Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
John Scott-Railton Profile picture
@jsrailton
Jul 18, 2022 15 tweets 16 min read Read on X
Scrolly
🚨MAJOR INVESTIGATION: uncovering #GeckoSpy.

An espionage operation using #Pegasus spyware against #Thailand's pro-democracy movement.

THREAD on our findings 1/

Our @citizenlab collaborators: @iLawFX & @DigitalReachSEA w/validation by @AmnestyTech
citizenlab.ca/2022/07/geckos… Key Findings We discovered an extensive espionage campaign t
2/ In 2020, #Thailand's government triggered pro-democracy protests by disbanding a popular opposition party.

Protests continued into 2021, and were met with repression & violence.

Key figures were harassed, arrested & jailed.

Now, we know many were hacked, too.
3/ The #GeckoSpy investigation began in Nov 2021... when @Apple notified users likely targeted w/#NSOGroup’s FORCEDENTRY exploit.

Multiple activists in #Thailand received them.

Some got in touch with us @citizenlab & our collaborators including @iLawFX & @DigitalReachSEA
4/ Once notification recipients got in touch, forensic artifacts were consensually collected & analyzed.

The investigation then expanded to associates & other likely #Pegasus targets.

I cannot overstate the importance of @apple's notifications in focusing the initial process.
4/ The #Pegasus hacking came in waves. Some pauses were probably dictated by things outside #Thailand.

Like the #PegasusProject publication, our disclosure of #ForcedEntry & @Apple's patch... and those notifications.

Other sequences of infection have a contextual explanation...
5/ In many cases, #Pegasus infections in #Thailand matched protest & political activities.

Our collaborators @iLawFX & @DigitalReachSEA have a detailed report, including a table juxtaposing infections & protest events.

REPORT: freedom.ilaw.or.th/en/report-para…
6/ Some #Pegasus victims are well known. Like Panusaya Sithijirawattanakul.

She once wore a crop top w/“I have only one father”
written on her skin. Went w/friends the mall for ice cream.

Thai authorities interpreted this as mocking the king, & charged her with lèse-majesté.
7/ High profile activists weren't the only category of #Pegasus victims.

Famous actress @charoenpura & rapper @DechathornHK were also infected.

Both were visible supporters of the pro-democracy movement.
8/ Also infected? Individuals with little public profile, but who played an important support role in protests, or fundraising.

A picture emerges: a #Pegasus operator seeking detailed information about the protest movement... in some cases guided by non public information.
9/ Who is behind the hacking? We @citizenlab aren't making a conclusive attribution.

But it's worth nothing that we've seen #Pegasus operators with a #Thailand nexus since 2014.

And there's a lot of circumstantial evidence...
10/ When you read the @iLawFX & @DigitalReachSEA report, it's clear: the entity responsible for the hacking has a detailed & obsessive focus on voices calling for democracy and reform of the monarchy in #Thailand.
11/ My @citizenlab colleague @billmarczak explains that the #Pegasus hacking in #Thailand relied on zero-click vulnerabilities👇

Translation: *nothing* regular phone users could have done to protect themselves.
12/ This investigation only happened because victims came forward & participated.

#Pegasus can make people feel powerless about digital security, yet they acted to reclaim some agency & are now helping to shed light on the secret mechanics of repression.

It's deeply inspiring.
13/ Special thanks to the team at @AmnestyTech, which independently analyzed a sample of indicators in this case & confirmed Pegasus infections using their distinct tools and methods.
14/ This investigation was a team production, ranging from the incredible work done by our collaborators @iLawFX and @DigitalReachSEA, civil society groups that prefer to remain unnamed, and the @citizenlab team including👇

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with John Scott-Railton

John Scott-Railton Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @jsrailton

John Scott-Railton Profile picture
Oct 18
BREAKING: Musk-backed PAC is micro-targeting muslim areas with ads saying Harris stands with Israel... and targeting jewish areas saying the opposite.

Writing is on the wall: Musk willing to further divide America if he thinks it will help his candidate win.

By @jason_koebler
404media.co/this-is-exactl…Image
Review the @google ads data yourself.

A "PRO-ISRAEL TEAM WE CAN TRUST" designed to look like a #HarrisWalz campaign ad is micro-targeted to areas with a high muslim population around Dearborn, Michigan.

Meanwhile, same Musk-backed PAC has a "WHY PANDER TO PALESTINE?" ad micro-targeted to areas in Pennsylvania.

The ads are getting millions of impressions.

adstransparency.google.com/advertiser/AR0…Image
Image
Image
Image
Voters around Dearborn, #Michigan are shown an ad saying that Harris "STOOD UP TO PROTESTERS" and "FOUGHT RISING ANTISEMITISM"

Meanwhile, specific areas in #Pennsylvania get an ad with the line "WHY SYMPATHIZE WITH ANTISEMITIC PROTESTERS"

The Musk-backed PAC's ads are here: adstransparency.google.com/advertiser/AR0…Image
Image
Image
Image
Read 7 tweets
John Scott-Railton Profile picture
Oct 16
NEW: sprawling AI bot army found attacking #HarrisWalz & dems, supporting Trump and GOP.

Researchers at @ClemsonUniv spotted & mapped the network.

It wasn't hard for them to conclude that an LLM was being used: they found tweets that leaked the prompts.

Which also helps makes the partisan objectives of the campaign crystal clear...

READ: open.clemson.edu/cgi/viewconten…Image
Image
Image
Image
2/ Beyond targeting the national election, specific Senate & House races were also a focus of efforts. As were specific figures like @SenatorBaldwin, who was apparently a perennial target. Image
Image
Image
3/ @DarrenLinvill is absolutely right here.

This campaign exposed by the @ClemsonHub team still gives off early-day vibes.

It is only going to get more sophisticated from here.

He was speaking to @kevincollier for this solid piece on the research: nbcnews.com/tech/internet/…Image
Read 6 tweets
John Scott-Railton Profile picture
Oct 5
CATASTROPHIC: Chinese hackers massively wiretapped 🇺🇸USA by compromising the interception portals mandated under US law.

Remember this the next time a government demands encryption backdoors.

By: @bysarahkrouse @dnvolz @aviswanatha @bobmcmillan h/t @RonDeibert

READ: wsj.com/tech/cybersecu…Image
Image
Image
Image
Manufacturers of networking and phone gear must follow specific standards for 'lawful interception' in different jurisdictions (e.g. CALEA & ETSI's standards)

But as we learn time & time again, the scope of potential access & harm almost never matched by efforts to detect & block malicious use.Image
There's constant pressure from governments to bake-in systems for access.

Failure to comply with those demands is met with big sanctions. Just look at Durov.

Yet I predict that there will be zero meaningful accountability over this breach.

Read 10 tweets
John Scott-Railton Profile picture
Oct 3
BREAKING: @Microsoft & @TheJusticeDept take simultaneous action against 🇷🇺Russian FSB-backed hacking group.

#StarBlizzard/ #ColdRiver has been targeting a wide swath of US officials & civil society.

Sweet moment because civil society played a key role in the lawsuit. Thanks to @NonprofitISAC & our partner @accessnow, voices of victims from our collaborative investigation into the spear phishing operation were included. 1/Image
Image
Image
Image
2/ Back in August we @citizenlab alongside our partners
@accessnow w/@DeptFirst, Arjuna Team & RESIDENT.ngo published a collaborative investigation into Russian gov-backed phishing.👇

The clever attacks were causing harm around the world.
x.com/jsrailton/stat…
3/ The Russian spear phishing that we tracked used techniques honed from years of targeting civil society.

& years of adapting to technical countermeasures.

And it persisted targeting civil society & journalists, despite recent naming & shaming.

Read 7 tweets
John Scott-Railton Profile picture
Sep 16
NEW: fresh 🇺🇸US sanctions dropping on mercenary spyware industry.

Biden administration just fired a 2nd salvo against the #Intellexa consortium, which sells #Predator spyware.

The spyware is linked to human rights abuses around the globe & was used to target US officials. 1/

home.treasury.gov/news/press-rel…Image
Image
Image
Image
2/ Back in March, US first used ‘big gun’ @USTreasury sanctions against #Intellexa.

It was precedent-setting & sent a chill through the spyware industry.

Today’s sanctions against yet-more Intellexa people read as the US saying "can you hear me yet?"
3/ Quick review of some ways that the Biden Harris administration has been tackling the problem of mercenary spyware proliferation:

Targeted Actions against bad companies:
Big headache
✅@CommerceGov Entity Listing
(Now US companies can't sell you products)

Migraine
✅ @StateDept Visa Bans
(You aren't coming to the US)

Cluster Headache
✅@USTreasury Dept Sanctions
(Your assets are blocked, good luck banking anywhere)

Executive Actions
✅ The 2023 Executive Order
(The big US market is closed to spyware companies enabling human rights abuse & natsec harms)

Diplomatic Efforts
✅ 2023 Joint State on Commercial Spyware
(Wide set of norms on stopping misuse, consequences for bad companies & transparency + oversight)
✅ Participation in other countries efforts (e.g. UK/FR-led Pall Mall Process)Image
Image
Image
Image
Read 6 tweets
John Scott-Railton Profile picture
Sep 1
If you collect it, they will come.

Investigators will eventually identify any consumer product that persistently records people's activities.

One day, they'll show up, requesting access.

If the data is consistently helpful, they'll stop asking & start demanding.

Once this happens enough the company will probably create a law enforcement portal to simplify access & save customers the trouble...🧵Image
2/ So many companies build consumer products with inherent pervasive surveillance collection without planning for the inevitable moment when demands begin coming in.

If you collect it, the demands will always come.

When you don't anticipate this moment in how you balance your design decisions, you expose yourself & your consumers to a lot of pressure. And introduce society to new kinds of surveillance.

It's an ethical conundrum in societies with a rule of law and judicial oversight.

And it is entirely more ominous when your product reaches countries that have none of that.
3/ Transparency: reworked the thread since folks flagged that I'm not the only person that likes "if you collect it, they will come" to describe risks from data collection:

Some spots it shows up in, there are surely more I couldn't find with a quick search:

- ISC2 contributor mgorman discussing risks from Google's Sensorvault

-Whitney Merrill(@wbm312) discussing risks from COVID data collection👇

-The Irreal Blog, in an interesting post about search warrants

-Me, quoted in "Cybersecurity and Humanitarian Organizations - On a Collision Course?" (Amaral & Verity, 2018).


community.isc2.org/t5/Tech-Talk/I…
irreal.org/blog/?p=10054
reliefweb.int/report/world/c…
Image
Image
Image
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(