Alberto Nisman, the Argentine prosecutor known for doggedly investigating a 1994 Buenos Aires bombing, was targeted by invasive spy software downloaded onto his cellular phone shortly before his mysterious death. The software masqueraded as a confidential document and was intended to infect a Windows computer.
An investigation by The Intercept indicates that this targeting was likely not an isolated event. The person or persons behind the attempted monitoring appear to have run other surveillance operations involving various locations throughout South America, at least one apparently targeting a rabble-rousing Argentine journalist. In the process, they created at least four distinct spyware bundles, all communicating with the same server set to receive Nisman’s data. They also left traces showing that their operations were active as recently as March, raising the possibility that the online spying continues today.
Nisman (pictured above) made powerful enemies inside and outside of Argentina. In his decade-long investigation into the suicide bombing of a Jewish organization and community center, Asociación Mutual Israelita Argentina, he indicted a top Hezbollah operative and several Iranian officials, including a former president, former intelligence minister, and a former foreign minister. Four days before his death, he accused the president of Argentina, Cristina Fernández de Kirchner, and her foreign minister, Héctor Timerman, of being involved in a criminal conspiracy to let Iranian officials off the hook for the attack. He was called to testify before Congress.
But the night before he was slated to deliver that testimony, Nisman was found in his apartment dead from a bullet wound to the head. An autopsy ruled his death a suicide. But as details of the police investigation emerged, so did more and more questions into the manner of his demise. There was no suicide note, nor was any gunpowder residue found on Nisman’s hands. A document requesting the arrest of Kirchner and Timerman was found in Nisman’s trash. And it seemed much of the evidence had been gathered in a disorganized and erratic manner.
Protesters take part in a silent march to honor Nisman in Buenos Aires, February 18, 2015, one month after his death.
Photo: Enrique Marcarian/Reuters /Landov
While it seemed like a shot in the dark, I searched VirusTotal for the document. VirusTotal is an online anti-virus website run by Google and a popular tool for sharing and analyzing malicious software. People upload files that they think may be suspicious and then these files are run through 56 different anti-virus products, including those made by Symantec, Kaspersky, Sophos, and McAfee. This is exactly what happened with the malicious spyware sent to Nisman. It was uploaded to VirusTotal, where I discovered one file that matched the file name reported in InfoNews. This file, VirusTotal informed me, had been uploaded into the service from Argentina on May 29, 2015. A source close to the investigation confirmed that this was the file that had been found on Nisman’s cellular phone.
The file “estrictamente secreto y confidencial.pdf.jar” would, under the default settings in Microsoft Windows, show up without the file extension, displaying it to an unsuspecting user as “estrictamente secreto y confidencial.pdf” in an attempt to fool the user into believing that the spyware was simply a document in the common PDF format. This file, sent to Nisman, is in fact a piece of spying software that’s been bundled together with a PDF. This “bundling” is a common technique for delivering spyware. The would-be spies have a program that allows them to select a “bait document,” combine it with the spying software, and then, typically, this build of the spyware would be delivered to a target by way of an explanatory email informing the recipient that they should open the attachment, as it contains interesting information.
At the Black Hat USA 2015 security conference in Las Vegas, in a talk with Marion Marschalek, a senior malware researcher at the cybersecurity firm Cyphort, I released details of the analysis of this attempt on Nisman, revealing that the software clandestinely packaged together with the tantalizingly named document “estrictamente secreto y confidencial.pdf” is an off-the-shelf commercial digital spying tool or “remote access toolkit” (RAT) known as AlienSpy. This particular build of the spyware appears to have been created on December 1, 2014, approximately six weeks prior to Nisman’s death. AlienSpy boasts an array of intrusive surveillance features, such as recording the victim’s keystrokes, eavesdropping via a digital device’s built-in microphone, remote viewing of the desktop, and the ability to turn on a victim’s webcam “without user notification.” AlienSpy was born as the free “Frutas” RAT and was detected in a campaign in Mexico. It was redeveloped for sale as a “Premium RAT” known as “Adwind.” Prices ranged from $75 for a single license to $250 for multiple licenses (for more details see Appendix: Technical Investigation Details at the bottom of the document).
While this spyware platform supports the Windows, OS X, Linux, and Android operating systems, the particular package that targeted Nisman was tailored for Windows. He may have caught a lucky break by trying to open it on his phone, as it would not have been able to run on his Android device. Had Nisman opened the document on his laptop or desktop — and it’s not established whether he did or did not do so — he would have been disappointed. Despite the enticing name, the file would have shown nothing but a single blank page. While he pondered this, spying software would have been installed on his machine.
After Black Hat, a summary of my presentation appeared in VICE and I was interviewed by Argentine dailies Clarín and La Nación. Subsequently, a well-known Argentine investigative journalist, Jorge Lanata, revealed that on December 3, around the time Nisman appears to have been targeted, he was also sent spyware, which appeared to be the same as Nisman’s. Lanata posted the email and attachment he received online. I downloaded both and verified that the spyware was indeed the same.
The spyware that both Lanata and Nisman received spoke to the same “command and control” domain, an Internet address that points to a remote machine used by spies to control the software they have implanted on a victim’s machine. This is where data stolen from a target is received and from which new commands to the spyware are issued. In the case of Nisman and Lanata, their spyware was the same, and it communicated with the same remote domain, “deyrep24.ddns.net,” and thus can be presumed to be controlled by the same people.
Lanata is one of the most prominent critics of government corruption. The email he received containing spyware purported to be from Claudio Bonadio, and was labeled with the subject “Expediente BONADIO.” Bonadio is a well-known Argentine judge who probed the Kirchner family’s hotel company, Hotesur, amid allegations of money laundering stoked by a 2014 report on “Periodismo Para Todos,” the TV news show Lanata hosts. The email from Bonadio to Lanata seems likely to have been specifically forged by whomever was targeting Lanata to make it more probable that the journalist would trust and open the correspondence. While, at this stage, it is unclear why Lanata was targeted, the use of identical spyware indicates that the attempted hack attack against Nisman was likely not an isolated incident.
The president’s son, Máximo Kirchner, has also claimed to have received the same malware, although we were unable to verify this. Anibal Fernandez, a Kirchner ally and politician in the same political party, has characterized the malware as common and inconsequential. His amateur opinion is incorrect on both counts. This type of malicious code is not similar to the ransomware and banking crimeware that average computer users commonly receive. It’s used to remotely view the activities of a targeted individual and is highly invasive. Additionally, while AlienSpy is relatively easy to obtain, the specific actors behind the attacks on Nisman and Lanata have not been indiscriminate.
During The Intercept’s investigation, we discovered, in VirusTotal, three additional spyware bundles, beyond the one sent to Nisman and Lanata, which communicated with the same command and control domain, “deyrep24.ddns.net.” Chronologically, the earliest of these spyware samples, “3 MAR PROYECTO GRIPEN.docx.jar,” was packaged on November 20, 2014. This is a build of AlienSpy that was uploaded from an Internet address in Ecuador on November 22, 2014. The bait document that the spyware was combined with can be seen below:
As seen in the malware sample, the “Proyecto Gripen” document purports to be a communication between Mario Guerrero Murgueytio, the Ecuadorian ambassador in Sweden, and the president of Ecuador, Rafael Correa Delgado. The subject is alleged negotiations for the Ecuadorian purchase of the multi-role fighter, “Gripen,” produced by the Swedish aeronautics company Saab. Neighboring Brazil had previously placed an order for 36 such aircraft. Argentina was looking into purchasing 24 of the Gripen fighters, however, it seemed that the deal was unlikely to be completed due to a lurking veto from the United Kingdom related to the disputed Falkland Islands. The alleged information contained in the document is particularly intriguing because Ecuador is harboring, in its London embassy, WikiLeaks cofounder Julian Assange, who Sweden has requested be extradited on sexual offense allegations. That said, it is common for spies to bundle spyware with interesting bait, real and forged. At this stage, we have been unable to establish whether the document, or any information contained within it, is authentic. (Ecuador’s U.S. embassy did not respond to a request for comment.)
The second additional spyware bundle we found also uses the same command and control domain as the software used to target Nisman but is not the same type of program. “Documentos.pdf.jar” was built on December 23, 2014, and uploaded to VirusTotal from an Internet address in Argentina on June 4, 2015. Instead of AlienSpy, the remote access toolkit that this spyware bundle uses is software called “Adzok – Invisible Remote Administrator.” Adzok is similar to AlienSpy in functionality, and its website shows that it is based in Bolivia. The premium version costs $990, but the spies elected to use the “free” version (see the appendix for more details). When the bundle was opened, the target would see a file with a single blank page.
The third additional spyware we found is also controlled via “deyrep24.ddns.net” and is called “Reporte Confidencial.pdf.jar.” It appears to have been built on January 9, 2015. It was uploaded to VirusTotal from an Internet address in Ecuador on January 10, 2015. It contains a document with a single blank page.
In addition, we discovered that in March the spies created a new command and control domain, “daynews.sytes.net,” that we could tie back to the command and control server used in the attack on Nisman and Lanata and link to the other spyware samples. The two servers were hosted at the same Internet protocol, or “IP,” address at the same time, and even moved together to a new IP address at a new hosting company. (For more information, see the appendix.) It is common practice to move the servers behind a command and control domain in order to frustrate tracking of the origins of a spying campaign. This related infrastructure was created weeks after Nisman’s death.
Conclusively attributing this type of activity is a tricky problem. It is difficult to reliably place blame on a specific country, agency, or group based on analysis of suspicious software alone. What we can say about the spy or spies who targeted Nisman is that their efforts spanned at least several months, are linked to various locations in South America and involve low-end commercial tools and multiple high-profile targets, two of whom were Argentine troublemakers.
This spy tool used to target Nisman began life as a free Remote Access Toolkit known as “Frutas” and was detected in a campaign in Mexico. It was later redeveloped for sale as a “Premium RAT” known as “Adwind.” Prices ranged from $75 for a single license to $250 for multiple licenses. In November 2013, Adwind was rebranded to UNRECOM (UNiversal REmote COntrol Multi-platform), which was spotted in targeted attacks in the Middle East. The latest version, called “AlienSpy,” has been found by security researchers in targeted spying operations. This report details the current features of AlienSpy.
Each of the AlienSpy samples identified as related to the Nisman attack is built in roughly the same way. There’s an outer .jar file containing a folder named META-INF and two files: Favicon.ico and Principal.class. Upon execution, Principal.class unzips the contents of “Favicon.ico” (which is not actually an icon file, but a zip archive), and looks for a filename containing “.jar”. When found, it drops it to a randomly-named temp file starting with a constant string and invokes java to run it. Inside the .jar file from “Favicon.ico,” “Main.class” is obfuscated using “Allatori,” a Russian-origin JVM obfuscator used by Adwind / AlienSpy. This reads part of an RC4 key from the file “ID.” To this it appends a constant string, and then uses the full RC4 key to decrypt the contents of MANIFEST.MF giving the actual Adwind implant JAR file. You can read more about how Allatori works and how to deobfuscate it, here and here.
There is no encryption on the Adzok sample: you can unzip “Documentos.pdf.jar,” then unzip “Favico.ico,” then unzip the file “0Java.jar” and see the implant’s files, including its configuration.
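The layout described above can be checked statically, without executing anything. The following Python triage routine is an added example, not code from the original investigation: it flags a document-style double extension and any archive member that is really a ZIP, then lists the inner payload and bait names. The sample it runs on is a constructed, inert stand-in, and all function names are illustrative.

```python
import io
import zipfile

# Extensions a user would read as "document or image" versus "runs when opened".
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ico", ".jpg", ".png", ".txt"}
EXEC_EXTS = {".jar", ".exe", ".scr", ".js", ".vbs", ".bat", ".cmd"}
ARCHIVE_EXTS = {".jar", ".zip", ".war", ".ear"}
MAX_MEMBER = 20 * 1024 * 1024  # never inflate more than this per member (zip-bomb guard)


def ext_of(name):
    """Lower-cased final extension of a file or archive member name."""
    base = name.rsplit("/", 1)[-1].lower()
    dot = base.rfind(".")
    return base[dot:] if dot > 0 else ""


def double_extension(name):
    """Return (shown_ext, real_ext) for names such as 'x.pdf.jar', else None."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    if len(parts) >= 3 and "." + parts[-2] in DECOY_EXTS and "." + parts[-1] in EXEC_EXTS:
        return "." + parts[-2], "." + parts[-1]
    return None


def read_capped(zf, info):
    """Inflate one member, giving up (None) if it exceeds MAX_MEMBER bytes."""
    with zf.open(info) as fh:
        blob = fh.read(MAX_MEMBER + 1)
    return None if len(blob) > MAX_MEMBER else blob


def triage_jar(data, filename):
    """Static look at a JAR: disguised name, and members that are hidden ZIP archives."""
    report = {"double_extension": double_extension(filename), "disguised_archives": []}
    with zipfile.ZipFile(io.BytesIO(data)) as outer:
        for info in outer.infolist():
            # Members that openly claim to be archives are not "disguised".
            if info.is_dir() or ext_of(info.filename) in ARCHIVE_EXTS:
                continue
            blob = read_capped(outer, info)
            if blob is None or not zipfile.is_zipfile(io.BytesIO(blob)):
                continue
            with zipfile.ZipFile(io.BytesIO(blob)) as inner:
                names = [i.filename for i in inner.infolist() if not i.is_dir()]
            report["disguised_archives"].append({
                "member": info.filename,
                # Same selection rule the text attributes to the dropper:
                # any inner file name containing ".jar".
                "payloads": [n for n in names if ".jar" in n.lower()],
                "decoys": [n for n in names if ext_of(n) in DECOY_EXTS],
            })
    report["suspicious"] = bool(report["double_extension"]) or any(
        a["payloads"] for a in report["disguised_archives"])
    return report


def build_constructed_sample():
    """Constructed, inert stand-in with the layout described above (placeholder bytes only)."""
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("0doc.jar", b"constructed placeholder, not a real implant")
        z.writestr("1Estrictamente Secreto y Confidencial.pdf", b"%PDF-1.4 constructed blank page")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: Principal\n")
        z.writestr("Favicon.ico", inner.getvalue())
        z.writestr("Principal.class", b"\xca\xfe\xba\xbe" + b"\x00" * 28)
    return outer.getvalue()


if __name__ == "__main__":
    name = "estrictamente secreto y confidencial.pdf.jar"
    print(triage_jar(build_constructed_sample(), name))
```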
file hash: aa9aa05af8df2cc99eb936e2d17623a68abdbb60606bb097379457c4a3760116
Submission: AR
First seen: 2015-05-29 18:48:24
From timestamps inside the malware, this appears to have been built on December 1, 2014.
contents of Favicon.ico:
-rw-r--r-- 55381 Dec 1 2014 0doc.jar
-rw-r--r-- 8134 Dec 1 2014 1Estrictamente Secreto y Confidencial.pdf
The following samples speak to the same command and control domain as the piece of malware which targeted Nisman.
file hash: ca5481e56de4b78348c008c36803fc044baea9ea5a5ea8534b3e88ce35f0958a
Submission: EC
First seen: 2014-11-22 13:52:31
contents of Favicon.ico:
-rw-r--r-- 49019 Nov 20 2014 0cliente.jar
-rw-r--r-- 223819 Nov 20 2014 13 MAR PROYECTO GRIPEN.docx
file hash: 0776cc9d22730006c5a818afe78f78e578107eccc5322424f49e2d4fff3efec4
Submission: AR
First Seen: 2015-06-04 17:24:33 UTC
contents of Favico.ico:
-rw-r--r-- Dec 23 2014 0Java.jar
-rw-r--r-- Dec 23 2014 1Informe Reservado.pdf
file hash: c0664ca05a351388c903d7e989257fe244b25098bf74394a9325f4b0a7c5472b
Submission: EC
First Seen: 2015-01-10 02:00:33 UTC
contents of Favico.ico:
-rw-r--r-- 8132 Jan 9 2015 0Documento.pdf
-rw-r--r-- 56200 Jan 9 2015 1server2.jar
The command and control server for the malware that targeted Nisman was deyrep24.ddns.net, which appears to have been created on 2014-11-07. Using a domain tracking and threat research platform called “PassiveTotal,” we learned that at the time of Nisman’s death this domain pointed to 50.62.133.49. This IP address is owned by GoDaddy and used for dedicated hosting. The domain moved to 192.169.243.65 (also a GoDaddy address) on March 2, 2015. The domain daynews.sytes.net appears to have been created on March 1, 2015 and was using the address 192.169.243.65 at the same time it was being used by deyrep24.ddns.net. We later see both hosts move to 46.246.89.246, which is used by Portlane Networks, a Swedish hosting provider.
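The co-hosting argument above can be expressed as an interval-overlap check over passive DNS records. This Python example is added here and is not taken from PassiveTotal or the original analysis. The IP addresses and the March 1 and March 2, 2015 dates come from the text; every other first-seen and last-seen date, the unrelated.example row, and the function names are constructed for illustration.

```python
from collections import defaultdict
from datetime import date
from itertools import combinations

# (domain, ip, first_seen, last_seen). IPs and the two March 2015 dates are from
# the text; all other dates and the unrelated.example row are constructed.
PDNS = [
    ("deyrep24.ddns.net", "50.62.133.49", date(2014, 12, 1), date(2015, 3, 1)),
    ("deyrep24.ddns.net", "192.169.243.65", date(2015, 3, 2), date(2015, 4, 10)),
    ("daynews.sytes.net", "192.169.243.65", date(2015, 3, 1), date(2015, 4, 10)),
    ("deyrep24.ddns.net", "46.246.89.246", date(2015, 4, 11), date(2015, 6, 1)),
    ("daynews.sytes.net", "46.246.89.246", date(2015, 4, 11), date(2015, 6, 1)),
    # Same shared-hosting IP, but years earlier: must NOT be linked.
    ("unrelated.example", "50.62.133.49", date(2013, 1, 1), date(2013, 6, 1)),
]


def cohosting(records):
    """Map each domain pair to the (ip, start, end) windows in which both resolved to ip."""
    by_ip = defaultdict(list)
    for domain, ip, first, last in records:
        by_ip[ip].append((domain, first, last))
    pairs = defaultdict(list)
    for ip, rows in by_ip.items():
        for (d1, f1, l1), (d2, f2, l2) in combinations(rows, 2):
            if d1 == d2:
                continue
            start, end = max(f1, f2), min(l1, l2)
            if start <= end:  # the two resolution windows actually overlap
                pairs[tuple(sorted((d1, d2)))].append((ip, start, end))
    return dict(pairs)


def moved_together(records, min_shared_ips=2):
    """Keep only pairs that overlapped on several distinct IPs, i.e. migrated as a unit.

    One shared IP is weak evidence on shared or dedicated hosting; following each
    other across providers is much harder to explain by coincidence.
    """
    result = {}
    for pair, overlaps in cohosting(records).items():
        if len({ip for ip, _, _ in overlaps}) >= min_shared_ips:
            result[pair] = sorted(overlaps, key=lambda o: o[1])
    return result


if __name__ == "__main__":
    for pair, overlaps in moved_together(PDNS).items():
        print(" <-> ".join(pair))
        for ip, start, end in overlaps:
            print(f"  {ip}  {start} .. {end}")
```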
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="pluginfolder">cOzdAJCuee</entry>
<entry key="reconnetion_time">3000</entry>
<entry key="ps_hacker">false</entry>
<entry key="restore_system">false</entry>
<entry key="pluginfoldername">cOzdAJCuee</entry>
<entry key="dns">deyrep24.ddns.net</entry>
<entry key="install_time">3000</entry>
<entry key="port2">1040</entry>
<entry key="port1">1030</entry>
<entry key="taskmgr">false</entry>
<entry key="vmware">true</entry>
<entry key="jarname">documentos</entry>
<entry key="msconfig">false</entry>
<entry key="mutex">wMiSl1X1o423a2hh45Uifk8duasdf2S</entry>
<entry key="install">true</entry>
<entry key="instalar">true</entry>
<entry key="vbox">true</entry>
<entry key="password">ca19d6a81d35685b87547898c5e000a5fc9be554</entry>
<entry key="NAME">Localhost</entry>
<entry key="extensionname">jHs</entry>
<entry key="prefix">officce</entry>
<entry key="jarfoldername">0o86gb96</entry>
<entry key="uac">false</entry>
<entry key="win_defender">false</entry>
<entry key="connetion_time">3000</entry>
<entry key="folder">0o86gb96</entry>
<entry key="jar">documentos</entry>
<entry key="pluginextension">jHs</entry>
<entry key="registry">389032</entry>
<entry key="ps_explorer">false</entry>
<entry key="p2">1040</entry>
<entry key="p1">1030</entry>
<entry key="registryname">389032</entry>
<entry key="wireshark">false</entry>
<entry key="desktop">true</entry>
<entry key="nickname">officce</entry>
</properties>
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>Adzok Free</comment>
<entry key="dir">Java</entry>
<entry key="reg">Java</entry>
<entry key="pass">7854</entry>
<entry key="hidden">true</entry>
<entry key="puerto">7777</entry>
<entry key="ip">deyrep24.ddns.net</entry>
<entry key="inicio">true</entry>
</properties>
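Both configurations above are Java XML properties files, so the command and control host and ports can be extracted and compared across the two RAT families. This Python example is added here and is not part of the original analysis. The AlienSpy input is an excerpt of the entries shown above, the DNS log lines are constructed, and the function names are illustrative.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Keys that hold the C2 host and ports in the two configurations shown above.
HOST_KEYS = ("dns", "ip")
PORT_KEYS = ("port1", "port2", "p1", "p2", "puerto")

# Excerpt of the AlienSpy configuration from the page.
ALIENSPY_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>AlienSpy</comment>
<entry key="dns">deyrep24.ddns.net</entry>
<entry key="port2">1040</entry>
<entry key="port1">1030</entry>
<entry key="vmware">true</entry>
<entry key="jarname">documentos</entry>
<entry key="install">true</entry>
<entry key="vbox">true</entry>
<entry key="p2">1040</entry>
<entry key="p1">1030</entry>
<entry key="wireshark">false</entry>
</properties>"""

# The Adzok configuration from the page.
ADZOK_XML = b"""<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!DOCTYPE properties SYSTEM "http://java.sun.com/dtd/properties.dtd">
<properties>
<comment>Adzok Free</comment>
<entry key="dir">Java</entry>
<entry key="reg">Java</entry>
<entry key="pass">7854</entry>
<entry key="hidden">true</entry>
<entry key="puerto">7777</entry>
<entry key="ip">deyrep24.ddns.net</entry>
<entry key="inicio">true</entry>
</properties>"""

# Constructed resolver log: "<timestamp> <client> <qtype> <qname>".
DNS_LOG = [
    "2015-01-12T09:14:03Z 10.0.0.23 A www.example.org",
    "2015-01-12T09:14:09Z 10.0.0.23 A DEYREP24.ddns.net.",
    "2015-01-12T09:15:40Z 10.0.0.41 A ddns.net",
    "malformed line",
]


def parse_rat_config(xml_bytes):
    """Normalise a Java XML properties config into family, hosts, ports and true-valued keys.

    The standard-library parser does not fetch the external DTD. For configs from
    untrusted samples, a hardened parser such as defusedxml is the safer choice.
    """
    root = ET.fromstring(xml_bytes)
    if root.tag != "properties":
        raise ValueError("not a Java XML properties document")
    entries = {e.get("key"): (e.text or "").strip() for e in root.iter("entry")}
    return {
        "family": (root.findtext("comment") or "").strip(),
        "hosts": sorted({entries[k].lower() for k in HOST_KEYS if entries.get(k)}),
        "ports": sorted({int(entries[k]) for k in PORT_KEYS if entries.get(k, "").isdigit()}),
        # Reported as-is; this example does not interpret what each switch does.
        "enabled": sorted(k for k, v in entries.items() if v.lower() == "true"),
    }


def shared_hosts(configs):
    """Hosts that appear in the configs of more than one family."""
    seen = defaultdict(set)
    for cfg in configs:
        for host in cfg["hosts"]:
            seen[host].add(cfg["family"])
    return {h: sorted(f) for h, f in seen.items() if len(f) > 1}


def dns_log_hits(lines, hosts):
    """Exact, case-insensitive match of queried names against extracted C2 hosts."""
    wanted = {h.lower().rstrip(".") for h in hosts}
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) != 4:
            continue  # skip lines that do not fit the expected layout
        ts, client, _qtype, qname = fields
        if qname.lower().rstrip(".") in wanted:
            hits.append((ts, client, qname))
    return hits


if __name__ == "__main__":
    cfgs = [parse_rat_config(ALIENSPY_XML), parse_rat_config(ADZOK_XML)]
    print(shared_hosts(cfgs))
    print(dns_log_hits(DNS_LOG, cfgs[0]["hosts"]))
```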
The full email can be found here.
Received: by 10.43.144.69 with HTTP; Wed, 3 Dec 2014 09:03:28 -0800 (PST)
Date: Wed, 3 Dec 2014 15:03:28 -0200
Message-ID: <CAFP1fxRwjW1xb4xfQo-kV0UDkDm9s5YuysEym3Am4SZGhgN34A@mail.gmail.com>
Subject: Expediente BONADIO
From: Claudio Bonadio <cfed.bonadio@gmail.com>
To: jorgel....@gmail.com
Content-Type: application/java-archive;
name="Estrictamente Secreto y Confidencial.pdf.jar"
Thanks to Nico Waisman of Immunity for additional technical research and analysis. Additional thanks to Adam Meyers of Crowdstrike.
Suppose you suspect spyware has been installed on your cell phone, what do you do?
You want to prove spyware is on your phone and you also want to identify the type of spyware because that will help you identify who is responsible:
Is it common, readily available spyware sold on the Internet?
Is your cellphone infected with a sophisticated program used by government agencies?
(This means you CANNOT just wipe the infected cellphone and install a mobile antivirus program.)
What do you do? Where do you go for help? We searched our favorite technical publications and found that NONE of THEM had dealt with this question:
The Intercept – NO
PLEASE write an article for your loyal fans describing how to deal with cellphone spyware! MANY THANKS!!!
http://www.reportingwrongdoing.com/2015/09/wanted-cell-phone-spyware-detection-protection-advice.html
EXCELLENT – intriguing storytelling that teaches and informs!!! Many thanks.
Where does an activist go for help with cellphone spyware? See my cellphone malware symptoms on http://ReportingWrongdoing.com
Are there professional certifications to search for?
Private investigators use products like Cellebrite which focus on recovery, not malware.
How do I find competent, professional help? Any lists of Citizen Lab alums? Does Citizen Labs help activists? I have money to pay for their services.
MANY THANKS!!!!
So instead of investigating all this tsunami deluge of data and detail without knowledge or proof of anything, why not explore the quite more fantastic question of why such an esteemed barrister took TWENTY-ONE YEARS aka 21 YEARS.com.pfj.jar TO INVESTIGATE THE BOMBING?!
And WHY spend taxpayers’ pesos for 21 years of — what did this guy DO FOR 21 YEARS — ?!
And what about the presidents Menem and De La Rua and Duhalde which ALL preceded the various and sundry KIRCHNER governments and presumably also had phones. And what about the split Argentine intelligence agencies and THEIR phones?
And why is the last actual white European colonist state anywhere on the planet, i.e. Israel, so doggoned INTERESTED in THIS bombing and in IRAN and in DEALINGS between sovereign nations, i.e., Argentina and, say, Iran? Might there be any hocus-pocus involved here with the CIA and antidemocratic NGOs trying to destabilize Yet Another Leftist Government Somewhere On The Planet? And stuff?
Bottom line: It doesn’t matter who fired the shots, and whether they came from the grass knoll, the book depository or a rain gutter along Elm street or from the top of the records building. Kennedy is STILL dead. And, like Iceland and others, Argentina STILL told the IMF and international bankers to Go To Hell.
So WHY did such an esteemed barrister took TWENTY-ONE YEARS aka 21 YEARS.com.pfj.jar TO INVESTIGATE THE BOMBING?!
And WHY spend taxpayers’ pesos for 21 years of — what did this guy DO FOR 21 YEARS — ?!
Thanks for including the technical appendix!
Why Morgan you ERASE my comments? This is a really FAKE information, the virus is a 20 usd dollars virus from 2010, that it is PUBLIC called adwin. It is not supersecret NSA virus, just a normal KIDS virus that it is email to many users. If this is your research, really start learning computer skills. The virus has more than 1000 variants and the serverip you post, has more than 100 different variants from 2010 onwards. I am a Security Expert with 20 years in virus research. So, Morgan better start learning coding again.
It would be interesting to see the details on who paid for the hosting accounts.
Great article Morgan Marquis-Boire. This deserves to be on the front page of The New York Times!
Well, sorry…when I commented yesterday I did the exact thing I’m always wishing the distracted and “uninterested” wouldn’t do, ignore Wikipedia. Interesting paragraph [under the “Alberto Nisman” entry] that begins with “Santiago O’Donnell” in red font. At this site I suppose I should at least be caught up with germane leaks cited in Wikipedia. Anyone know anything about the “Syrian clues”? Argentina decides against the nuclear tech transfer, and then Hezbollah assumes Jews are responsible…gets t’d about it, and decides to plant a bomb? It doesn’t sound like Iran. It’s a business deal, and the disappointed party decides to blow up a community center in retaliation? I don’t get the collusion in this theory of gov officials working with Hezbollah to pull off a terror strike.
Evidence of letter in trash that Nisman was supposedly going to send sounds like typical Israeli “false flag” operation. Another Lavon affair?
If someone murdered Nisman he would have scoured the place for incriminating evidence.
The letter was placed in the trash on purpose to support the government’s tale that the prosecutor changed his mind at the last minute and decided not to incriminate them as he held no evidence for his accusations, and ended up committing suicide for making a fool of himself.
Gareth Porter has uncovered the facts that support your “false flag” theory:
http://www.thenation.com/article/bushs-iranargentina-terror-frame/
https://consortiumnews.com/2015/02/07/a-rush-to-judgment-in-argentine-bomb-case/
It’s an important story which began with the murder of over 80 innocent people at a Jewish Community Center in Argentina. While there is no definitive proof, Iran and Hezbollah likely carried out the attack which targeted Jewish people for murder. There are a number of potential suspects for the murder of Nisman who vigorously pursued the case against the Iranian government and Hezbollah. Recently, he threatened to expose a cover-up by the Argentina government at the highest level. There are a lot of powerful government interests at stake. This was a story about abuse of state power, murder of innocent people and a courageous prosecutor. The story is far from complete.
https://consortiumnews.com/2015/02/07/a-rush-to-judgment-in-argentine-bomb-case/
I cover this:
“AlienSpy was born as the free “Frutas” RAT and was detected in a campaign in Mexico. It was redeveloped for sale as a “Premium RAT” known as “Adwind.” Prices ranged from $75 for a single license to $250 for multiple licenses (for more details see Appendix: Technical Investigation Details at the bottom of the document).”
If you’d like to read my analysis of malware I think is actually good, I invite you to see here:
https://firstlook.org/theintercept/2014/11/24/secret-regin-malware-belgacom-nsa-gchq/
You suggest the Argentinian government is involved in the title.
Anybody could be behind the Argentina malware, you can’t conclude anything from the information you present here on TI. The anybody could even be you or me and some Falklands troll for some reason, maybe it did not happen at all.
In South America the media is running around with their own agendas all over the place. Gossip and wild speculation is the norm. It is a very bad idea to contribute to it.
It amazes me how people in general talk as if politicians were their parents and they were expecting some sort of moral behavior from them. Also they talk as if they can’t do anything about being spied on, when there are very simple, better yet, totally free ways to defend yourself against such things.
What about writing your important findings and notes as short hand on a piece of paper? Also, they can’t install sh!t in a live DVD for physical reasons, why do people use Windows?!? and then as if it were not stupid enough they say their computers are being spied on! Well, you are using a spy station! What the eff do you expect?!?
* recording the victim’s keystrokes:
1.1) get laptop with *Gb of RAM
1.2) use knoppix (or any of the other live DVD) with the “toram” option. You could even physically remove your drives or encrypt it and your computer will work just fine
* eavesdropping via a digital device’s built-in microphone:
2.1) block the mic with a little piece of plastic bag (not totally hardened) then cover the whole spot with chew gum
2.2) use random sounds (voice + music) in the background whenever you need to talk on the phone (don’t you like music anyway?)
2.3) never say anything critical on the phone. Always assume to be spied on. Remember you pay the bill, but they (NSA/USG/police/…) own it …
* remote viewing of the desktop:
3.1) block the cam of whatever device you use
3.2) when you need to use your cam use it with another live O.S.
Disconnect yourself from the Internet when you are not using it
Of course, this will work very well, with silly stuff as it is described in this article, not with gov spies, like the FBI, NSA; but those simple measures will make them stand up their comfy chairs and sweat their butts with some back bag operation, which they don’t like a bit.
I use knoppix and in my case (using the tohd/fromhd option) they are able to corrupt the partition I boot from, so when I need to do something “important”, I boot it off the DVD
I really don’t care. As they say: “I have nothing to hide”, but I will not do their work and I am learning quite a bit from their kind of stupidity, while they are at it ;-)
RCL
Hi RCL –
“As they say: “I have nothing to hide”, but I will not do their work…” I LIKE that. More people need to hear that.
There’s basically two possible motives for individualized attacks like these, to control the individuals (through blackmail over real or invented, via the control of the computer/phone, indiscretions/malfeasance), or damage control over things they discover (letting one know what has to be covered up or explained away). And the motive can be different by individual. That’s why you can’t prove who and why for these acts, but only produce lists of suspects (those who have interests in controlling or damage control for all the individuals). But one can effectively rule out, as suspects, those who would only be interested in one or two of the people.
It appears I’m real uninformed by standards of the article and the comments. I would have thought there would have been some relating of some events prior to the bombing. What I seem to remember is a proposed deal regarding importing oil. Do I have that right? It struck me as unusual (at the time I was reading about whatever antecedents) that a bombing by Hezbollah would be the upshot. What if it was right wingers? If Nisman had kept on, what if in the course of events the Hezbollah theory was demonstrated as inadequate? In that case, killing Nisman would prevent such…plus add another accusation against K?
Oh, Morgan…THIS is the kind of reveal that gets my judgement blood pumping. Forget Ashley’s sloppy secret keeping, I enjoy a good whack at this kind of peephole creeping. Sounds like Sweden can’t stop humping folks to buy their BS airplanes. Like THEY invented the crookie jar, FCPA. We held that territory for thirty years, Star Fighter’s.
See, pipers, someone’s backing up your rain spout. Like I would trust those who run this protection racket to find them out.
That was an incredibly unsophisticated, and even crude, attack, which was facilitated by the flawed products of at least one software behemoth.
But did they go through all that trouble for only one target, or could the payloads have landed elsewhere?
A contradiction: it seems that this article narrowly focuses only on the technicalities of the spyware part of this much larger and complex story – while its title implies reference and synthesis of the whole story. And this leaves me as a reader very disappointed – especially after reading comments from Argentinians. By definition an article should provide a synthesis of an investigation by shedding new light into the specific context, and not just show a long list of technical details and methods used…in isolation from the entire context.
Given the complexity of cultural and political history of each country, it would be wise for Intercept to understand its huge limitations in the international scene, and to instead focus on what it does best – report and investigate on national issues. Which in return do have a significant impact on the international scene. I think this is the strength that Intercept has and the void that needs to be filled. My 2c.
I’m sorry,
but after I was about 1/4th of the way into this article
it became inescapably clear
that if any part of the beginning of this article is even remotely accurate
that there is NOTHING in this article which can be taken
as proof of ANYTHING –
except
that the author has an amazing ability to stay focused
while unraveling what can only be described as virtual spaghetti.
There is no real nutrition in swallowing a version of MAD magazine.
Let me guess. You are hardcore K supporter…lol
It is the same soundbite everywhere. Could you please come up with something better than Magnetto, Clarin, La nacion? Every time new details about Nisman’s case are reported, same exact response from bloggers all over the web. Being so defensive doesn’t help with knowing the truth…
Hey, no emails from Nigerian princesses? They seem to be emailing a lot, these rich girls.
Morgan-
Thanks so much for this investigation. I don’t get all the technical stuff, but you have done your homework on that regard for sure.
Politics and rhetoric aside, you’re exposing that folks ARE being targeted for surveillance for reasons way different from anything resembling counterterrorism. Wish everyone would wake up to that!
Hear! Hear! See my comment way down below.
Hi WUP
(I’m not a great typist – that’s why I abbreviate…)
Thanks! I had to go reread your comment and found: “One of the main criticisms of the SI had been a lack of control of its funding.
If only U.S. lawmakers would recognize the same!”
Good point. Many have argued that due to things like black budgets, lack of accountability, and clearly unconstitutional abuses, the NSA should be defunded – and we start over from the beginning. Not sure that will ever happen, and even so there ARE other spy agencies, unfortunately…
Still, I like to dream of the data on innocent folks being shredded and that place in Utah doing nothing but gathering dust.
It’s simple: they used Nisman and they killed him; he was not supposed to talk.
government §§ STAS I §§ murders.
FBI God bless ameriscum!
Great work, Morgan. Please continue with your excellent research, keeping yourself apart from any political influence. Such tools have already been used politically in other states, so everything would point to a new chapter in this regard. Let us hope that the mystery can be revealed for the benefit of the whole country.
Cyber-k everywhere.
Thank you very much Morgan for your work on this topic. It’s really sad to read the comments that reflect the backwards side-minded way politics is thought and understood here. Please keep up reporting facts and reasonable thoughts for the open eyes and minds of Argentina and the world.
“…open eyes and minds of Argentina and the world.”
Lol. Ben here means the right-wing opposition in Argentina and their disgusting supporters. Such open eyes and minds, those corporate shills who, in collusion with the U.S., attempt coups to overthrow that country’s democratically elected & majority-supported government.
Nisman’s sad case reads like a real life version of Borges’s short story ‘Death and the Compass.’
There are so many important omissions, and half truths in this article: First, Nisman -according to several WikiLeaks cables- reported all his “findings” to the US embassy in Buenos Aires. See Santiago O’Donnell’s investigation. However, the author has not mentioned this important fact. Second, Jorge Lanata, is not an “important Argentine journalist”: he is leading the right wing opposition, as a propagandist of the Corporate Media -under the payroll of the powerful Grupo Clarin. Clarín together with La Nación, were allies of the Dictatorship, covering up for the 30,000 missing, and thousands of political dissidents killed during that time… What a great disappointment to see this article in The Intercept!
This investigation is perfect from the technical point of view, but there are so many things to say about this story from the political/factual point of view. First of all: “He was called to testify before Congress.” In our country that is different than in the US: he was not called to testify, he was invited to explain his accusation to a small group of congressmen (most of them opposition members), but then the congressmen who support the government announced that they would question him too. He, according to Patricia Bullrich (who invited him), started having second thoughts about accepting the invitation after he received that information.
“A document requesting the arrest of Kirchner and Timerman was found in Nisman’s trash”: little detail, no lawyer in this country will write such a thing, because the members of the gov have immunity, so they first have to be dismissed from their role. So it’s believed that someone else wrote that and Nisman disposed of it and rewrote it, excluding that part.
And there are new details about why he would kill himself, like the fact that he has misused the money of his office on travel and personal expenses, also that he used to hire good-looking girls with no experience in law to work in his office (a prosecutor’s office) and travel with them at his office’s expense, also that he has undeclared accounts in US banks with money he can’t explain, and that he used to ask for licence and travel around the world even when he had a lot of vacation time he didn’t use … What it means is that all of this would come to light as soon as the journalists started digging (as it happened), and he knew that it would destroy his reputation, so maybe he was not able to handle that … just adding some facts. Hopefully no one will be offended by this.
Hello Morgan,
Have you checked deyrep.com?
Hosts an AlienSpy plugin named Chrome Form Grabber: https://jsocket.org/page/023/
The same IP has these domains:
pancaliente.info
login-office365.com (phishing?)
logon-outlook.com (phishing?)
mgoogle.us (phishing?)
soporte-gmail.com (phishing?)
soporte-yahoo.com (phishing?)
lavozamericana.info -> same IP
Check this:
https://twitter.com/DarkLocojose/status/573326427237580800
1 pancaliente.info — pedro luis // reterg // enripintos123@outlook.es // http://wa-com.com/pancaliente.info
2 deyrep.com — walteradmarquez@hotmail.com // ma*****@hotmail.com
3 login-office365.com — wilmer ruperti // reterg // reterg
4 logon-outlook.com — pedro luis // enripintos123@outlook.es
5 mgoogle.us — pedro luis // reterg – teredotr – enripintos123@outlook.es
6 soporte-gmail.com — pedro luis // reterg
7 soporte-yahoo.com — pedro luis // reterg
8 lavozamericana.info — enripintos123@outlook.es // wilmer ruperti // reterg
There seems to be a lot of fairly recent activity around political hacking in Ecuador. I think it’s all part of the “soft coup” that’s being tried there. Not so long ago, I understand the Twitter account of the National Assembly’s speaker was hacked, and the Facebook account of one of Correa’s daughters was also hacked.
It’s disappointing to see The Intercept follow The New Yorker in trafficking partisan conspiracy theories about Nisman’s death. Counting on Jorge Lanata and Clarín to investigate Nisman’s death is like counting on Rush Limbaugh and Fox News to investigate Vince Foster’s. Like The New Yorker’s Dexter Filkins, Morgan Marquis-Boire seems unaware of Página/12, including the excellent investigative pieces on Nisman’s death by Raúl Kollmann and Horacio Verbitsky. Thus, there’s no mention of Antonio Jaime Stiuso, the intelligence officer who was fired by Cristina Kirchner in December 2014, even though Stiuso sent threatening emails to Nisman and is believed to have spied on everyone important in Argentina, including Nisman, Lanata, and Máximo Kirchner. Only by casting doubt on the Buenos Herald report that Máximo was one of the spyware’s targets is Marquis-Boire able to frame the story as being about “troublemakers” for Cristina.
Please keep up the good work, Intercept, but don’t lower your standards when reporting on events in countries outside of the US and Europe.
Interesting. As it turns out, Antonio Jaime Stiuso has a close relationship with the CIA and Mossad, and now the whole thing is starting to make more sense to me.
Well, citing Pagina12 as an unbiased source of daily news is not accurate either. Have you found one instance where this paper was critical of the Kirchners? If so, please let me know. Also, comparing Jorge Lanata to Rush Limbaugh doesn’t make sense at all. Not even on an ideological level.
Pagina 12? Really? Bro, you have no idea who Horacio Verbitsky (“el perro”) is. A killer, mercenary, member of the Montoneros organization who killed people. Regards
No kidding. It sounds like there’s some spyware that is sent around in email in South America, sometimes to well known journalists, and sometimes even to heads of state like Rafael Correa. It’s somewhat interesting that the 3 countries mentioned in the article (Argentina, Ecuador and Bolivia) — leaving Venezuela aside — are the 3 most anti-imperialistic of the continent. That said, we could simply be talking about political actors trying to engage in cyber-espionage of one another. The connection to Nisman’s death seems speculative at best.
Harboring? What is this, The Guardian? Can’t you use the actual words that honestly describe his political asylum situation?
Mildly interesting, but again, it doesn’t necessarily mean anything.
Página/12 is one of the govt’s numerous media mouthpieces. Verbitsky is a sinister figure who played for both sides during the 76-83 dictatorship and is an influential figure behind the scenes in the present government. Kollman is a pitiable individual who runs stories provided for him by the intelligence services.
You’re responding to the wrong comment.
Be that as it may, and I’m not an expert on Argentina, is it true or not that the Argentinian government basically had no control of its intelligence services, which will now be replaced?
http://www.bbc.com/news/world-latin-america-31633782
The intelligence services basically had the same structure they had during the military dictatorship — that is, during Operation Condor.
What “tomatis” says about Verbitsky are lies; you will never find any trace that links him to our last dictatorship. But what he is forgetting to tell about our last dictatorship is that the owners of the TV/JOURNAL/MEDIA COMPLEX where Jorge Lanata “works” (CLARIN) obtained their monopoly thanks to the dictators. They stole the only paper plant in the country by kidnapping the owners and killing/threatening them, and the dictatorship looked the other way about these crimes. But please don’t believe me, look it up yourself: search for “papel prensa” (press paper) and the whereabouts of the “Graiver” family.
Thanks for that link, Jose. A few gems from the article:
Ms Fernandez had argued a reform of Argentina’s intelligence services was overdue.
She said that the agency…needed to become more accountable.
“We need to make the intelligence services more transparent because they have not served the interests of the country.”
Governing party lawmaker Diana Conti described the vote as “a fight for the democratization of the country’s intelligence services”.
She said it was time to put an end “to the perverse links between the intelligence services, the judiciary and some political sectors”.
One of the main criticisms of the SI had been a lack of control of its funding.
If only U.S. lawmakers would recognize the same!
Yeah! As if people didn’t know who Assange is and what is really going on
RCL