Digital surveillance and cyber attacks are part of the modern-day reality for civil society, and one that most of us in the south do not have resources or skills to manage adequately. Even though JA staff had benefitted from some basic training and we made several decisions in order to improve security and decrease virus attacks (such as changing to a Linux-based operating system more than 15 years ago), the cyber world moves at a fast pace, making training, software and systems outdated quickly.

This weakness was recently exposed at JA in early January when we were hacked. Our web page was taken over and passwords changed, so we lost access to it. A ransom was demanded under the threat of deleting all the information. We first wondered if it was just a scam or bluff, but even if not, we do not entertain the option of ransom and do not reply or even attempt interacting with such threats. So we started the process of regaining access to our page. Unfortunately, while we were focused on recovering our web page, we hadn’t realized that the administrator’s laptop and JA’s main backup drive had also been hacked, only realizing this when the laptop stopped working and the backup drive was deleted. This attack exceeded previous hacks or virus attacks, and exposed the effect of the smaller and regular cyber attacks in decreasing our alertness and urgency around the issue.

Luckily, we had a recent recovery drive for the laptop and we had received training on recovering deleted drives in the past. Unfortunately, we didn’t manage to even get our Linux-based systems to identify the backup hard drive. After trying to recover the backup hard drive with other systems we gave up and had to take our backup drive to a specialist company that does data recovery at a high cost.

It took 3 weeks before we received the first batch of recovered data (almost 4TB), but the remaining data has been more complicated and we are still waiting for it, as well as the technical report from the company. However, we have been warned that the second batch of data has a lot of damaged files and is not organized in our original file system; it consists of thousands of files in dated folders that we will need to go through and reorganize.

The IT specialist also gave us some helpful information based on his findings. There was a common virus in the startup files and a concerning backdoor, similar to a well-known old Windows-based backdoor called “Banito”, but one that works on Linux systems. We also learnt that hackers had gained access to our accounts without needing to use passwords through the use of something called ‘session tokens’, which help you log in and out of your accounts without having to write the password. These tokens are stored in your computer’s cache and can be easily hacked through a RedLine Stealer malware kit, in our case through a .scr screen saver file.

There were a few other odd/concerning threats found that were more complicated to understand, especially for us with our low IT IQ. Besides, the focus of the IT specialist was data recovery; they had not done a thorough analysis. Unfortunately, the cost to do a forensic analysis was too high and the most important part to analyse would be the hacked laptop, but by then we had already reformatted the laptop (with cycles of full hard drive rewrite and delete), and we could not hand it over for a forensic analysis due to it being in urgent use by the administrator.

Amidst such eventful weeks – with Cyclone Freddy, the flooding, the death of Mozambican rapper Azagaia and then the police violence at the march to honor him – we ended up delaying the publication of this post. Coincidentally, just before we were about to post this, we found out that our Say No to Gas campaign site was also attacked by hackers, but given that the site was developed last year using more up-to-date software, and the developer was still doing the maintenance, he managed to block the attack.

We fear that these types of events may become more regular both from criminals and our governments, which have drastically increased investments in digital surveillance. Some countries, like Israel, have expanded their military oppression to digital surveillance and this has become a major business, with programs like Pegasus being exported to other regions such as Africa. This has contributed to African governments’ increased control and monitoring of civil society and oppression of critical voices. Digital surveillance has become central to these plans. Countries like Rwanda have shown the path forward for other African countries on how oppressive governments can control and suppress dissent, while not only getting a pat on the back from developed northern countries, but even turning their military and security sector into an economically productive sector servicing the northern countries’ dirty work. Digital surveillance and cyber attacks have become central to this model of oppression and human rights violations.
