
The Hackers Targeting Dissidents Throughout Latin America May Be State Sponsored

An investigation by the University of Toronto's Citizen Lab found the shadowy ring operating in Ecuador, Venezuela, Argentina and Brazil, with researchers saying the evidence suggests it is state sponsored.
December 17, 2015, 4:15pm
Photo by Juan Ignacio Roncoroni/EPA

Popular Ecuadoran satirist Gabriel González — who is better known by his pseudonym Crudo Ecuador or Raw Ecuador — quickly realized there was something suspicious about the emails he began receiving earlier this year.

"There were emails about interviews I didn't know about and also notifications from Gmail that looked like they had got into my account," he told VICE News. "I felt my privacy was violated."


But the questionable emails were no ordinary hacking.

On the recommendation of another journalist, Crudo sent the emails to the University of Toronto's Citizen Lab at the Munk School of Global Affairs. The Lab found that many came from a cyber-espionage ring that was operating not just in Ecuador, but in Venezuela, Brazil, and Argentina as well, with researchers suspecting that it may be sponsored by one or more governments.


After months investigating the ring across South America, the Citizen Lab released an extensive report on its research earlier this month.

The investigation uncovered how activists, journalists, and political figures in several countries have been targeted with similar methods for the last seven years. The ring sent out malware and stole passwords through phishing. It also created and maintained websites and social media accounts for questionable news organizations and fake opposition groups that may have been designed to attract critics who could then be spied on.


The researchers at Citizen Lab labelled the secretive organization Packrat.

Researchers at the lab believe that the complexity of Packrat's targeting, and its many fake organizations, make it very difficult to draw simple conclusions about its motivations. But, they say, state sponsorship is the main hypothesis they have so far.


"The evidence suggested to us that the end recipient of the information Packrat collects is likely a government. However, guesses about the mechanics of any such relationship would be pure speculation," said senior researcher John Scott-Railton.

Scott-Railton said that — alongside the type of targets — the hypothesis is backed by the level of resources at the ring's disposal, its willingness to make threats, and its apparent lack of concern about being tracked down.

"Packrat didn't turn off some of their infrastructure after being exposed," he said. "Speculatively, if they were afraid of the government where they were operating, it would be strange for them to keep using the same infrastructure, since it could be used to lead back to them."

The Citizen Lab's investigators began to grasp the depth of Packrat's interest in high-profile critics of Latin American governments when they realized that malware found in Ecuador matched the malware used in an unsuccessful cyber attack on the late Argentine prosecutor Alberto Nisman.

Nisman was the chief investigator in the worst terrorist attack in Argentina's history: the 1994 car bombing of a Jewish Center in Buenos Aires that killed 85 people. He was found shot in his home in January 2015 — prompting widespread protests (pictured above) — days after accusing then President Cristina Fernández de Kirchner, foreign minister Héctor Timerman and congressman Andrés Larroque of seeking to cover up the involvement of Iranians in the bombing in a secret deal with Iran's government. In an interview with VICE News two days before his death, he said "the evidence is strong."

Morgan Marquis-Boire, a senior researcher at Citizen Lab, analyzed a sample that someone close to the investigation had confirmed was found on Nisman's phone. He discovered that it contained AlienSpy spyware and released those findings at Black Hat, an important cyber security conference.

"Some (Argentine) politicians tried to suggest that this was just common spam, so I kept digging, and I found related malware with political tones and additional attacker infrastructure suggesting that Nisman's targeting was part of a broader campaign," Marquis-Boire told VICE News.


The Lab also found that other important figures, including prominent Argentine journalist Jorge Lanata, received the exact same virus as Nisman. They also began noticing common infrastructure links with the malware and suspicious sites in Ecuador and Venezuela.

With the investigation in full flow in late September, an unnamed member of the Lab's Packrat research team was analyzing a computer infected with malware when a series of pop-ups flashed across the screen in Spanish.

"You keep analyzing processes. We are going to analyze your brain with a bullet," one said.

"You like playing the spy where you shouldn't, you know it has a cost, your life!" said another.

"Nobody enjoys getting threats," said senior researcher Scott-Railton, speaking on behalf of the organization. "That said, if they didn't have our full attention before, they added a renewed sense of purpose to the research."

Citizen Lab discovered most of the Packrat schemes in Ecuador.

"It is a total abuse of power against a common citizen," Crudo, the satirist, said of the attacks on him that took place at a time when he was being stalked and harassed by the government in what looked like a response to discomfort triggered by his critical memes.

Along with Crudo, several other opposition figures and independent journalists in Ecuador were also targeted with phishing schemes and malware. Furthermore, a website titled, geared towards attracting disgruntled Ecuadorian police officers, was also linked through hosting services to the Packrat operations. The website now leads to a page that says "this account has been suspended".


But researchers insist that there is not enough evidence to make claims about the responsibility of any particular country.


The network of servers and domains used by Packrat was traced as far back as 2008 in Brazil. In Venezuela there is a Packrat-linked news website that is still active. Titled it continually updates with questionably sourced news stories on corruption among the country's socialist regime.

This Citizen Lab report caused quite a stir in the cyber-security and hacking communities, though some experts appeared wary of the hypothesis of state sponsorship.

"Like all hypotheses or conspiracy theories, the facts can be used to try to confirm things that interest whoever is giving their opinion," said Francisco Amanto, CEO of the cyber-security firm Infobyte LLC that organizes Ekoparty, the largest security conference in Latin America. "I believe we need to know more about the national context of each country."

Stuart McClure, president of the US cyber-security firm Cylance, was similarly reluctant to point the finger at governments, though he did stress that the question of who was behind the ring was far more interesting than the methods used. "Packrat is not unique in its capabilities, but rather in its motivations and targets," he said.


Follow Nathaniel Janowitz on Twitter: @ngjanowitz