Cyber Incident Victim: International Trade Union Confederation
Date: Dec 2016
Location: Qatar
Summary
A phishing campaign dubbed Operation Kingphish targeted civil society members, including trade unions, journalists, and labor rights activists focused on migrant workers' issues in Qatar and Nepal. Attackers impersonated a fictitious human rights advocate named "Safeena Malik" through social media and emails, deploying fraudulent Google login pages to steal credentials and compromise victims' accounts. The campaign aimed to infiltrate sensitive communications, potentially exposing networks, sources, and operational details. While no conclusive attribution was established, suspected state-affiliated actors were implicated due to the focus on Qatar-related activism and the use of an IP address linked to a Qatari telecommunications provider. The attacks exploited concerns over migrant labor abuses but showed no direct ties to a separate earlier campaign using similar themes.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 2 motives | 1 technique |

| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
Throughout 2016, and with growing intensity toward the end of the year, a coordinated phishing campaign targeted civil society figures focused on migrant workers' rights in Qatar and Nepal. Attackers created a persistent fake online persona named "Safeena Malik," posing as a human rights activist with demonstrated interest in Middle Eastern journalism, trade unions, and migrant rights campaigns. This persona engaged targets—primarily journalists, human rights defenders, and labor union members, many of them Nepali nationals—via email and social media platforms including Facebook and LinkedIn. The operation, dubbed "Kingphish" by investigators, used tailored phishing emails containing links to counterfeit Google login pages designed to harvest Gmail credentials. After victims entered their credentials, attackers redirected them to legitimate documents to avoid suspicion. Forensic analysis revealed attackers reused predictable filename patterns for profile pictures across accounts, enabling identification of nearly 30 confirmed targets, though the actual scope likely extended further.

The campaign specifically exploited concerns around Qatar’s migrant labor system, where over 90% of the workforce comprised South Asian migrants vulnerable to exploitation under the sponsorship system. Compromised email accounts risked exposing sensitive communications, activist networks, and confidential sources, potentially endangering individuals documenting labor abuses ahead of the 2022 World Cup. Investigators linked post-phishing logins to an IP address associated with Ooredoo, a telecommunications provider based in Doha, though no conclusive evidence tied the attacks to Qatari state entities. Amnesty International documented parallels with a separate December 2016 social engineering campaign by the fictitious "Voiceless Victims" group targeting similar labor rights organizations but found no direct operational connection. The Qatari government denied involvement, and attempts to contact the "Safeena Malik" accounts yielded no response. Amnesty’s investigation focused on reconstructing attack patterns and victimology rather than technical containment measures.
