The 'Million Dollar Dissident' is a Magnet for Government Spyware
In 2011, Ahmed Mansoor, a dissident blogger and administrator of a popular democracy forum in the United Arab Emirates, was targeted by his own government with a sophisticated piece of spyware designed to siphon off all kinds of data from his computer.
When he received that email, he was part of a group of activists calling for democratic reforms in the autocratic country. That year, during a sweep of pro-democracy uprisings in the Middle East, Mansoor publicly called for a petition and for an election boycott, asking for universal, direct elections in the UAE, becoming a prominent figure among the country’s small pro-democracy movement.
Mansoor, 46, didn’t find out about this attack until 2014, when a malware hunter from San Francisco found the spyware while scanning Mansoor’s email. At the time, the hacking attack on Mansoor was probably one of the first times a government used spyware purchased from a contractor—in this case a British-German company called Gamma Group—to target a dissident and human rights activist, instead of suspected criminals or terrorists.
As Mansoor and the rest of the world would learn, it was just the first of many.
Just a year later, in 2012, Mansoor received another email containing another type of software designed to spy on him, this one made by the Italian company Hacking Team. This time, unfortunately, Mansoor clicked on the attachment in the email and got infected, giving hackers access to his email account.
On Aug. 10, 2016, Mansoor received a text message containing a link promising “secrets” concerning detainees in UAE prisons. There were no secrets though, it was actually a sophisticated phishing attempt using technology made by an Israeli company called NSO Group, marking the third hacking attempt on him that leveraged a spying tool created by a government contractor.
This time, Mansoor knew better.
“I’ve seen almost all kinds of spyware, all types of hacking techniques. [...] It’s very normal for me to doubt even the undoubtful,” Mansoor, who’s also a telecommunications engineer, told me. “I could tell that these were unusual SMSs. And I wouldn’t go and [click on] that.”
”It’s very normal for me to doubt even the undoubtful.”
Instead of clicking on the link sent to his iPhone 6, he ignored the message and sent it straight to Bill Marczak, the malware hunter and senior researcher from Citizen Lab, a digital rights watchdog at the University of Toronto's Munk School of Global Affairs.
On Thursday, just ten days after getting the warning, Apple released a critical security patch fixing the unknown flaws used by the government hackers against Mansoor, making this specific attack impossible to carry out again. In other words, Mansoor’s cautiousness and vigilance helped improve the security of countless iPhone users around the world.
“While updating your software,” Ronald Deibert, the director of Citizen Lab, said on Thursday in a statement. “You should pause for a moment to thank human rights activist, Ahmed Mansoor.”
Since 2011, Deibert’s team at the Citizen Lab has documented a long series of similar attacks on human rights workers, dissidents, journalists, and others who should not be targeted with these tools, which are marketed by the companies selling them as “lawful intercept” tools. The implication behind the euphemism there is: they are only supposed to be used for law enforcement and intelligence investigations against the bad guys.
But Mansoor, by all accounts, isn’t a criminal. He’s another forgotten, or at least overlooked, victim of the rise in the use of hacking tools by governments, especially those that don't respect human rights and civil liberties. Last year, he won the prestigious Martin Ennals Award for Human Rights Defenders, called by some as "the Nobel Prize for human rights." Mansoor couldn’t travel to Geneva, Switzerland, to receive the award, since his government has imposed a travel ban on him.
The travel ban might have been the lightest of Mansoor’s struggles. In 2011, after calling for direct democratic elections, Mansoor was imprisoned for eight months, convicted of “insulting officials.” Following international pressure from human rights advocacy groups, he was released with a presidential pardon that spared him from a full three-year prison sentence. He’s been targeted with sophisticated government hacking tools three times, and also been beaten and robbed by unknown assailants during his time campaigning for civil liberties in the UAE.
“Mansoor is a citizen of the United Arab Emirates, and because he’s a human rights activist in an autocratic country his government views him as a menace. For security researchers at the Citizen Lab, on the other hand, Mansoor’s unfortunate experiences are the gift that won’t stop giving,” Deibert said, highlighting Mansoor’s unique, and unenviable honor of being perhaps the only person on Earth whose gadgets got targeted with Hacking Team, FinFisher, and NSO’s spyware.
The latest spyware he got targeted with leveraged three unknown flaws, or zero-days, in the iPhone operating system, in an attempt to install a powerful and stealthy surveillance software made by NSO, which researchers defined as “one of the most sophisticated pieces of cyberespionage software we’ve ever seen.”
Researchers from the Citizen Lab and mobile security firm Lookout were able to discover the flaws after they opened the link they got from Mansoor and analyzed the malware on a guinea-pig iPhone under their control.
When I spoke to him on Wednesday, Mansoor had no doubts that this latest attack also came from the government of the UAE, but he was eerily calm and collected, almost as if he had become used to being on his government’s bullseye.
“I’m trying to be as careful as I can,” Mansoor told me. “But when you’re facing a country that is trying to spy on you and to enter your gadgets and so on, you’re facing an entity that has lots of financial resources and expertise.”
“Their end goal is to have the ability to spy on every individual voice and text conversation,” Mansoor added. “They are really obsessed with these things. They are totally possessed by the idea of control and they’re getting crazy—really outrageous—in their attempt to monitor individuals.”
”For security researchers [...] Mansoor’s unfortunate experiences are the gift that won’t stop giving.”
Just a few weeks ago, an Italian security researcher denounced the UAE government after it tried to recruit him as part of an effort to create “an elite task force to research and develop new large-scale surveillance solutions,” as he put it. The researcher, who’s called Simone Margaritelli, said he was offered large sums of money—a monthly tax-free salary of as much as $20,000—to join the project.
It seems the UAE is not sparing any expenses in its efforts to expand surveillance in the country. The tool used against Mansoor, according to security experts, could be worth as much as $1 million, given that it leveraged three zero-day flaws against the iPhone, which are extremely hard to find.
Last year, a firm that buys this type of exploit paid someone $1 million for a similar technique to hack iPhones. It’s unclear how much the hacking tool used against Mansoor cost, but it was certainly expensive, either in man-hours needed to develop it within NSO, or to buy it off someone else who had it.
“What the suspected government has done by targeting Mansoor with this very expensive spyware, is in some sense put a price to his moral courage,” John Scott-Railton, a senior researcher at Citizen Lab, told me. “He is the million dollar dissident.”