Malware Hunter Finds Spyware Used Against Dead Argentine Prosecutor

On January 18 of this year, Argentinian prosecutor Alberto Nisman was found dead in his apartment under mysterious circumstances. The next day, he had been scheduled to appear before the country's Congress to deliver what was bound to be an incendiary testimony, accusing the current president, Cristina Fernández de Kirchner, of trying to cover up Iran's alleged involvement in the a bloody bombing in Buenos Aires in 1994.

"I might get out of this dead," he said the day before.

As it turns out, Nisman had good reason to be paranoid. In fact, someone had been spying on his cellphone for six weeks, using surveillance software that was capable of listening in on calls, reading messages, and capturing images of his screen, as revealed by Morgan Marquis-Boire, the director of security at First Look Media and a security researcher who has been chasing government-made hacking tools across the globe for years.

At the Black Hat security conference in Las Vegas on Wednesday, Marquis-Boire revealed he had personally analyzed a sample of the malware used to spy on Nisman, in a talk he gave alongside fellow malware hunter Marion Marschalek, who recently helped uncover the French malware Babar.

Before the talk on Wednesday, very few details had come out about the malware used against Nisman. A local news report from early June, for example, only mentioned that forensic experts confirmed the presence of a "trojan virus" on Nisman's phone.

Two weeks later, however, a small Argentinian newspaper called El Tiempo, mentioned the full name of the file that was used to infect Nisman's Android cellphone, a Motorola xt626, in an article about the investigation into Nisman's death.

That name, "estrictamente secreto y confidencial.pdf.jar," [strictly secret and confidential.pdf.jar] was enough to provide Marquis-Boire with a lead. He searched for it on Virus Total, an online repository where anyone can upload files to see if they're detected as malicious by different anti-viruses, and found it.

"This file matches one sample, and one sample only," Marquis-Boire said during the talk.

The file was uploaded at the end of May from Buenos Aires, roughly three months after Nisman's death. It's unclear who uploaded it to Virus Total or why (the site does not show this kind of information), but Marquis-Boire's investigation showed that the malware is a remote access tool (or RAT) known as AlienSpy. Marquis-Boire can't say for sure who was really behind the spyware, but some indicators he found in the sample pointed to Argentina or Uruguay.

"So you know, it could've been anyone," Marquis-Boire said, perhaps with a slight hint of sarcasm.

In the last few years, since it was revealed that China hacked Google in what became known as the "Operation Aurora" cyberattack, the cybersecurity industry that for years had been working mostly against cybercriminals had to cope with a new player—governments.

As the renowned malware researcher Mikko Hypponen confessed last year, also during Black Hat, few people expected governments to get into the malware game; it was like "science fiction." But they have, and hunters like Marquis-Boire, as well as companies such as Symantec or Kaspersky Lab, have investigated countless government espionage campaigns since then.

Nisman's case provides a perfect example of how challenging investigating malware suspected to have been created by a nation state can be. Even when you have the digital smoking gun, it's hard to know who held it, and who fired the shot. And sometimes, the security firms who uncover these malware and espionage operations don't seem very interested in finding the culprits.

As an example of that, Marquis-Boire mentioned Regin, a sophisticated espionage toolkit linked to the NSA and GCHQ that was revealed only last November, when antivirus companies learned that Marquis-Boire was going to reveal its existence. But in fact, antivirus companies had known about it for years (and still now refuse to clearly say who was behind it). Marquis-Boire jokingly referred to Regin as "the worst-kept secret" in the industry.

Perhaps there was a reason nobody wanted to talk about it.

"We didn't want to interfere with NSA/GCHQ operations," Ronald Prins, the head of the security company that investigated the cyberattack led by the NSA and GCHQ against the Belgian telecom giant Belgacom,using Regin, told me when the malware was revealed.

Sometimes the industry also seems to forget about the victims of cyberattacks and espionage campaigns. As a report from the digital watchdog group Citizen Lab concluded last year, some, especially if they are human rights workers, become the forgotten victims of cyberwar.

"Our industry actually forgets about Cecil," Marquis-Boire said, referring to the well-known lion that was recently killed. "We're more interested in the gun that shot Cecil, how sophisticated the bullet that killed Cecil was."

During his talk, Marquis-Boire referred to a few examples from his past investigations, where government hacking activities had real-world consequences.

He referred, among others, to Ahmed Mansoor, a pro-democracy activists in the United Arab Emirates who was beaten and imprisoned, after being spied on using malware sold by the controversial Italian surveillance vendor Hacking Team. In that case, the "who did it" was easy to figure out: the malware used against Mansoor communicated directly with the office of the Sheikh of Abu Dhabi.

In the case of Nisman, we might never know. But his case provides a painful reminder that cyberespionage tools are routinely being used against not only against criminals or terrorists, but also people that governments around the world might otherwise want to silence.

Top photo: In this March 18, 2015 file photo, a demonstrator holds a sign that reads in Spanish "I am Nisman" during an act to demand justice following the death of special prosecutor Alberto Nisman, outside court in Buenos Aires, Argentina.