Computer security research devotes extensive efforts to protecting individuals against indiscriminate, large-scale attacks such as those used by cybercriminals. Recently, the problem of protecting institutions against targeted attacks conducted by nation-states (so-called “Advanced Persistent Threats”) has likewise elicited significant research interest. Where these two problem domains intersect, however---targeted cyber attacks by nation-states against individuals---has received little significant, methodical research attention. This new problem space poses challenges that are both technically complex and of significant real-world importance.

In this thesis, we undertake to characterize the emergent problem space of nation-state Internet attacks against individuals engaged in pro-democracy or opposition movements. We first present several years of research we have conducted into cases from two Middle Eastern countries, in the aftermath of the Arab Spring. Leveraging our connections in Bahrain and the United Arab Emirates, we encouraged potential targets to send us any “suspicious” electronic communications they received. Dissidents forwarded us messages with malicious attachments, links, and other content designed to deanonymize them and break into their computers and phones. Strong circumstantial evidence ties some of these messages to specific nation-state attackers. We frame the nature of these attacks, and the technology and infrastructure used to conduct them, in the context of their impacts on real people. Building on our understanding of attacks targeting dissidents, we engaged with 30 potential targets of Middle Eastern and Horn of Africa-based governments, in order to better understand subjects' perceptions of the risks associated with their online activity. We interviewed subjects, and examined settings and software on their computers and phones. Our data illuminate the ways in which dissidents are vulnerable to the types of attacks employed by nation-states.

Informed by our fieldwork, we developed Himaya, a defensive approach that readily integrates with targets' workflow to provide near real-time scanning of email messages to check for threats. Our prototype implementation of Himaya currently protects 36 subjects, and has found a number of attacks both from scans of past message archives and in live activity.
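As an added illustration of the kind of message scanning the abstract describes, the following Python script parses an RFC 5322 email, lists its attachments and HTML links, and flags two of the lure patterns named above: attachments with executable or macro-enabled extensions, and links whose visible text shows one host while the href points to another. This is example code written for this page, not the thesis's Himaya implementation; the extension list and the link heuristic are assumptions chosen for illustration and are not Himaya's actual detection rules. The sample message is constructed inline using the standard library, so the script runs offline.

```python
"""Minimal email lure scanner (added example; not the Himaya code from the thesis).

Heuristics below are assumptions for illustration only:
  1. attachment filename ends in an executable or macro-enabled extension
  2. an HTML anchor whose visible text is a URL on a different host than its href
"""
import email
import re
from email import policy
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed list of attachment types frequently abused to deliver malware.
RISKY_EXTENSIONS = (".exe", ".scr", ".jar", ".vbs", ".js", ".hta", ".docm", ".xlsm", ".lnk")

ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
URL_RE = re.compile(r'https?://[^\s<>"\']+')
TAG_RE = re.compile(r'<[^>]+>')


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, or '' if it has none."""
    return (urlparse(url).hostname or "").lower()


def scan_message(raw: bytes) -> list[str]:
    """Return human-readable findings for one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings: list[str] = []

    # Heuristic 1: risky attachment extensions (iter_attachments skips body parts).
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name.endswith(RISKY_EXTENSIONS):
            findings.append(f"risky attachment type: {name}")

    # Heuristic 2: displayed URL host differs from the real link target host.
    html = msg.get_body(preferencelist=("html",))
    if html is not None:
        for href, inner in ANCHOR_RE.findall(html.get_content()):
            shown = URL_RE.search(TAG_RE.sub("", inner).strip())
            if shown and host_of(shown.group(0)) != host_of(href):
                findings.append(
                    f"link shows {host_of(shown.group(0))} but points to {host_of(href)}"
                )
    return findings


def build_sample(lure: bool = True) -> bytes:
    """Constructed sample message (not a real captured lure; hosts are RFC 2606 examples)."""
    m = EmailMessage()
    m["From"] = "sender@example.net"
    m["To"] = "target@example.org"
    m["Subject"] = "constructed sample"
    m.set_content("Please see the attached report.")
    if lure:
        m.add_alternative(
            '<p>Read it online at <a href="http://tracker.example.net/abc">'
            "https://www.example.org/report</a></p>",
            subtype="html",
        )
        m.add_attachment(
            b"MZ-placeholder", maintype="application", subtype="octet-stream",
            filename="report.scr",
        )
    return m.as_bytes()


if __name__ == "__main__":
    for finding in scan_message(build_sample()):
        print("FINDING:", finding)
```

Run stand-alone, the script reports the `.scr` attachment and the mismatched link for the constructed lure and nothing for the plain-text variant (`build_sample(lure=False)`). A production scanner in the Himaya setting would add sender-reputation checks and detonate attachments out of band, but the parse-then-flag structure shown here is the same regardless of how sophisticated the rules become.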




