Hackers Threaten Security Researchers: 'We'll Analyze Your Brain with a Bullet'

Researchers from Citizen Lab received the threats while investigating state-sponsored hacking in South America.

Dec 9 2015, 1:45pm

The attacker speaks. Screenshot: Citizen Lab

Typically, security researchers can do their job in relative comfort. Analysing malware or tracing the servers of hackers can be done from pretty much anywhere, remotely over the internet.

But sometimes that work can get much more personal.

On Wednesday, researchers from Citizen Lab at the University of Toronto published an extensive report into an actor they have labeled "Packrat," a suspected group of state-sponsored hackers that has been targeting political opponents, journalists, and government officials throughout South America for at least seven years.

During that investigation, one researcher was reportedly bombarded with a series of vulgar messages, including death threats to themselves and their family, while examining one of the hacked computers.

"A Packrat operator began to communicate to one of the Citizen Lab researchers in Spanish and English on an infected machine," the Citizen Lab report reads.

The threats, according to the report, popped up on Internet Explorer, and included:

"You think you're living, we have your IP!"

"You like playing the spy where you shouldn't, you know it has a cost, you life!"

"We are going to analyze your brain with a bullet and your family too."

The attackers even used the Windows text-to-speech function, to have some of the Spanish language threats read out to the researcher, and also remotely shut down the infected device being analysed.

Screenshot: Citizen Lab

Despite this, Claudio Guarnieri, an activist, security researcher, and one of the authors credited in the Citizen Lab report, told Motherboard in an encrypted chat that the messages were "nothing scary."

"They were just sending us threats on a box with messageboxes and text2speech," he wrote.

Guarnieri said that Citizen Lab did not specify the researcher who saw the messages "for operational reasons," but added that no one felt genuinely threatened by them.

"I received more serious death threats [at the] beginning of the year," he wrote. "It is pretty 'normal' at some point."

Those earlier threats involved a Twitter account sending messages that said Guarnieri "was going to get kidnapped and tortured at some public event or something," he said.

"We don't plan to go to some countries anytime soon tho," Guarnieri added.

Packrat, according to Citizen Lab, has been active in Ecuador, Argentina, Venezuela, and Brazil. Its attacks have involved the distribution of malware, phishing emails, and disinformation campaigns throughout the region, and the group showed "a keen and systematic interest in the political opposition and the independent press in so-called ALBA countries (Bolivarian Alternative for the Americas), and their recently allied regimes."

The researchers linked a spate of recent attacks in Ecuador to another 2014 campaign in Argentina. As part of the latter, hackers attempted to compromise the devices of Albreto Nisman, an Argentine prosecutor, who was later found dead in mysterious circumstances, as well as those of a journalist.

Citizen Lab then traced Packrat all the way back to 2008. The researchers did not attribute Packrat's actions to a particular nation, however, but did say that the group is likely a state-sponsored actor.

This sort of exchange between security researchers and the people on the other end of their work is rare, but the Citizen Lab report does point to another case from 2012.

Regardless, it's a stark reminder that there are plenty of people who don't appreciate the work of security and malware researchers, and apparently some who will also take their disdain one step further.