Before the talk on Wednesday, very few details had come out about the malware used against Nisman. A local news report from early June, for example, only mentioned that forensic experts confirmed the presence of a "trojan virus" on Nisman's phone.
Two weeks later, however, a small Argentinian newspaper called El Tiempo mentioned the full name of the file that was used to infect Nisman's Android cellphone, a Motorola xt626, in an article about the investigation into Nisman's death.
That name, "estrictamente secreto y confidencial.pdf.jar" [strictly secret and confidential.pdf.jar], was enough to provide Marquis-Boire with a lead. He searched for it on VirusTotal, an online repository where anyone can upload files to see if they're detected as malicious by different antivirus engines, and found it.
Someone had been spying on his cellphone for six weeks, using surveillance software.
As an example of that, Marquis-Boire mentioned Regin, a sophisticated espionage toolkit linked to the NSA and GCHQ that was revealed only last November, when antivirus companies learned that Marquis-Boire was going to reveal its existence. But in fact, antivirus companies had known about it for years (and still refuse to clearly say who was behind it). Marquis-Boire jokingly referred to Regin as "the worst-kept secret" in the industry.
Perhaps there was a reason nobody wanted to talk about it.
"We didn't want to interfere with NSA/GCHQ operations," Ronald Prins, the head of the security company that investigated the cyberattack led by the NSA and GCHQ against the Belgian telecom giant Belgacom, using Regin, told me when the malware was revealed.
Sometimes the industry also seems to forget about the victims of cyberattacks and espionage campaigns. As a report from the digital watchdog group Citizen Lab concluded last year, some, especially if they are human rights workers, become the forgotten victims of cyberwar.
"Our industry actually forgets about Cecil," Marquis-Boire said, referring to the well-known lion that was recently killed. "We're more interested in the gun that shot Cecil, how sophisticated the bullet that killed Cecil was."
During his talk, Marquis-Boire referred to a few examples from his past investigations, where government hacking activities had real-world consequences.
He referred, among others, to Ahmed Mansoor, a pro-democracy activist in the United Arab Emirates who was beaten and imprisoned after being spied on using malware sold by the controversial Italian surveillance vendor Hacking Team. In that case, the "who did it" was easy to figure out: the malware used against Mansoor communicated directly with the office of the Sheikh of Abu Dhabi.
In the case of Nisman, we might never know.
But his case provides a painful reminder that cyberespionage tools are routinely being used not only against criminals or terrorists, but also against people that governments around the world might otherwise want to silence.
Top photo: In this March 18, 2015 file photo, a demonstrator holds a sign that reads in Spanish "I am Nisman" during an act to demand justice following the death of special prosecutor Alberto Nisman, outside court in Buenos Aires, Argentina.
Even when you have the digital smoking gun, it's hard to know who held it, and who fired the shot.