Guest Contributor: Kim Crawley, Cybersecurity Journalist
On May 15th, Amnesty International released a fascinating report, Human Rights Under Surveillance: Digital Threats Against Human Rights Defenders in Pakistan. The report details how Pakistani activists are being targeted by cyber attacks.
If you are neither Pakistani nor Indian, you might not know a lot about Pakistani-Indian relations. I think a little bit of understanding will help put this new cyber attack phenomenon into context.
A very brief “Coles Notes” on Pakistani-Indian relations
India is the second largest country in the world by population, with about 1.3 billion people according to a 2016 estimate. Pakistan is the fifth largest country in the world by population, with nearly 213 million people according to a 2017 census. Under British colonization, they were both parts of the same country. When the British Raj dissolved in 1947, India and Pakistan were established as separate nations, sovereign from each other. There are ethnic and religious differences between the two countries. India is a very ethnically and linguistically diverse country with 79.8% of Indians identifying with Hinduism according to a 2011 census. Pakistan consists mainly of Punjabis, Pashtuns, and Sindhis and 96.4% of Pakistanis are Muslim according to the 2010 CIA World Factbook. These cultural differences were a factor in India and Pakistan wanting to be separate countries after the harmful British control ceased.
Since at least 1947, relations between the two countries have been rather hostile. Starting in the 1960s and 1970s, both countries have acquired nuclear weapons.
I’m hopeful that there are both Indians and Pakistanis who would like to promote peace and understanding between the two countries.
The Amnesty International report specifically names two individual Pakistani targets, Raza Khan and Diep Saeeda. The research which led to the report is also based on information from other Pakistani activist targets, but only Khan and Saeeda are named.
Khan and Saeeda are linked to each other. From the report:
“On 2 December 2017, Raza Khan left his office in Lahore’s Garden Town neighborhood, in the province of Punjab. He never reached home.
All evening, his friends and family tried to reach him on his mobile phone but found that it had been turned off. Alarmed, his brother went to find him at his apartment in Lahore’s Firdous Market area. There was no sign of Raza. His room was locked, but the lights were on and his computer was gone. Raza, a 40-year-old peace activist who devoted his energies to building links between Indians and Pakistanis, is feared to have been subjected to an enforced disappearance.
When a person is subjected to enforced disappearance, they are wrenched away from their loved ones by state officials or others acting on their behalf. The authorities, to whom the families would normally turn for help, either deny the victim is in their custody or refuse to say where they are.
Without news of the victim’s whereabouts, their family is plunged into a state of anguish. They desperately try to keep the flame of hope alive while fearing the worst. Sometimes, the disappeared person is released within weeks or months. Other times, years pass with no news of their whereabouts or well being…
After Raza Khan disappeared, his friends sought his release through whatever means possible. One of them, Diep Saeeda, a well known activist from Lahore, took the case to the Lahore High Court, with the support of the late Asma Jahangir, a legendary human rights activist whose death in February 2018 was mourned by the UN Secretary General, the UN High Commissioner for Human Rights and other world leaders. Recently, Asma Jahangir was posthumously awarded Pakistan’s highest civilian honor.
But instead of receiving justice for Raza Khan, Diep Saeeda herself became ensnared in the broader attack on civil society, taunted by attackers who used her concern for Raza’s life and well being to lure her in, before subjecting her to the malware attacks that Amnesty International reveals in this report…
Diep Saeeda received the first suspicious messages not long after she began campaigning for the release of activist Raza Khan, a victim of enforced disappearance. The attackers approached Diep, a human rights activist in Pakistan, shortly after Raza ‘disappeared’ on 2 December 2017.
Since then, the attackers have carried out a relentless operation to compromise her computer, mobile phone, and social media accounts, enticing her to download malware in sophisticated and targeted attacks. In the most troubling cases, they have even used Raza’s case in an attempt to lure her in.”
Anatomy of a cyber attack
Amnesty International has evidence of cyber attacks targeting activists in Punjab, Pakistan (not to be confused with Punjab, India) going back to December 2016. That’s when Diep Saeeda received her first suspicious Facebook message from a woman who said her name was Sana Halimi. Over the following days, the individual claiming to be Halimi tried to build rapport with Saeeda over Facebook. Halimi’s fake Facebook page and her communications with Saeeda were clearly part of a phishing and social engineering campaign.
Raza Khan disappeared about a year later, in December 2017. A couple of days after Khan’s disappearance, Saeeda took the case to Lahore High Court. The day after, Sana Halimi returns to Saeeda’s life. She received a suspicious link to a fake Facebook page from Halimi. Saeeda eventually became suspicious enough of Halimi that she stopped communicating with her.
On January 1st, 2018, Saeeda received a link to StealthAgent Android malware through Facebook Messenger. The Trojan which contained StealthAgent presented itself as a New Year’s Eve photo app. The Trojan Android APK was delivered through a fake Google Play Store interface.
The following day, Halimi tried to tempt Saeeda with supposed information about Khan and his disappearance. The document Halimi sent Saeeda contained malware through Facebook Messenger. The filename was “Chat with Raza docs.docx.exe.” Wow, was that ever sloppy in my opinion. If I were the cyber attacker, I would have properly filebinded the malicious EXE to the Microsoft Word document so the file extension would just appear as “.docx.”
“Sana (Halimi) had been trying to develop my trust –talking to me about this and that – so when she sent a document about Raza (Khan), I didn’t want to doubt it. I was so anxious for him and thought maybe this would help trace him. Then I remembered the attacks. Now I don’t trust any attachments, even from my family– what if it is not really them?”
Now enlightened about social engineering and malware, Saeeda stopped responding to the malicious links and malware that Halimi kept on sending her. Halimi didn’t give up easily. She continued to send Saeeda similar spear phishing attacks up until April 2018. Halimi maybe continuing her attacks.
Amnesty International has records of other Pakistani peace activists being targeted by very similar cyber attacks. Saeeda’s ordeal is the tip of the iceberg.
This article was originally posted on Peerlyst.