State Actors Are Increasingly Targeting Journalists With Surveillance Malware

Columbia Journalism Review is reporting it has witnessed more malware attacks targeting journalists. An article by Financial Times cyber security head Ahana Datta details attempts to compromise a Middle East correspondent's phone via WhatsApp.

The correspondent, who I will not name for reasons that will soon become clear, mentioned that in recent weeks they had been receiving mysterious WhatsApp calls. The numbers were unrecognized. Afterward, their phone battery had drained quickly. And they were sometimes unable to end other calls, because the screen seemed to freeze.

They had been working on an investigation into surveillance on journalists and human rights activists in a particular Middle Eastern nation, and had been in contact with sources the government was hostile to. We decided the reporter was safer with a separate device for this story.

This unnamed reporter wasn't the only one targeted. Datta asked other journalists if they'd experienced similar issues. Four reporters also had noticed unusual performance issues and reported they had received fake SMS authentication codes for secure messaging apps -- codes that were sent unprompted. A few had been duped into downloading unknown software. Others reported their phones behaving strangely after their devices had been in the hands of others, like personnel at border checkpoints.

Touring other Financial Times branches, Datta found more of the same, even if the deployment methods varied a bit.

In parts of Eastern Europe, the flavor seems to be plausible deniability: threats commonly manifest in the form of creative phishing attacks, such as imposters trying to connect on LinkedIn or impersonating emails from known contacts.

[...]

In Asia, journalists are more often targeted by people on the ground. State agents often inexplicably show up where correspondents and their sources are scheduled to meet. Some countries have a centralized database of residents' IDs, including facial recognition, so the federal police and regional police are largely in sync. In some areas, messaging apps can be disabled based on where you're located.

In one Asian office, state officials called to question wording in articles that had yet to be published, indicating journalists' devices had been compromised by state actors.

Unfortunately, this isn't news in the normal sense of the word. It's mainly just the continuation of distressing developments around the world. Governments are increasingly targeting journalists, especially those they might want to deter from publishing unflattering reports about government activities. Equally as unfortunate is these tools are being sold to them by a number of companies that insist they're in the national security/law enforcement business but are more than willing to sell malware to countries known for their stifling of dissent, targeting of journalists, and long histories of human rights violations.

Israeli tech company NSO Group is one of the worst offenders. It has sold malware and spyware to blacklisted countries and seems unconcerned that it's providing nearby enemies with the tools to target the residents of its home country.

Making matters worse are law enforcement agencies in countries where human rights are considered to be respected. Many have already expressed their displeasure that Facebook is adding end-to-end encryption to Messenger. But they're also upset Facebook is warning WhatsApp users when it detects abnormal activity that could indicate they've been targeted by state actors or malicious hackers. These agencies would apparently rather see journalists and activists harmed than watch a single suspected criminal avoid being compromised by law enforcement-deployed malware.

So, what can journalists do to protect themselves? Datta suggests the same things that have worked for years. Use encrypted communications methods. Turn on two-factor authentication. Encrypt devices and their content. Toss devices in a Faraday bag if traveling in high-risk locations.

Most importantly, though, is that journalists never give up. If a state-sponsored hacker wants to compromise a device, there's a good chance it will eventually be compromised. But that's no reason for journalists to sit back and allow it to happen. Why make it easy on them? Be a frustrating target -- one that makes it as difficult as possible for those seeking to do harm to journalists and their sources.