political and Human Rights Situation in the UAE

In its most recent (2015) Freedom in the World ranking, Freedom House classified the UAE as “not free,” and noted that the UAE continues to “suppress dissent”.7  Human Rights Watch stated in its most recent (2016) country report, that the UAE has “continued … to arbitrarily detain and in some cases forcibly disappear individuals who criticized the authorities”.8  Amnesty International says that UAE courts have “accepted evidence allegedly obtained through torture”.9

Specifically in the online realm, there is evidence that the UAE government has previously conducted malware attacks against civil society. At least three dissidents10 including a journalist, and UAE human rights activist Ahmed Mansoor, were targeted in 2012 with Hacking Team spyware11 by a Hacking Team customer in the UAE, apparently operating under the auspices of the office of Sheikh Tahnoon bin Zayed al-Nahyan,12 a son of the founder of the UAE, and now the UAE Deputy National Security Advisor.13  The UAE client had a license from Hacking Team to concurrently infect and monitor 1100 devices.14



Figure 2: Diagram of Stealth Falcon’s known Targets, Fake Personas, and campaign Artefacts, along with relevant sections of the report. The document paints a picture of a large-scale campaign with a focus on critics of the UAE Government

3. The November 2015 Attack: An “Invitation”

This section describes an email attack against journalist Rori Donaghy. The operators used a Microsoft Word macro that installs a custom backdoor allowing operators to execute arbitrary commands on a compromised machine.

3.1 Initial Attack Email

In November 2015, the journalist Donaghy received the following email message, purportedly offering him a position on a panel of human rights experts:

From: the_right_to_fight@openmailbox.org
Subject: Current Situation of Human Rights in the Middle East

Mr. Donaghy,

We are currently organizing a panel of experts on Human Rights in the Middle East.

We would like to formally invite you to apply to be a member of the panel by responding to this email.

You should include your thoughts and opinions in response to the following article about what more David Cameron can be doing to help aid the Middle East.

http://aax.me/d0dde
Thank you.

We look forward to hearing back from you,

Human Rights: The Right to Fight

Donaghy was suspicious of the email, and forwarded it to us for analysis.  We found that the link in the email (http://aax.me/d0dde) loaded a page containing a redirect to the website of Al Jazeera.  Before completing the redirect, it invoked JavaScript to profile the target’s computer.  We describe the profiling in detail in Section 3.1-3.3 below.

3.2 Communication with the Operator

On our instruction, Donaghy responded to the email, asking for further information.  The operators responded with the following message:

From: the_right_to_fight@openmailbox.org
Subject: RE: Current Situation of Human Rights in the Middle East

Mr. Donaghy,

Thank you for getting back to us. We are very interested in you joining our panel.

The information you requested is in the attached document.

In order to protect the content of the attachment we had to add macro enabled security.

Please enable macros in order to read the provided information about our organization.

We hope you will consider joining us.
Thank you.

We look forward to hearing back from you,

Human Rights: The Right to Fight

By chance, the attachment was identified as malicious and blocked by a program running in Donaghy’s email account.  We instructed him to follow up and request that the operators forward the attachment via another method.  Donaghy received the following reply:

From: the_right_to_fight@openmailbox.org
Subject: RE: Current Situation of Human Rights in the Middle East

Mr. Donaghy,

We apologize for having problems with our attachment.

Please follow this link to download our organizational information.

http://aax.me/a6faa

The link has been password protected.  The password is: right2fight

In order to protect the content of the attachment we also had to add macro enabled security.

Please enable macros in order to read the provided information about our organization.

We hope you will consider joining us.
Thank you.

We look forward to hearing back from you,

Human Rights: The Right to Fight

This second link (http://aax.me/a6faa) redirects to the following URL using an HTTP 302 redirect:

https://cloud.openmailbox.org/index.php/s/ujDNWMmg8pdG3AL/authenticate

This is a password-protected link to a file shared on an ownCloud15 instance.  We obtained this file, and found it to be a Microsoft Word document.

3.3 The Malicious Document

The document is:

When opened, the target is greeted with the following image, purporting to be a message from “proofpoint,” a legitimate provider of security solutions for Office 365.16  The image claims that “This Document Is Secured” and requests that the user “Please enable macros to continue.”



Figure 3: Fake Proofpoint image in the malicious document sent to Donaghy

If the target enables macros, they are presented with the following document:

Figure 4: Document that Donaghy would have seen, had he enabled macros

The document purports to be from an organization called “The Right To Fight,” and asks the target Donaghy to open the link in the original email he received (the email containing the profiling URL).  We believe that “The Right To Fight” is a fictitious organization, as their logo appears to be copied from an exhibition about “African American Experiences in WWII”.17  Further, “The Right to Fight” has no discernible web presence.

Figure 5: Logo from exhibition about African American experiences in WWII.

3.3.1 Profiling

The document attempts to execute code on the recipient’s computer, using a macro.  The macro passes a Base64-encoded command to Windows PowerShell, which gathers system information via Windows Management Instrumentation (WMI), and attempts to determine the installed version of .NET by querying the registry (full script available in Appendix A: Stage One PowerShell Command).

3.3.2 Communication & Obtaining a Shell

Gathered information is returned to http://adhostingcache.com/ehhe/eh4g4/adcache.txt, and the server’s response is executed as a PowerShell command.  At the time, adhostingcache.com resolved to 95.215.44.37.  The domain was apparently deleted on November 30th 2015 (Donaghy received the malicious Word Document on November 24th 2015).  A new domain, adhostingcaches.com, was registered on December 3rd, which points to the same IP address.  The deletion of adhostingcache.com may reflect operator suspicion that the file received by Donaghy had been sent to security researchers.

The server response is a PowerShell command that decodes and materializes an invocation of a Base64-encoded PowerShell command to disk as IEWebCache.vbs, and creates a scheduled task entitled “IE Web Cache” that executes the file hourly (full script available in Appendix B: Stage Two PowerShell Command).

IEWebCache.vbs runs a Base64-encoded PowerShell command, which periodically POSTs a unique identifier to https://incapsulawebcache.com/cache/cache.nfo (via HTTPS without verifying the server certificate, and with a hardcoded user-agent header matching Internet Explorer 10.6).  The script executes server responses as PowerShell commands, responding back to the server with the exit status of, output of, or any exceptions generated by the commands.

This gives the operator control over the victim’s computer, and allows the operator to install additional spyware or perform other activities.  All commands and responses are encrypted using RC4 with a hardcoded key, and the encrypted message is prefixed with a hardcoded value.

Despite some similarities in functionality to the Empire backdoor,18 we were unable to identify any shared code, and we suspect that the backdoor is custom-made.

3.4. Technical Analysis: aax.me Browser Profiling

While aax.me has a public interface where anyone may shorten a link, aax.me only conducts browser profiling of individuals who click on links that are specially shortened by Stealth Falcon operators.

In November 2015, when we accessed the link in the second email that Donaghy received, http://aax.me/a6faa, we found that it redirected directly to https://cloud.openmailbox.org/index.php/s/ujDNWMmg8pdG3AL/authenticate via an HTTP 302 redirect.  When we accessed the link in the first email that Donaghy received, http://aax.me/d0dde, the server responded with the following page:

The page is apparently designed to redirect to an Al Jazeera op-ed after twenty seconds.19  However, the URL is incorrect: the last character of the filename should be a “1” instead of a “7”.  Therefore, an Al Jazeera 404 page is returned instead of the op-ed.  It is possible that the use of “7” instead of “1” represents a transcription error on the part of the operators.  When we accessed this same aax.me URL in March 2016, it redirected directly to the Al Jazeera URL (with typo) via an HTTP 302 redirect.

The iframe, http://aax.me/redirect.php, reloads itself with a parameter “inFr” in its query string, to indicate whether the page has been opened up inside a frame.

If the page has not been opened up inside a frame (inFr=0), then a blank page is returned.  If the page is opened inside a frame (inFr=1), as is the case here, then the following page is returned (we omitted the PHPSESSID value):

We examined the referenced JavaScript file, http://aax.me/redirect.js.  The file is designed to profile a user’s system, perhaps to gather intelligence about potentially exploitable vulnerabilities.  The file has apparently not been updated since 7 May 2013,20 rendering some of the probing obsolete.  We enclose the file’s full contents in Appendix C: JavaScript Profiling File.  The profiling performs the following actions:

For Internet Explorer, it attempts to create several instances of ActiveXObject to get the versions of Flash, Shockwave, Java, RealPlayer, Windows Media Player, and Microsoft Office (classified as either 2003, 2007, or 2010).

For non-Internet Explorer browsers, it attempts to get a list of enabled plugins from navigator.mimeTypes.

For all browsers, it captures the user agent, whether cookies are enabled, the OS, the size of the browser window, and the timezone.  It classifies browsers into different versions, denoted by letters, based on the existence and behavior of certain JavaScript methods.

The script attempts to exploit an information leak in older versions of Tor Browser.  We explore the technique used in Section 3.5.

For Windows browsers (except Opera, and versions of Internet Explorer before IE9), it sends a series of XMLHttpRequests to 127.0.0.1, which we believe are designed to deduce if the computer is running any one of several specific antivirus programs.  The code for this appears to be borrowed from the JS-Recon port scanning tool.21  The creator of JS-Recon presented the tool at BlackHat Abu Dhabi in 2010.22  We explore such techniques in more detail in Section 3.6.

We were unfamiliar with the website aax.me, so we investigated it further.  We found that the main page of aax.me purported to be a public URL shortening service, powered by YOURLS,23 an open source PHP framework allowing anyone to set up their own URL shortening service.  We are unable to ascertain whether the site actually uses any YOURLS code.  We also noted that the homepage contains a typo (“Shortend [sic] URL”).

Figure 6: Homepage of aax.me

We shortened a URL using the homepage, but found that clicking on the shortened URL did not trigger the loading of the intermediate page, http://aax.me/redirect.php.  We also did not find the code for redirect.php or redirect.js in the public code repository for YOURLS.24  Thus, we deduced that this code was likely specially written by the operators, and the link sent to Donaghy was likely created by someone with administrator access to aax.me.

3.5. Technical Analysis: aax.me Tor Deanonymization Attempt

The aax.me site appears to attempt to deanonymize users of Tor Browser.  While the technique the operators used was out-of-date at the time we observed the attack, the attempted Tor deanonymization speaks to their motivations and potential targets.

The script first detects Tor Browsers by checking whether navigator.buildID is set to zero (all testing was conducted on English, Windows builds of Tor Browser).  Versions of Tor Browser before 2.3.25-12 (released on 13 August 2013) had their buildID set to zero.  This behavior was originally introduced in TorButton,25 in support of the goal of making Tor users appear homogenous.26  Current Tor Browser versions have navigator.buildID set to a different distinctive value, 20000101000000.

When the script detects a Tor Browser, it attempts to deduce the version of Tor Browser by checking for the existence and behavior of certain JavaScript methods.  Once a browser is determined to be older than a certain version of Tor Browser, the script exploits a now-fixed bug to get the disk path of the browser installation.27  The disk path may contain the target’s username, which may include the target’s real name.

The bug in Tor Browser was first disclosed at Defcon 17, which took place in August 2009.28  The bug was first fixed on 25 May 2012 in Tor Browser release 2.2.35-13.29  The bug was, however, later reintroduced into Tor Browser on 18 December 2013 with the release of Tor Browser 3.5, and subsequently fixed again in Tor Browser 3.6 on 29 April 2014.30  However, unfortunately for the operators, they failed to update their profiling script to reflect Tor Browser’s navigator.buildID change (before the bug was reintroduced).  Thus, the profiling script did not detect Tor Browsers with the reintroduced bug as Tor Browsers, so it did not try to exploit them.  Even if it had been updated to reflect the navigator.buildID change, the version check in the Tor Browser exploitation code would also have to be updated to select the versions with the reintroduced bug for exploitation.

The version of Tor Browser (as determined by JavaScript checks) is submitted back to the server, along with the value of navigator.oscpu (which reveals the version of the OS on which Tor Browser is running — e.g., the latest version of Tor Browser on OSX El Capitan reveals: “Intel Mac OS X 10.11”), navigator.vendor (which appears blank in the latest Tor Browser), and any data gathered about the installation path.
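To make the buildID logic concrete, the following is an added example written for readers of this report; it is not code from the aax.me profiling script or from the Tor Project.  It applies the zero-buildID test described above, alongside a check that also recognizes the later 20000101000000 value, to constructed navigator objects (apart from the El Capitan oscpu string quoted above, the fixture values are illustrative), and shows that a profiler keyed only on zero never classifies a current Tor Browser as Tor:

```javascript
// Added example (not code from the report, aax.me, or Tor Browser). Runs under
// Node.js; nothing is transmitted. Navigator objects below are constructed fixtures.

// Distinctive buildID values stated in the report.
const OLD_TOR_BUILD_ID = "0";                  // Tor Browser before 2.3.25-12 (TorButton zeroed it)
const CURRENT_TOR_BUILD_ID = "20000101000000"; // later Tor Browser releases

// The check the report attributes to the 2013-era profiling script: buildID equal to zero.
// The original's exact comparison is not reproduced in the report; this is an assumption.
function legacyProfilerSeesTor(nav) {
  return String(nav.buildID) === "0";
}

// A classification that also knows the current value, so the gap is visible.
function classifyBuildID(nav) {
  if (nav.buildID === undefined) return "no-buildID";       // Chrome, IE/Edge, Safari do not expose it
  if (nav.buildID === OLD_TOR_BUILD_ID) return "tor-pre-2.3.25-12";
  if (nav.buildID === CURRENT_TOR_BUILD_ID) return "tor-current";
  return "firefox-other";                                    // an ordinary Firefox build timestamp
}

// Fields the report says the script submits once it believes it has found a Tor Browser.
// From a defender's viewpoint this is what such a page learns even without the path bug.
function fieldsSubmitted(nav) {
  return { oscpu: nav.oscpu, vendor: nav.vendor };
}

// Constructed fixtures (not captured data). The oscpu string for currentTor is the
// value quoted in the report; the others are illustrative.
const FIXTURES = {
  oldTor:     { buildID: "0",              oscpu: "Windows NT 6.1",       vendor: "" },
  currentTor: { buildID: "20000101000000", oscpu: "Intel Mac OS X 10.11", vendor: "" },
  firefox:    { buildID: "20160315153207", oscpu: "Windows NT 10.0",      vendor: "" },
  chrome:     { oscpu: undefined,          vendor: "Google Inc." },
};

// Run both detectors over every fixture and report what each concludes.
function compareDetectors(fixtures = FIXTURES) {
  const result = {};
  for (const [name, nav] of Object.entries(fixtures)) {
    result[name] = { legacy: legacyProfilerSeesTor(nav), current: classifyBuildID(nav) };
  }
  return result;
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(compareDetectors());
}
```

In the output, only the oldTor fixture is flagged by the legacy check, while the currentTor fixture is recognized only by the updated classifier, which is the failure the report describes for Tor Browser 3.5.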

3.6. Technical Analysis: aax.me Antivirus Profiling

Interestingly, aax.me also attempts to determine the presence of various antivirus products on a target’s machine.

We expand on the probing of antivirus programs which we observed on aax.me, as we were unfamiliar with this technique.  The technique appears to work on any modern version of Windows, with the latest versions of Chrome, Firefox, and IE/Edge (though the profiling script excludes IE versions earlier than IE9 from the profiling, using the vertical tab test).31  Specifically, the script conducts GET XMLHttpRequests (one at a time) to 127.0.0.1/ on the following ports: 12993, 44080, 24961, 1110, 6646, 6999, 30606.  The script stops conducting these requests if it finds one request whose readyState is set to 4 less than 20ms after the request was initiated (200ms for port 6646), and submits the number of this port to the server.

The latest versions of Internet Explorer/Edge, Chrome, and Firefox (except Tor Browser) will all perform these XMLHttpRequests to 127.0.0.1 on behalf of any site.  Of course, the result of such a request will most likely not be available to the script, due to the same-origin policy, and likely absence of a CORS32 header in the response.  Indeed, the script does not attempt to read the results of its requests.  Rather, it leverages the fact that the web browser makes the status of the request sent available, via the readyState parameter of an XMLHttpRequest instance (1 approximately represents TCP SYN sent, and 4 represents HTTP response received or TCP connection terminated).  For a closed port, Windows will issue an RST/ACK for each SYN sent.  However, it appears that Windows’ TCP stack will not consider an outgoing connection it is initiating to be terminated until it has sent 3 SYNs, and received three corresponding RST/ACKs (or timeouts).

Figure 7: Three RST/ACKs required until Windows considers outgoing TCP connection terminated

When testing with a TCP connection from Windows to a remote host, we can clearly see that Windows transmits the second SYN ~500ms after the first RST/ACK, and the third SYN ~500ms after the second RST/ACK.

Figure 8: Windows sends the next SYN 500ms after the latest RST/ACK

Thus, the readyState value for a request to a closed port on 127.0.0.1 will not be set equal to 4 until approximately 1000ms after the request is issued.  In summary, one can use this technique to distinguish between a closed port (readyState set to 4 at around 1000ms), an open port (readyState set to 4 before 1000ms), and a filtered port (readyState set to 4 long after 1000ms).

This script was apparently designed to detect the presence of certain components of Avast, Avira, ESET, Kaspersky, and Trend Micro antivirus products.  We were not able to determine which program the probing of port 24961 was designed to detect.  We verified that the latest version of Avast can be detected by this script, as it opens TCP port 12993, which is associated with its Mail Shield component for scanning email traffic; port 6999 is opened by Trend Micro’s tmproxy33 which scans web and email traffic; port 1110 is used by Kaspersky34 to scan web and email traffic; it appears that Avira’s Web Protection component for scanning web traffic used to open port 44080,35 though we observed it opening 44081 instead; port 30606 appears to have been used by ESET to scan web and email traffic,36 but we did not observe this port open while testing the latest version of ESET; port 6646 may be used by McAfee, though we did not test this.37
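The following is an added example, not the aax.me script and not JS-Recon.  It models the timing side channel offline: the delay until readyState reaches 4 for a port on 127.0.0.1 is computed from the Windows behaviour described above (three SYN/RST rounds, with the next SYN about 500ms after each RST/ACK) rather than measured, and the script's per-port thresholds and the open/closed/filtered classification are then applied to a constructed host profile.  No sockets are opened.  The 21000ms timeout used for a filtered port and the 1500ms tolerance for “closed” are assumptions, not values from the report:

```javascript
// Added example (not the aax.me script, not JS-Recon). Offline model of the
// XMLHttpRequest readyState timing side channel; nothing here touches the network.

// Ports probed by the script, in the order the report lists them, and the product
// component the report associates with each.
const PROBE_ORDER = [12993, 44080, 24961, 1110, 6646, 6999, 30606];
const PORT_PRODUCT = {
  12993: "Avast Mail Shield",
  44080: "Avira Web Protection (report observed 44081 instead)",
  24961: "not determined",
  1110:  "Kaspersky web/mail scanning",
  6646:  "McAfee (not tested by the report)",
  6999:  "Trend Micro tmproxy",
  30606: "ESET web/mail scanning (not seen open in the latest version tested)",
};

const SYN_RETRY_MS = 500;          // Windows resends the SYN ~500 ms after each RST/ACK
const SYN_ROUNDS = 3;              // three SYN/RST exchanges before the connection is considered terminated
const FILTERED_TIMEOUT_MS = 21000; // assumption: stand-in for the stack giving up on unanswered SYNs
const LOCAL_HTTP_REPLY_MS = 5;     // constructed: a listening local service answers almost at once

// Modelled delay until readyState becomes 4, for a port in the given state on 127.0.0.1.
function modelReadyState4Ms(state) {
  switch (state) {
    case "open":     return LOCAL_HTTP_REPLY_MS;
    case "closed":   return (SYN_ROUNDS - 1) * SYN_RETRY_MS; // two 500 ms gaps, about 1000 ms
    case "filtered": return FILTERED_TIMEOUT_MS;
    default: throw new Error("unknown port state: " + state);
  }
}

// Per-port threshold the report attributes to the script: 20 ms, or 200 ms for port 6646.
function scriptThresholdMs(port) {
  return port === 6646 ? 200 : 20;
}

// The general three-way classification described in the report. The 1500 ms upper
// bound for "closed" is an assumed tolerance around the ~1000 ms figure.
function classifyByTiming(ms) {
  if (ms < 1000) return "open";
  if (ms <= 1500) return "closed";
  return "filtered";
}

// Walk the probe list the way the script does: stop at the first port whose modelled
// delay is under threshold and report it; null when no port qualifies.
// portStates maps port -> "open" | "closed" | "filtered"; ports not listed are closed.
function simulateProbe(portStates) {
  for (const port of PROBE_ORDER) {
    const state = portStates[port] || "closed";
    if (modelReadyState4Ms(state) < scriptThresholdMs(port)) {
      return { port, product: PORT_PRODUCT[port] };
    }
  }
  return null;
}

// Constructed host profile: Kaspersky's scanner listening, and a host firewall
// silently dropping the probe to one other port.
const SAMPLE_HOST = { 1110: "open", 30606: "filtered" };

if (typeof require !== "undefined" && require.main === module) {
  console.log(simulateProbe(SAMPLE_HOST));
  for (const state of ["open", "closed", "filtered"]) {
    console.log(state, modelReadyState4Ms(state), classifyByTiming(modelReadyState4Ms(state)));
  }
}
```

Run under Node, the probe stops at port 1110 for the constructed profile, since the three closed ports before it each take the modelled ~1000ms to reach readyState 4 and so never fall under the 20ms threshold; the filtered port is never reached, which is also why a host-level firewall that drops rather than rejects changes the timing the script relies on.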

The code for the port scanning appears to be adapted from the JS-Recon port scanning tool.38  JS-Recon is a generic tool that enumerates all open ports on 127.0.0.1 in a range; it does not specifically target anti-virus programs.  The scan_xhr and check_ps_xhr functions in the aax.me profiling script are similar to the scan_ports_xhr and check_ps_xhr functions in JS-Recon.  The creator of JS-Recon seems to have first presented the tool at BlackHat Abu Dhabi in 2010.39

Figure 9: Image from the author of JS-Recon showing how long WebSocket and XMLHttpRequest (“COR”) connections remain in their initial readyState on Windows.40

Note that this technique can be generalized to any remote content timing side channel (e.g., the onerror event for an Image).  Additionally, one can identify the presence of an open port on 127.0.0.1 that speaks HTTP without using timing information, and thus without the Windows TCP behavior assumption (e.g., by handling the onerror and oncomplete events of certain types of link elements).

We are unsure whether the purpose of the antivirus profiling is to identify potentially exploitable antivirus software running on a target’s computer, or for evasion of antivirus products.  In December 2015, Google Security discovered a critical vulnerability in Avast’s antivirus product, which involved a webpage sending HTTP requests to a port that Avast opens on 127.0.0.1.  Google Security demonstrated that the vulnerability allowed exfiltration of arbitrary files from a victim’s disk.41  In January 2016, Google Security discovered a critical vulnerability in Trend Micro’s antivirus product, which similarly involved a web page sending HTTP requests to a port that Trend Micro opens on 127.0.0.1.  Google Security demonstrated that the vulnerability allowed arbitrary command execution.

4. The Case of the Fake Journalist

In the course of our investigation we scanned the e-mail of journalist Donaghy and found evidence that he had been contacted by a fictitious journalist, whom we linked to Stealth Falcon.

We scanned Donaghy’s GMail account for any previous messages featuring links that redirected through aax.me.  We identified the following message from December 2013, purporting to be from a UK journalist named Andrew Dwight:

From: andrew.dwight389@outlook.com
Subject: FW: Correspondence Request

Greetings Mr. Donaghy,

I have been trying to reach you for comment and I am hoping that this e-mail reaches the intended recipient. My name is Andrew Dwight and I am currently writing a book about my experiences in the Middle East. My focus is on human factors and rights issues in seemingly non-authoritarian regimes (that are, in reality, anything but). I was hoping that I might correspond with you and reference some of your work, specifically this piece (http://goo.gl/60HAqJ), for the book. I’m quite impressed with the way you articulate this complex issue for the masses, and hope to have a similar impact with my book.

Happy New Year,

Andrew

The link in the email, http://goo.gl/60HAqJ, redirects to http://aax.me/0b152, which, as of December 2015, redirected to a 2013 Huffington Post blog post authored by Donaghy.42  We did not observe any redirect.php behavior with this link; as of December 2015, the aax.me link directly served an HTTP 302 redirect to the Huffington Post (we omitted the date header below).  However, it is possible that the link formerly exhibited redirect.php behavior:

We found that Donaghy had responded to this message shortly after receiving it, offering to meet in-person with Andrew in the UK.  Andrew responded several weeks later with the following:

From: andrew.dwight389@outlook.com
Subject: RE: Correspondence Request

Hello Rori,

Happy New Year! I apologize for the delay in getting back to you. I was on a ski holiday in upstate New York for the New Year and just returned to my current accommodations in the city. I was due back sooner, but as you may know, the weather has not been agreeable here in the Eastern United States!

I am currently situated in the US while I complete my book to be closer to my publisher and editor. The book focuses on the various guises used by Middle Eastern countries to demonstrate that they are providing equal and fair treatment with concern to human rights. I am working with several organizations in identifying cases that reveal their true lack of concern for liberty and personal freedoms. I’m using these cases as testimony about this under reported issue. Have you heard of a Swedish organization named Al Karama?

Their website: http://en.alkarama.org/index.php?option=com_content&view=article&id=1005&Itemid=74&slid=102

I have spoken to one of their junior editors and I am hoping to obtain input from some of their sources as well.

This issue never gets any smaller does it? I hope that a few loud voices (and a well received book) can make a difference.

Cheers,

Andrew

While attempting to determine whether “Andrew Dwight” was a real person, we found a Twitter profile, @Dwight389, for the same persona, which mentions the same address from which Donaghy received the email.

Figure 10: Andrew Dwight’s Twitter profile, @Dwight389, mentioning the email address that corresponded with Donaghy in 2013, andrew.dwight389@outlook.com

We found that this account messaged three UAE dissident accounts via Twitter mentions.  While we were unable to establish if @Dwight389 successfully attacked any of these individuals, we profile the targets below.

4.1. Another Target: Obaid Yousef Al-Zaabi

This section describes how the fake journalist persona contacted Obaid Yousef Al-Zaabi, a blogger who was arrested for criticising the UAE.

Figure 11: @Dwight389 contacted @bukhaledobaid on 24 April 2013

Obaid Yousef Al-Zaabi was arrested on 2 July 201343 for Tweeting about the UAE94 detainees (94 defendants prosecuted in a mass trial on charges of attempting to overthrow the government)44 on his @bukhaledobaid account, which displays his real name.45  He was released due to health problems a month later, but was arrested again on 12 December 2013,46 a day after talking to CNN47 about the condition of US citizen Shezanne Cassim, imprisoned for making a parody video48 about “youth culture in Dubai”.49  Al-Zaabi and Cassim were imprisoned in the same cellblock.  Al-Zaabi was acquitted on 23 June 2014 of all charges including “slander concerning the rulers of the UAE using phrases that lower their status, and accusing them of oppression” and “disseminating ideas and news meant to mock and damage the reputation of a governmental institution,” but, according to information received from two UAE sources, Al-Zaabi is still imprisoned in the prisoners ward of a hospital.  A coalition of 13 human rights organizations including Amnesty International consider Al-Zaabi’s ongoing detention to be arbitrary, and without legal basis.50  Amnesty International reported that “a senior State Security Prosecution official” told Al-Zaabi he would continue to be detained even if acquitted.51

Al-Zaabi’s brother, Dr. Ahmed Al-Zaabi, is one of the UAE94 detainees and is currently serving a 10 year prison sentence.  According to a report by the Gulf Center for Human Rights, Ahmed was tortured in prison: his fingernails were pulled out, and he was “beaten to the point he was left swollen, covered in bruises all over his body and with large amounts of blood in his urine”.52

4.2. Another Target: Professor Abdullah Al-Shamsi

This section describes how the fake journalist persona contacted professor Abdullah Al-Shamsi, Vice Chancellor of the British University in Dubai.

Figure 12: @Dwight389 sent a message on 9 May 2013 suggesting he had targeted @shamsiuae58

Professor Abdullah Al-Shamsi (@shamsiuae58) is the Vice Chancellor of the British University in Dubai.53  He (Arabic name: أ.د.عبدالله محمد رحمة الشامسي)54 is signatory #79 (out of 133) to a March 2011 petition to the UAE government55 for direct elections56 (UAE activist Ahmed Mansoor was arrested after signing the same petition).57  Al-Shamsi’s father (محمد بن رحمة العامري الشامسي) was appointed to, and chaired the first sessions of, the Federal National Council (FNC), a legislative advisory council that is now an elected body.  He called for more powers to be given to the FNC.58

4.3. Additional Targets: Qatari Citizens Sentenced to Prison

Figure 13: @Dwight389 contacted @northsniper on 7 November 2013

In May 2015, five Qataris were sentenced (one present in the UAE to 10 years in prison, and four in absentia to life in prison), for posting allegedly offensive pictures of the UAE Royal Family on three Twitter accounts and two Instagram accounts,59 including @northsniper.60  At trial, the prosecution accused the five of being agents of Qatar’s State Security, and posting the allegedly offensive pictures as part of a “military mission” to “show that Emiratis had offended their own leaders”.61  The @northsniper account is currently suspended.  One Instagram account allegedly used by defendants in this case (@9ip) is still active, and still appears to display unflattering photoshopped images of the President, Crown Prince, and Founder of the UAE.62

5. Stealth Falcon’s Widespread Targeting of UAE Figures

This section describes how we identified additional Stealth Falcon victims and bait content, and traced Stealth Falcon’s spyware to additional C2 servers.

Given Stealth Falcon’s use of public Twitter mentions to contact individuals, we searched Google and Twitter for instances of aax.me links.  The links we found indicated that we could easily probe aax.me to get a comprehensive list of all currently active short URLs, and their corresponding long URLs.  Our findings point to a UAE-focused operator, whose bait content and targets are linked to the Emirates.  Furthermore, we were able to connect this attack to a case from December 2012, where an anonymous UAE activist contacted us and claimed to have received a suspicious link from a Twitter account that was purportedly under government control.

5.1. Public Targets and Links to Arrests

This section describes 24 Stealth Falcon Twitter targets we identified on the basis of them receiving an aax.me link in a Twitter mention.

We found aax.me links targeting 24 accounts, each of whom was mentioned in a tweet that also contained an aax.me shortened link.  We were unable to get details about 17 of the accounts.  Of the accounts we have been able to identify, several individuals were subsequently arrested or convicted in absentia by the UAE Government in relation to their online activities.

The following table outlines these cases, and notes arrests.  For completeness, the table includes the cases from Section 4.1-4.3:

Handle                   | Targeting                              | Related Arrests / Convictions                        | Note
-------------------------|----------------------------------------|------------------------------------------------------|---------------------------------------------------------------
@omran83                 | 14 January 2012 [63]                   | 16 July 2012 [64] (arrested)                         | UAE94 prisoner; serving 7 years in prison. [65]
@weldbudhabi             | 5 August 2012 [66]; 20 October 2012 [67] | 14 December 2012 [68] (arrested)                   |
@intihakat               | 5 August 2012 [69]                     | 25 December 2013 [70] (convicted)                    | Qatari convicted in absentia; sentenced to 5 years in prison.
@bukhaledobaid (Sec 4.1) | 24 April 2013 [71]                     | 2 July 2013 [72]; 12 December 2013 [73] (arrested)   | Brother of UAE94 prisoner; acquitted of charges; indefinitely detained in prisoners ward of hospital.
@northsniper (Sec 4.3)   | 7 November 2013 [74]                   | 18 May 2015 [75] (convicted)                         | Five Qataris convicted; sentences ranged from 10 years to life in prison.
@71UAE                   | 9 January 2012 [76]                    |                                                      | Last tweeted 1 July 2013, a day before arrest of @bukhaledobaid.
@kh_oz                   | 10 January 2012 [77]                   |                                                      | Likely son of @bukhaledobaid. [78]
@shamsiuae58 (Sec 4.2)   | 9 May 2013 [79]                        |                                                      | Signed 2011 pro-democracy petition that Ahmed Mansoor was arrested after signing.
@newbedon                | 9 January 2012 [80]                    |                                                      | Donaghy describes the account as “ensur[ing that] details of mistreatment [by security forces] are readily available”. [81]
@bomsabih                | 9 January 2012 [82]                    |                                                      | Inactive since 8 October 2014.  Owner claimed affiliation with State Security Apparatus.

We list additional details in Appendix D: Public Stealth Falcon Tweets.

5.2. Enumerating aax.me for Bait Content

This section describes how we probed every conceivable short URL on aax.me, and found 402 pieces of bait content that we believe were sent by Stealth Falcon.

All of the public aax.me links we found, as well as the links sent to Donaghy, matched the regular expression /aax\.me\/[0-9a-f]{5}/.  Assuming all links shortened via aax.me
