In online ruse, fake journalists tried to hack Saudi critic

By RAPHAEL SATTER, AP Cybersecurity Writer
WASHINGTON (AP) — Hackers impersonating journalists tried to intercept the communications of a prominent Saudi opposition figure in Washington, The Associated Press has found.
One attempt involved the fabrication of a fake BBC secretary and an elaborate television interview request; the other involved the impersonation of slain Washington Post columnist Jamal Khashoggi to deliver a malicious link.
Media rights defenders denounced the hacking effort, which they said would make it harder for genuine reporters to do their jobs.
“It’s incredibly dangerous to employ this kind of tactic,” said Elodie Vialle, who heads the technology desk at Paris-based Reporters Without Borders. “The chilling effect is that people are deterred from speaking to journalists. In the end, it undermines the freedom of information.”
The most involved masquerade took place in February of this year, when someone posing as a BBC journalist called “Tanya Stalin” emailed Washington-based Saudi dissident Ali AlAhmed inviting him to a live broadcast about Saudi Arabia. Stalin engaged with AlAhmed over several days, sending him a list of proposed topics and talking him through the logistics of his purported television appearance.
AlAhmed said he knew from the beginning that something was up.
For starters, Stalin said her position was “Secretary to the Editor In Chief,” a title that didn’t correspond to a job typically done by producers or bookers. Odder still, the message came over Gmail rather than from an official BBC address.
And then there was her eyebrow-raising last name.
“The Stalin business threw me off,” AlAhmed said in a recent interview. “I asked my wife, who is Russian, and she said: ‘No one has this name.’”
AlAhmed was right. The BBC said it wasn’t aware of anyone called “Tanya Stalin” working for the broadcaster and that the title she claimed to hold did not formally exist. An Associated Press analysis of her messages suggests the interview request was a sloppily executed trap, an attempt to get AlAhmed to click a malicious link and break into his inbox.
AlAhmed believes Saudi Arabia is behind Stalin’s emails, as well as dozens of other suspicious messages he has received over the past year. One November 2017 missive purportedly came from Khashoggi, whose killing last month on the grounds of the Saudi Consulate in Istanbul has refocused international attention on the brutality of the Arab kingdom’s leadership.
The Saudi Embassy in Washington did not return written questions from the AP.
Washington Post Executive Editor Marty Baron said the hackers’ theft of Khashoggi’s identity was “contemptible.”
A researcher with internet watchdog Citizen Lab recently reviewed AlAhmed’s emails and confirmed they were malicious — although he stopped short of drawing a link between the different messages or blaming anyone for the hacking campaign.
“This was a targeted operation designed to gain access to his accounts and private communications,” said John Scott-Railton, whose group is based at the University of Toronto’s Munk School of Global Affairs. “This does appear to be closely linked to his political activities.”
Some of the messages — like a prompt to install a “free security update” called “Ninja security” — were generic phishing messages of the type used by criminals and spies the world over. But many of the 40-odd malicious messages recovered from AlAhmed’s inbox were closely attuned to current events in the Gulf.
Most troubling was a May 31 message dressed up to look like it came from an event photography service, complete with pictures of AlAhmed holding a microphone during a question and answer session featuring the Qatari foreign minister at the American Enterprise Institute in Washington.
The photos, which appear to have been pulled off a publicly available video of the event, suggest that the hackers or someone working with them had been tracking AlAhmed’s whereabouts closely.
“That email was really when I felt fear,” said AlAhmed, who says his work is largely self-funded. “They are actually physically here. They’re looking at me.”
Scott-Railton said the persistence of the hackers — and the variety of different tactics they employed to try to pry open AlAhmed’s inbox — pointed to a manpower-intensive effort to compromise the Saudi gadfly.
“Over an extended period of time, humans were tasked with getting into his computer and getting into his head,” Scott-Railton said.
As a critic of Saudi Arabia’s ruling family, AlAhmed has been a regular on Arabic and English-language cable news for more than a decade. He has long served Washington journalists as a source about the kingdom’s problems, especially in relation to extremist propaganda in the country’s school textbooks.
Saudi Arabia is a known practitioner of cyberespionage. The country was exposed as a customer of notorious Italian surveillance firm Hacking Team in 2015 and a mysterious Saudi investor has since taken a minority stake in the company, according to a Motherboard report published this year.
Recent reports by Citizen Lab and human rights group Amnesty International have also documented the use of Israeli-made spy software to break into the smartphones of Saudi human rights activists, including Canada-based Omar Abdulaziz, who was working with Khashoggi on several confidential projects before the columnist was killed.
Whoever is behind the bogus Tanya Stalin persona or the fake Jamal Khashoggi emails, the messages give an idea of how the always-fraught overlap between espionage and journalism has evolved in the internet age, with government-backed hackers routinely impersonating journalists or news organizations to hunt their prey. Even the FBI has impersonated reporters to hack its targets, at one point pretending to be an AP journalist to locate a bomb threat hoaxer’s computer.
Scott-Railton explained that masquerading as a journalist was a perfect way of getting someone to lower their guard and click a link or open an attachment.
“It ticks all kinds of boxes,” he said. “It explains messages out of the blue and as part of communications with journalists you’d expect to receive documents, like questions in advance.”
The attempt to hack AlAhmed under Khashoggi’s name involved a simple link sent by email, but the Tanya Stalin ruse was unusually involved.
The hackers created a fake LinkedIn profile with more than 500 connections to corroborate her identity and pass her off as a graduate of journalism schools at Columbia and Berkeley. The profile’s picture consisted of a headshot of Souad Mekhennet, a real Washington Post journalist who writes about national security and the Middle East and has covered the aftermath of Khashoggi’s death.
It’s not clear why the hackers used Mekhennet’s photo in the sham profile or whether they even tried particularly hard to make the “Tanya Stalin” persona credible. Stalin did not immediately return messages seeking comment. Neither did whoever was behind the fake Khashoggi email.
Baron, the Washington Post’s top editor, said in his statement Wednesday that he condemned the use of Mekhennet’s image and Khashoggi’s name.
“To be clear, neither of these distinguished journalists had any involvement whatsoever in these despicable schemes,” he said.
___
Online:
Raphael Satter can be reached at: http://raphaelsatter.com
___
A selection of the phishing emails sent to Ali AlAhmed: https://www.documentcloud.org/search/projectid:41381-Fake-Journalist-Hackers