Case Studies

Iranian-backed hacking group, Charming Kitten, targets journalists via WhatsApp messages

Read the following case study and discuss the questions listed below:

Hackers linked to the Iranian government targeted journalists and others working on issues related to the Middle East, with a sophisticated and ongoing social engineering campaign using WhatsApp messages.

Those targeted received a message via WhatsApp claiming to be from a think-tank based in Lebanon inviting them to attend a conference. The message was designed in the style of previous messages sent from this think tank and used the identity of a former employee.

The message contained a link which, once clicked, directed them to a login page that looked like the login page for an email account. In the case of one US-based journalist, hackers gained access to the journalist’s email after they filled out their email details on the fake page.

Attackers gained access to targets’ email, cloud storage drives, calendars, and contacts. On one account, hackers also performed a Google Takeout, an action that involves exporting all details of the account’s activity, including web searches and location data.

Those who had been targeted did not realize that their accounts had been compromised as Google does not display security warnings in the user’s inbox or send push notifications to the email app.

Source: Human Rights Watch, 2022

Questions

Discuss the following questions

What steps would the attacker have taken to obtain information on the people they were targeting?

What steps could the journalist take to verify the identity of the sender?

How could the journalist access information on the conference without clicking on the link?

What other steps could the journalist have taken to protect themselves?

Further discussion

Have you seen this type of targeted phishing attack before?

What other governments use sophisticated phishing attacks? Is this something that you have seen in your own country?

For the trainer

This case study is designed to get participants talking about mobile phone security. It can be used to consolidate knowledge learned during the module.

Talking points to consider include:

  • Planning for and mitigating risk around phone security
  • Managing content on devices
  • Preparing phones before attending government events
  • Using a different phone to attend events where your device is likely to be confiscated

Trainers looking to learn more about the case can read about it in this report by Human Rights Watch and on the US technology site TechCrunch.


Reporter’s phone confiscated on Pentagon trip to Europe

Read the following case study and discuss the questions below.

A new and previously unknown U.S. government policy led to a reporter’s phone being confiscated while on a flight with the U.S. Department of Defense. The new law prohibited the use of electronic devices by non-U.S. citizens travelling with government officials who had “top secret” security clearance.

Idrees Ali, an accredited Reuters foreign correspondent, was not allowed to use any electronic devices, including his laptop and phone, after boarding a plane to Oslo, Norway, on May 22, because he is not a U.S. citizen.

The journalist, who had covered the Pentagon since 2015, had travelled with government officials in the past to secure locations, including to Iraq and Afghanistan.

Ali later tweeted about the event and shared a photo, taken by a colleague and U.S. citizen, of his phone being placed in a pouch by government officials.

His phone was returned to him by officials upon the plane’s arrival in Oslo.

After outcry from the media and press freedom organisations, the U.S. Air Force rescinded its policy.

Source: U.S Press Freedom Tracker, 2022

Questions

Discuss the following questions

Are you surprised by what happened? Do you know of any similar cases?

What would you have done in this situation?

What security issues would the journalist now face as a result of his phone being taken? Think about what content could be on the phone and the fact that his device was removed from his sight.

What could the journalist have done before the trip in order to better protect his phone? What steps should he have taken to protect his phone and data once it was returned to him?

Does the fact that the policy has been rescinded mean it is now safe to carry electronic devices on flights with U.S. government officials? Why? Why not?

What steps, if any, do you normally take to protect your devices before attending government events?

What steps will you take in the future to ensure that your devices and the content on them are safer?

For the trainer

This case study is designed to get participants talking about mobile phone security. It can be used to consolidate knowledge learned during the module.

Talking points to consider include:

  • Planning for and mitigating risk around phone security
  • Managing content on devices
  • Preparing phones before attending government events
  • Using a different phone to attend events where your device is likely to be confiscated

Trainers looking to learn more about the case can read about it on the U.S Press Freedom Tracker and in the US news site Politico.


Activists put at risk after documentary film maker’s devices seized by Syrian security agents

Read the following case study and discuss the questions below.

Documentary filmmaker Sean McAllister was detained for five days by Syrian security officers in Syria while shooting a documentary for the UK broadcaster Channel 4 in 2012. While in detention, he was interrogated and his phone, laptop, camera and footage were confiscated and not returned, putting at risk the activists he had been in contact with for his film.

McAllister, an experienced journalist who had previously made award-winning documentaries in Yemen and Iraq, had entered the country undercover at a time when the Syrian government had clamped down on visits from foreign journalists.

Prior to his detention, McAllister had been in touch with a 25-year-old Syrian dissident and computer expert, named Kardokh, who had agreed to help put him in touch with other activists. “Any journalist who was making the effort to show the world what was happening, that was a very important thing to us,” he told the Columbia Journalism Review.

He agreed to be interviewed on camera showing his face as long as McAllister blurred out his face before publishing. However, he soon became concerned about the lack of digital safety practices carried out by the journalist. He stated that he felt McAllister didn’t understand how aggressive the regime’s surveillance practices were. And while he and other activists took great steps to mask their identities using encryption, the activist saw that McAllister was not. “I started to feel that Sean was careless,” he said. He urged McAllister to take more care with his communications and to encrypt his footage. “He was using his mobile and SMS without taking any precautions,” he said.

After McAllister was arrested, the Syrian activist community panicked. Kardokh immediately turned off his phone and fled, eventually arriving in Lebanon. Others who had spoken to McAllister also left the country and several of those who didn’t were arrested. “I was happy I didn’t put him in contact with more people,” Kardokh stated.

Rami Jarah, a Syrian activist now based in Cairo, told the Columbia Journalism Review how he tried to help another well-known activist, Omar al-Baroudi, leave the country. “He was terrified,” Jarah said. “His face was in those videos. He said that his number was on Sean’s phone.” The next day Baroudi disappeared and he has not been seen since.

Officials for Channel 4 told the Columbia Journalism Review that since McAllister’s arrest they have taken steps to help his sources.

Source: Columbia Journalism Review, 2012

Questions

Discuss the following questions

What are your thoughts on this case study? Please discuss.

What could the journalist have done before entering the country to ensure he was digitally more secure?

What steps could he have taken while in the country to ensure that his materials and sources were more secure?

This incident happened a number of years ago. Do you think journalists are using more secure practices nowadays? Why? Why not?

After reading this case study, can you think of any areas where you need to increase your digital safety knowledge?

For the trainer

This case study is designed to get participants talking about source security and materials. It can be used to consolidate knowledge learned during the module.

Talking points to consider include:

  • Preparing a risk assessment before travel
  • Understanding the digital security situation on the ground
  • The importance of preparing devices before travel
  • Steps for protecting the contact details of sources
  • Ways to protect materials, such as film footage, while on a reporting trip and the complications that can arise from that.
  • Working in areas with poor internet connectivity and electricity blackouts

Trainers looking to learn more about the case can read about it in the Columbia Journalism Review.


How a third-party SMS service was used to take over Signal accounts

Read the following case study and discuss the questions below.

In 2022, hackers broke into the systems of a company called Twilio. Twilio is a company that provides other companies and organisations on the internet with the technology to send text messages to their users. By hacking into the systems of Twilio, the attackers were able to read people’s text messages and, concerningly, had the ability to try to access people’s accounts if they had set up two-factor authentication using SMS.

One of the organisations impacted by the hack was the secure messaging app, Signal, with 1,900 users of the app being targeted. Signal uses SMS for its app in the following way: upon downloading Signal, a user is sent an SMS message with a code that is used to register the account. This meant that the hackers may have been able to register the user’s Signal account on their own devices by requesting and receiving the code, effectively being able to impersonate the user.

Out of the 1,900 accounts, the hackers were only interested in three, one of which belonged to a journalist working for Vice Motherboard, a cybersecurity-focused US news outlet. The hackers attempted to re-register his account on another device and took over his number for 13 hours.

The attackers were able to gain access to his account because the journalist had not enabled a security feature of Signal called Registration Lock. Once Registration Lock is set up it will ask you to set up a PIN number. This number will be required for all future registrations of an account on new devices.

Source: Vice Motherboard, 2022

Questions

Discuss the following questions

What are your thoughts on this case study? Please discuss.

Have you heard of any similar types of attacks against messaging apps?

What steps are you currently taking to protect your messaging apps?

After reading this case study, can you think of any areas where you need to increase your knowledge of using messaging apps securely?

For the trainer

This case study is designed to get participants talking about source security and materials. It can be used to consolidate knowledge learned during the module. Readers will need to be made familiar with what two-factor authentication is before starting the activity. Trainers looking for more information on account security can look at chapter two of this guide.

Talking points to consider include:

  • What two-factor authentication (2FA) is and how SMS is one form of 2FA.
  • The importance of staying up-to-date with the latest technology news. Encourage journalists to sign up to newsletters from the tech section of outlets in the region.
  • What steps can they take to increase their security when it comes to using messaging apps?

Trainers looking to learn more about the case can read about it in the article published by Vice Motherboard.


Kyrgyz journalists on the online ‘fake farms’ that threaten to kill them

Read the following case study and discuss the questions below.

Journalists and media outlets that are outwardly critical of Kyrgyzstan’s politicians, power holders and businessmen are experiencing increased online harassment and orchestrated attacks by what appears to be a domestic industry of trolls and fake social media accounts, run by governments and government supporters, according to a report by the Committee to Protect Journalists (CPJ).

Journalists are targeted by so-called fakes, social network accounts created under false names using stock or stolen photographs. These accounts routinely appear in the comments sections of critical and investigative publications to discredit and abuse journalists, including sending them death threats, and their associated media agencies.

Two main types of fake accounts exist, according to Bolot Temirov, who founded the journalistic project Temirov.Live: accounts created by people hired on a temporary basis, and those who are permanently “attached” to a politician and are ready to “immediately attack journalists for criticism or revelation of some facts,” he told CPJ.

A joint investigation by the Kyrgyz independent news outlet, Kloop, Radio Free Europe (RFE), and the Organised Crime and Corruption Reporting Project (OCCRP), was targeted this way after they published a report into a large-scale corruption scheme involving high-level customs officials. “Armies” of fakes started “aggressively commenting on anything published regarding that investigation,” according to Aleksandra Titova, a video-producer at Kloop. Many shared support for the person investigated and tried to discredit the journalists who published it – even the project’s illustrator – while some posted “threats of murder and violence,” she told CPJ.

In response to the attack, Kloop spent months investigating these fake accounts, tracing 800 of them, including a number that were harassing journalists, to five groups on the internet which they called “fake farms.”

Dealing with these fake accounts is complicated. Kloop spends time monitoring their social media accounts looking for fake accounts and contacting people whose photos have been stolen and are being used as the face of a fake account. “If I saw a profile that used, for example, a photo of a Mongolian model, I would find that model and say, ‘Your photo was stolen by a fake [profile] employed by corrupt Kyrgyz officials. Could you log in from your account and complain?’ This way we managed to block several accounts,” Kloop news editor Aidai Irgebayeva told CPJ. The response of targeted journalists to online harassment is mixed: some have reduced their online activity whilst others have learned to evaluate the risks and are continuing to do their work.

Source: the Committee to Protect Journalists, 2021

Questions

Discuss the following questions

How common are these types of attacks in your country?

What other attacks do you see and are they linked to the government or government supporters? If not, who is leading the attacks?

What threat do these types of attacks pose for democracy and press freedom?

What can the journalists do to better protect against these types of attacks?

How feasible would it be for you to monitor your news outlet’s social media account to identify fake accounts? Please detail why or why not.

For the trainer

This case study is designed to get participants talking about online abuse. It can be used to consolidate knowledge learned during the module.

Talking points to consider include:

  • How are these attacks being used to stifle freedom of expression?
  • What steps could journalists take to protect their personal data?
  • What steps could the media outlets take to limit the damage done by these accounts?
  • What other forms of attack could possibly happen? For example, account hacking and phishing.

Trainers looking to learn more about the case can read the article written by the Committee to Protect Journalists.