Diep Saeeda received the first suspicious messages not long after she began campaigning for the release of activist Raza Khan, a victim of enforced disappearance.
The attackers approached Diep, a human rights activist in Pakistan, shortly after Raza “disappeared” on 2 December 2017.
Since then, the attackers have carried out a relentless operation to compromise her computer, mobile phone and social media accounts, enticing her to download malware in sophisticated and targeted attacks. In the most troubling cases, they have even used Raza’s case in an attempt to lure her in.
Since January 2018, Amnesty International has investigated the source of these attacks as well as similar attacks against activists in Pakistan. Pakistani activists shared with Amnesty International the suspicious emails and private messages they have received in the past two years.
These emails and messages, at times extremely personalized and well crafted, included links or attachments that, when opened, would attempt to infect the victims’ computers or mobile devices with malware. In other cases, the link would connect to fake Google or Facebook login pages designed to steal the passwords of the targets.
These emails and messages are tailored to the activists’ professional interests in order to appear credible as well as to lure targets to engage with the attackers. The messages included links or attachments that, when opened, would either attempt to infect their devices with malware, or direct them to fake Google or Facebook login pages designed to steal their passwords. Through the emails and messages received by activists and subsequently shared with Amnesty International, we have been able to undertake a thorough investigation involving comprehensive technical research, which exposed a sustained and sophisticated campaign of digital targeting of human rights defenders that often coincided with particular events.
Amnesty International’s use of digital forensic techniques and malware analysis enabled us to track the infrastructure through which attackers delivered their malicious code.
This report outlines Amnesty International’s findings on the digital threats and attacks faced by human rights defenders and civil society in Pakistan. During this research, Amnesty International has uncovered extensive networks of fake social media profiles used to infiltrate civil society networks and befriend human rights defenders for the purpose of gaining social capital within activist communities and ultimately convincing specific targets to download malicious surveillance technologies and malware.
Evidence of these threats and attacks is deeply concerning in the already perilous situation for civil society in Pakistan – a country where activists working on a myriad of issues are harassed, attacked and even subjected to enforced disappearance on a regular basis.
This report highlights four different, though interconnected, kinds of digital threats and attacks against human rights defenders in Pakistan.
A network of fake social media profiles, which use social engineering to access human rights defenders and deliver malicious surveillance technologies to them;
Targeted phishing attacks attempting to steal Google and Facebook credentials in order to gain access to the human rights defenders’ personal and professional information;
Attacks using malware commonly known as Crimson, software that Amnesty International believes is custom-built for the attacker. If implanted successfully on a target’s computer, Crimson constitutes a significant threat to human rights defenders, as they can be subjected to extensive and long-term digital surveillance;
Lastly, Amnesty International has uncovered a custom-built Android spyware known as StealthAgent. StealthAgent – which has connections to the commercial off-the-shelf spyware known as TheOneSpy – can intercept phone calls and messages, steal pictures, and track victims’ locations once installed on a victim’s Android phone.
Crimson is believed to be a custom malware developed and operated by a single group. Existing literature from the private sector refers to this particular attacker variously as ProjectM, Operation Transparent Tribe, or Operation C-Major.