Huge, years-long malware attack on the political opposition and the independent press in the ALBA countries:
Security researchers have uncovered a seven-year-long malware campaign against Latin America.
Citizen Lab found that journalists, activists, politicians, and public figures in Argentina, Ecuador, Brazil and Venezuela have been targeted by a large-scale hacking campaign since 2008.
The campaign, dubbed Packrat, uses bogus websites and social media accounts for fake opposition groups and news organisations in order to distribute malware and conduct phishing attacks.
The attackers, whom we have named Packrat, have shown a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes. These countries are linked by a trade agreement as well as a cooperation on a range of non-financial matters.
Security tools firm AlienVault uploaded Citizen Lab’s findings on Packrat to its threat-sharing platform OTX in order to warn the general community of the emerging threat and its indicators of compromise. Citizen Lab is an interdisciplinary lab focused on global security.
Not only was Nisman hacked, but also Lanata:
The security researchers caught the scent of the Packrat attackers in Ecuador this year before tracing their nefarious activities back to attempts to compromise the devices of Alberto Nisman, an Argentine prosecutor known for doggedly probing a 1994 Buenos Aires bombing, and investigative journalist Jorge Lanata in Argentina last year. Further work revealed a pattern of systematic electronic spying dating back to 2007.
Hacked has more:
A Sophisticated Hacker Operation
John Scott-Railton, the lead Citizen Lab researcher at the University of Toronto’s Munk School for Global Affairs, said the operation is highly targeted. He said Packrat carefully chooses and relentlessly pursues its targets.
The hackers used the same Internet domains for years even though there was some exposure in doing this, a technical convenience. Cybercriminals normally do not do this for fear of being caught by law enforcement.
The researchers found 35 types of booby-trapped files and used domains hosted by companies in the U.S., Uruguay, Sweden, Spain, France, Brazil and Argentina.
About two dozen “seeding” sites resided on servers owned by GoDaddy.com LLC, a U.S.-based web hosting company, for much of the past two years. GoDaddy-hosted domain names included login-office365.com, mgoogle.us, update-outlook.com and soporte-yahoo.com.
Researchers alerted most of the providers Friday and asked that they shutter Packrat’s known infrastructure. Nick Fuller, a GoDaddy spokesperson, said GoDaddy acts immediately after identifying a problem website.
Packrat Targeted Nisman
The researchers started the investigation after determining that Packrat had targeted Nisman, who died mysteriously of a gunshot wound in January while attempting to bring charges against Argentina’s president.
Researchers said Packrat sent Jorge Lanata, an Argentine journalist, the same virus Nisman received a month prior to his death.
The virus was designed to communicate with the same Internet domains used to spy on Ecuadorean opposition figures who found Packrat malware in their emails using search scripts the researchers wrote.
Not that it’ll make any difference on the Nisman murder investigation – that’s not going anywhere.