
‘An Espionage Operation Unfolding in Real Time’

How one Toronto lab got involved in uncovering hacking attempts on human rights defenders in the Middle East.

Ronald Deibert, 12 Jun 2025, The Tyee

Ronald J. Deibert is the founder and director of the Citizen Lab, a world-renowned digital security research centre at the University of Toronto.

[Editor’s note: ‘Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy,’ out now from Simon & Schuster, tells the story of how Toronto-based Citizen Lab shines a light on cyber espionage committed by governments against their own citizens — facilitated by secretive software developed by companies based in liberal western democracies. In this excerpt, author and director of Citizen Lab Ronald Deibert describes how the lab began to turn its focus towards investigating spying in the Middle East.]

Citizen Lab senior researcher Bill Marczak was about to fall asleep when he checked his phone one last time. As soon as he saw the message, he knew it was significant. Ahmed Mansoor, an outspoken human rights defender in the United Arab Emirates, had just received an unsolicited text message on his iPhone. The message contained a link purporting to show evidence of torture in Emirati prisons, something Mansoor might be tempted to explore further. And that was precisely what it was designed to do.

Mansoor was a member of the infamous UAE Five, a group of outspoken critics of the Emirati regime who had been imprisoned for insults to the royal family — their “insults” being mere calls for greater accountability. As a human rights defender in a state with many sophisticated tools of repression, he had been a target of phishing attacks many times before. He was always vigilant, cautious about anything that came over the internet or the cellular network. When the notification arrived on the morning of Aug. 10, 2016, Mansoor’s instincts immediately kicked in. Instead of clicking on the link, he forwarded it to Marczak.

[Image: book cover and author photo] Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy by Ronald Deibert is out now from Simon & Schuster.

Citizen Lab’s research brings us into regular contact with dissidents, journalists, activists and others worldwide who are targets of real-time espionage. These interactions can be exhilarating, with an adrenalin rush that comes from an unexpected hot tip. Sometimes it feels like defusing a bomb before the timer runs out. Hunting down powerful, self-entitled, despotic bullies is invigorating and even addictive. These are the moments when the team is most energized, dropping everything and entering overdrive mode.

Marczak knew anything coming from Mansoor was likely a strong lead. He was a target who got harassed and hacked so often that he served as a feeder for the latest spyware samples.

This new development was no exception: a shortened link to a website domain contained in that text message immediately caught Marczak’s eye. It was like a calling card for what, up until that moment, had been a mysterious, highly secretive, mercenary spyware firm. NSO Group was truly a “ghost,” as its founders then bragged, its spyware advertised as being “untraceable.”

A few hours later, with Marczak now hunched over his laptop in the middle of the night, Mansoor received a second message from the same group of attackers, and he promptly forwarded it along too. It had the same shortened link.

Once again we found ourselves in the midst of an espionage operation unfolding in real time.

Like many victims of cyber espionage, Mansoor knew he was being watched and understood the enormous risk of communicating with a group like ours. The safe thing would have been to delete the messages and carry on, but he chose to fight back, and his courage paid off. His decision had a profound impact on the practical security of billions of people worldwide. His actions would alter his world, our world and the world of mercenary spyware forever.

The influence of the Arab Spring

The Arab Spring reshaped the geopolitical landscape of the Middle East and Gulf region, and it also reshaped the Citizen Lab. Before 2011, our cyber-espionage research was mostly focused on China, thanks primarily to our trusted relationships with exiled Tibetans who were the frequent targets of that country’s voluminous spying operations and China’s notoriously sloppy handiwork. Although we continued to track China-based espionage for years to come, after the Arab Spring we pivoted to examine offensive operations in other parts of the world and to zero in on the opaque commercial market for surveillance technology — a much more challenging prey.

In part, this shift was due to changes in personnel among the Citizen Lab’s researchers. Some key contributors to our research during the Lab’s first decade moved on, and a new group arrived. Marczak and John Scott-Railton brought with them special experiences in the Middle East and Gulf region. Marczak, who was pursuing a graduate degree in computer science at the University of California, Berkeley, had spent part of his youth in Bahrain and aligned himself with pro-democracy activists after leaving the country. He was looking for a way to put his computer science and engineering skills to use on political issues he cared about, and he had heard reports in the activist community of strange things happening on computers, of eavesdropping and spying.

For his part, Scott-Railton was pursuing graduate studies in a discipline unrelated to digital rights and security issues, with fieldwork in West Africa, when the Arab Spring broke out. Always resourceful and driven by a powerful commitment to justice and rights, he organized one of the most widely used and publicized means of getting messages out in spite of internet blackouts throughout the Middle East: the #Jan25 and #Feb17 Voices projects. Situated squarely at the fulcrum of civil society, activist and journalist networks, he was well positioned to field reports about targeted espionage attacks. Before long, Marczak and Scott-Railton found each other, and reached out to me and the Citizen Lab.

The team was rounded out by several other dedicated researchers with a variety of complementary skills: Masashi Crete-Nishihata, a methodological polymath who developed a bond with victim groups and NGOs, especially the perennially targeted Tibetans; Jakub Dalek, whose previous training in system administration made him an expert in navigating the deep recesses of the internet’s plumbing; Irene Poetranto, an Indonesian by background and an expert in Southeast Asian culture and politics, who helped manage a growing team of collaborators based in the Global South; Adam Senft, a meticulous researcher and operations manager — the “chief mate” of the Citizen Lab ship; Jeffrey Knockel, a brilliant computer scientist who earned his PhD studying censorship and surveillance on popular China-based apps; Sarah McKune and then later Siena Anstis, both exceptionally well-trained lawyers with a passion for ethics and an intolerance for corruption and despotism of any kind; Christopher Parsons, a policy analyst with an encyclopedic understanding of signals intelligence and telecommunications networks; and Bahr Abdul Razzak and Noura Aljizawi, Syrians by birth who fled the country for their safety in the midst of the civil war after experiencing detentions and torture. Others with their own special skills would soon follow.

A digital fire brigade was taking shape at Citizen Lab.

Little did pro-democracy activists know at the time, but by using cellphones and the internet to organize and mobilize, they were inadvertently creating conditions for their own undoing.

Simultaneously, rulers in that part of the world had actively been acquiring spy tools to counter potential threats to their regimes. Even before the eruption of the Arab Spring, tensions were escalating, prompting security services not only in the Middle East but also in other regions to eagerly seek advanced surveillance technology capable of monitoring protest organizers and potential dissenters.

“Best practices,” tradecraft and technology were quietly being shared, particularly among security agencies and police forces in closed-door regional security venues, with assistance from European and North American law enforcement and intelligence, all under the conveniently broad umbrella of “counter-terrorism.” To sweeten it all, everyone made oodles of money in the exchanges.

Waves of digital securitization started to sweep over Central Asia, South and Southeast Asia, the Middle East, the Gulf, Africa and Latin America, almost entirely outside public scrutiny and without legal restraints. A movement was slowly consolidating, using the inherent insecurities of the internet, cellphone networks and social media to track, disrupt and neutralize challenges to regime stability.

A significant breakthrough in shedding light on this industry occurred in March 2011, when Egyptian activists occupied Egypt’s state security offices and rifled through cabinets and files. Within the pilfered documents were what appeared to be proposals for work between Egypt’s intelligence agencies and a little-known Europe-based company called Gamma Group, the manufacturer of a spyware tool called FinFisher.

The documents showed product names for spy tools with an invoice adding up to €333,607, but it was unclear whether the contracts were finalized and the equipment ever installed. (Gamma Group later denied it.)

What the Egyptian activists unearthed was the first concrete evidence of something that would dominate the sector for years: there is a market for sophisticated hacking tools developed by companies based in technologically advanced industrialized regions, and these companies have no qualms about pitching their gear to authoritarian regimes where there’s a high likelihood they’ll be used for repression.

Shortly afterward, WikiLeaks published a Gamma Group sales brochure and promotional video boasting about its technology that were distributed at trade shows where such wares are marketed. But the spyware itself remained elusive.

Finnish threat intelligence researcher Mikko Hyppönen said, “We know it exists, but we’ve never seen it,” even as Martin Muench, the German entrepreneur behind Gamma Group, was pitching his surveillance technology to potential government clients at closed-door military and intelligence trade fairs. The spyware itself appeared to be so closely guarded that it seemed unlikely that anyone outside the intelligence world would get their hands on it.

Before long, however, the mystery around Gamma Group’s spyware was punctured by a hot tip that came our way. Marczak, who had not yet formally joined the Citizen Lab, was alerted around this time to several suspicious emails received by Bahraini activists based in London, Washington, D.C., and Manama, the capital of Bahrain. After some preliminary analysis, he passed them on to Bloomberg News journalist Vernon Silver, who in turn shared them with Morgan Marquis-Boire, then a threat intelligence analyst at Google and later a Citizen Lab fellow for a few years.

Once Marczak and Marquis-Boire began sleuthing, they soon busted Gamma Group. Contained in the code of a computer infected with the malware were multiple references to “FinSpy” — a mobile variant of Gamma’s FinFisher product. Marczak followed the network traffic and discovered demonstration versions of the spyware that connected to two websites with “ff-demo” and “gamma-international” in the names of each one — an obvious lead.

The FinSpy/Bahrain report we published subsequently, in July 2012, was the first time anyone had been able to forensically dissect a live spyware attack and attribute it to a particular firm.

It had all the elements of what we’d be consumed with over the next decade: an authoritarian regime misusing a lawful intercept tool to target democratic activists both at home and abroad; a window into a highly invasive exploit that is designed to surreptitiously commandeer a target’s device and scoop up all the private information, read emails, intercept text messages, turn on the camera and capture audio from the device’s microphone; a glimpse into an unaccountable sector featuring irresponsible entrepreneurs who enrich themselves by empowering autocrats and dictators to carry out their dirty deeds.


Excerpted from ‘Chasing Shadows: Cyber Espionage, Subversion, and the Global Fight for Democracy’ by Ronald J. Deibert. Copyright © 2025 Ronald J. Deibert. Published by Simon & Schuster Canada. Reproduced by arrangement with the publisher. All rights reserved.
