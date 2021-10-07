Amnesty International's computer security researchers have traced the trail back to the Donot Team group, already known for cyber attacks in South Asia. QUENTIN HUGON / LE MONDE

December 2019: a human rights activist living in Togo receives a series of strange messages on WhatsApp. His correspondent, writing to him in English from an Indian phone number, tries to pass himself off as an acquaintance and asks him to install another messaging application to continue the conversation.

Suspicious, the activist contacted Amnesty International and passed the installation file on to the organization's IT experts. Their analysis showed that the supposed "messaging" app was a front for the StealJob spyware, which can exfiltrate, without the user's knowledge, a great deal of information such as geolocation data and SMS messages, capture WhatsApp messages in real time, and record calls made from the phone.

Less than a month later, another suspicious message reached the same activist, this time in his email inbox. A little more subtle, and this time written in French, the email urged him to download an attachment which also contained spyware, this time for Windows: YTY. Both YTY and StealJob are relatively uncommon tools that have already been linked in the past to a group called Donot Team, suspected of operating mainly from, and against targets in, South Asia.

Booby-trapped links and malicious files

Amnesty International's computer security researchers were able to follow the trail left by the hackers who targeted this human rights activist in Togo. They discovered an infrastructure, parts of it poorly concealed, used to send booby-trapped links and malicious files to hundreds of recipients. The Internet Protocol (IP) addresses of these targets (the identifiers of their machines on the network) were overwhelmingly located in Pakistan and Kashmir and, to a lesser extent, in India and Bangladesh, a distribution that matches the Donot Team targeting already observed in the past.

The servers identified by Amnesty International's researchers are used by a private company, Innefu Labs, based in India. On its website, the company presents itself as a "Cybersecurity research and development start-up" and lists among its clients the Indian Army and the Border Security Force (BSF), the powerful police force responsible for the surveillance and defense of the country's borders with Pakistan and Bangladesh. The CVs and LinkedIn profiles of several of the company's employees suggest that designing or improving spyware is part of their job.

