A prominent opposition figure in Egypt, preparing to challenge President Abdel Fatah El-Sisi in the upcoming early elections, became the target of a sophisticated cyber-attack. This previously unknown “zero-day” attack aimed to infect the politician’s phone with Predator spyware, as revealed by recent research from Google and the University of Toronto’s Citizen Lab.
This significant discovery of the zero-day exploit, intended to install Predator on iPhones regardless of their up-to-date operating systems, led Apple to swiftly release a security update for its users on Thursday.
Citizen Lab stated with a high degree of confidence that the Egyptian government was behind this hacking attempt, which was unsuccessful. The target of the attack was Ahmed Eltantawy, a journalist and former member of parliament. The incident was first reported by Mada Masr, an independent Egyptian news organization. Eltantawy had temporarily resided in Lebanon but relocated back to Egypt in May.
Zero-day exploits pose a significant threat because they target security vulnerabilities not yet known to the vendor, so no patch exists for them. In this instance, Eltantawy could have been infected without having to click on anything.
Predator Spyware Exploit and its Global Ramifications
Bill Marczak, a senior research fellow at Citizen Lab, said, “A full zero-day exploit chain like this, that’s capable of installing spyware on the latest and greatest iPhones — there’s not many of those that get caught, a few a year. These things are very expensive to develop. If you look at brokers that buy and sell and publish price lists online, this would go for several million dollars.”
In July, the Biden administration imposed restrictions on Cytrox, the developer of the Predator spyware, and Intellexa, Cytrox’s affiliated business alliance, by including them in the Commerce Department’s “entity list.” These actions led to stringent trade and licensing restrictions due to their involvement in cyber exploits targeting information systems, posing a threat to individuals’ and organizations’ privacy and security globally.
Predator, once installed on a smartphone, has the capability to pilfer passwords, capture keystrokes, access data from various applications, duplicate chat messages, and record calls, even those within encrypted applications, as reported by Marczak.
Similar to other high-end spyware vendors, Cytrox claims to sell its products to government agencies exclusively. The identification of Egypt as a known customer of Predator stems from an infection attempt originating from a device physically situated within the country, as highlighted by Citizen Lab.
Eltantawy, a vocal critic of the Egyptian government and former leader of the left-wing Karama Party, had expressed his concerns regarding phone security in mid-September. He received suspicious messages containing links, prompting him to seek assistance from Citizen Lab for a thorough analysis of his phone.
When contacted for comments, representatives of the Egyptian government either declined or did not respond immediately.
Sophisticated Espionage Campaign Targeting Eltantawy’s Phone
According to Citizen Lab, the attempts to infiltrate Eltantawy’s phone involved the use of PacketLogic, a product developed by Sandvine, a networking equipment company based in Canada. Sandvine was acquired in 2017 by Francisco Partners, a private equity firm that until 2019 owned NSO Group, the manufacturer of Pegasus spyware. Governments have notoriously used Pegasus to surveil journalists, activists, political opponents, and various other individuals. Sandvine did not provide any comment when asked.
“This latest campaign underscores the harms arising from the widespread presence of commercial surveillance vendors, posing a significant threat to the online users’ safety,” stated Google’s Threat Analysis Group in a recent blog post.
Between May and September, attempts were made to install Predator on Eltantawy’s phone after he declared his candidacy, as per Citizen Lab’s investigation. Initially, Eltantawy received text and WhatsApp messages containing links to potentially harmful web pages. However, he wisely refrained from clicking on them, as noted by the researchers.
Subsequently, in August and September, Citizen Lab reported a more serious form of attack on Eltantawy, known as a network injection. Remarkably, this attack didn’t necessitate any action from him, such as clicking on a link. Google’s Threat Analysis Group characterized this as a “man-in-the-middle” attack. Whenever Eltantawy attempted to access a webpage with the “http” prefix, the attacker redirected him to an Intellexa website and then to a server that executed the exploit on his phone.
Citizen Lab expressed “high confidence” that the perpetrator used Sandvine’s PacketLogic software to reroute Eltantawy’s browser, the first time it had observed a zero-day exploit delivered in this manner. Their analysis revealed that the attempted hack was thwarted because Eltantawy had activated Apple’s “lockdown mode,” a safeguard introduced in 2022 that restricts a phone’s capabilities and closes off many attack avenues.
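The injection described above leaves a simple trace on the network: a plaintext http:// request that comes back as a redirect to some other site. As an added example, not code from Citizen Lab, Google or Sandvine, the Python script below flags that pattern in a constructed list of browser navigations; the input format and the placeholder hostnames are assumptions.

```python
"""Flag plaintext-HTTP navigations that were redirected off-site, the pattern
described for the network injection above. Added example, not the
researchers' tooling. Input is a constructed list of (requested URL,
observed redirect chain) pairs such as a local proxy or pcap parser might emit."""
from urllib.parse import urlsplit

# Constructed sample traffic. Hostnames are placeholders, not real indicators.
SAMPLE_NAVIGATIONS = [
    ("http://news.example.org/article", ["http://news.example.org/article"]),
    ("http://news.example.org/", ["https://www.news.example.org/"]),  # HTTPS upgrade, same site
    ("http://weather.example.net/today",
     ["http://landing.placeholder-intermediary.test/",                # first hop lands off-site
      "https://exploit.placeholder-server.test/run"]),                 # second hop, also off-site
    ("https://bank.example.com/", ["https://bank.example.com/login"]),
]


def _site(url):
    """Hostname with a leading 'www.' stripped, so an upgrade to www.* is not flagged."""
    host = (urlsplit(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def flag_injected_redirects(navigations):
    """Return findings for requests that started as plaintext http:// and were
    redirected to a different site. Only plaintext requests are examined: an
    on-path injector can rewrite those freely, whereas redirecting an https://
    request would require breaking TLS and would surface as a certificate error."""
    findings = []
    for requested, chain in navigations:
        if urlsplit(requested).scheme != "http":
            continue
        origin = _site(requested)
        offsite = [hop for hop in chain if _site(hop) != origin]
        if offsite:
            findings.append({"requested": requested,
                             "first_offsite_hop": offsite[0],
                             "hops_offsite": len(offsite)})
    return findings


if __name__ == "__main__":
    for f in flag_injected_redirects(SAMPLE_NAVIGATIONS):
        print(f"suspicious: {f['requested']} -> {f['first_offsite_hop']} "
              f"({f['hops_offsite']} off-site hops)")
```

A same-site upgrade from http:// to https:// is deliberately not flagged, since that is what a correctly configured site does; only a hop to a different site is reported.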
Security Flaw in Android and Prompt Patch Release
According to Google, Android users would have been served a different exploit. The Android security flaw had already been identified and reported by another researcher, and Google released a patch for it on September 5.
The assault on Eltantawy necessitated the presence of PacketLogic within the network of Eltantawy’s service provider, Vodafone Egypt. Although Citizen Lab did not accuse Vodafone of complicity in the attack, Marczak remarked that the most “straightforward” method of installing PacketLogic in the Vodafone network would involve Vodafone’s cooperation.
“Egypt is not known for being the most democratic government,” he noted. “You can imagine the government would be able to exert pressure on companies to cooperate.”
During their investigations, Citizen Lab uncovered that a previous phone belonging to Eltantawy had been successfully compromised by Predator in November 2021 through a text message containing a link.
Predator Spyware Targets Egyptian Dissidents and Activists
Eltantawy refrained from directly accusing the Egyptian government of the attack but stated his belief that he was targeted due to his political engagements. He speculated that the hacking attempt aimed to unearth materials to tarnish his reputation.
He stated firmly, “In simple terms, there’s nothing that can be used to disgrace me, even after enduring two years of hacking.”
However, what deeply troubled Eltantawy was the Egyptian government’s apprehension of individuals close to him. The Egyptian Initiative for Personal Rights confirmed that since August, at least 35 volunteers associated with Eltantawy’s campaign had been arrested throughout the country. Additionally, in the months of April and May, a dozen of Eltantawy’s relatives, including his uncles, were detained. The Egyptian Interior Ministry denied making any arrests related to involvement in a presidential campaign.
Citizen Lab’s tech experts, while investigating the assault on Eltantawy, managed to replicate the infection on a test device. This involved a complex process that cybersecurity researcher Marczak likened to a “giant cat and mouse game.” They tricked the booby-trapped website, customized to target a specific victim only once, into triggering the exploit again. By comparing the malicious software to a previous Predator sample, they identified sufficient similarities to confirm a match. In response, Apple acknowledged both Citizen Lab and Google’s Threat Analysis Group in the emergency patch released on Thursday.
In 2021, Citizen Lab disclosed that two exiled Egyptians, including opposition politician Ayman Nour, had fallen victim to the Pegasus spyware through an exploit that required a click.