Operation Kingphish: Uncovering a Campaign of Cyber Attacks against Civil Society in Qatar and Nepal
| By Nex
Over the course of 2016 — and particularly intensifying towards the end of the year — several individuals known to Amnesty International were approached via email and through social media by “Safeena Malik”, seemingly an enthusiastic activist with a strong interest in human rights.
What lied beneath this facade was a well-engineered campaign of phishing attacks designed to steal credentials and spy on the activity of dozens of journalists, human rights defenders, trade unions and labour rights activists, many of whom are seemingly involved in the issue of migrants’ rights in Qatar and Nepal.
Our investigation of the attacks didn’t yield any evidence that would indicate the conclusive responsibility of a particular government, although we suspect these attacks might have been orchestrated by a state-affiliated actor. We refer to this campaign and the associated actor as Operation Kingphish (“Malik”, in one of its written forms in Arabic, translates to “King”).
It is worth noting that in December 2016, Amnesty International published an investigation into another social engineering campaign perpetrated by a seemingly fake human rights organization known as Voiceless Victims, which targeted international human rights and labour rights organizations campaigning on migrant workers’ rights in Qatar. While there is a clear alignment of interests, we have found no evidence to suggest these two campaigns are directly connected.