Security researchers on Thursday detailed an ongoing hacking campaign against Egyptian human rights activists and journalists, showing how the attackers have planted their own malware in the Google Play Store to track their victims.
An analysis of the hacking campaign by Check Point Software Technologies highlights how the hackers have not only used third-party apps to gain access to victim emails but also employed stealthy mobile apps that log the date and duration of calls, or the location of the caller.
Evidence suggests the Egyptian government could be behind the activity, which dates back to 2016 and is more multifaceted than previously documented. If definitively tied to Egyptian authorities, it would be just the latest example of an autocratic regime aiming software tools at activists and critics. Under President Abdel Fattah al-Sisi, the Egyptian government has cracked down further on dissent, jailing activists and, NGOs say, abusing human rights.
“We saw [the hackers] using all kinds of tools and improving them over time,” said Lotem Finkelshtein, threat intelligence group manager at Check Point. His team analyzed data on the hacking activity released by Amnesty International in March. Check Point researchers came across a database used by the hackers that included phishing links containing the email addresses of their targets, along with some other telling artifacts.
Coordinates embedded in one of the HTML phishing pages pointed to a government building in Cairo. The registrant of a domain used by the attackers is listed as MCIT, which the researchers said could be Egypt’s Ministry of Communications and Information Technology (MCIT).
“As far as we can tell, the fingerprints [on the activity] look like the Egyptian government,” Finkelshtein told CyberScoop. But the researchers could not make that attribution definitively. They could not rule out the possibility, however unlikely, of someone posing as Egyptian authorities in a false flag.
A spokesperson for Egypt’s foreign ministry could not be reached for comment, nor could a spokesperson for the MCIT.
The New York Times, which was first to report on the research, identified a political scientist, a former journalist, and a surgeon and opposition activist as among the targets of the hacking. All have either been arrested or detained.
There were at least 33 victims in total, according to Check Point, an Israel-based company. “We believe that they were determined to reach [those specific] victims,” Finkelshtein said.
But there likely are more victims. One of the malicious Android applications has been downloaded over 5,000 times from the Google Play Store. Finkelshtein said his company worked with Google and Microsoft to dismantle some of the infrastructure used by the attackers. Since then, however, the hackers are likely at work on new tools, according to Finkelshtein.
In February 2017, the University of Toronto’s Citizen Lab, a digital rights and research organization, reported on a large-scale phishing campaign in Egypt. That campaign, Citizen Lab’s John Scott-Railton told CyberScoop, appeared to be carried out by a group that is “very similar,” if not the same, as the one documented by Check Point.
“This threat actor is one of the many government-linked operators around the world that use technologically simple attacks, some cunning, and a lot of persistence, to target civil society,” said Scott-Railton, a senior security researcher at Citizen Lab.
“At the end of the day, zero-day [vulnerabilities] can be patched, but human behavior is the forever day,” he added. “As long as you can still get phishing messages into users’ inboxes, clicking is just a numbers game.”