HUMAN RIGHTS GROUPS and individual activists in Egypt have been targeted by a large and sophisticated phishing campaign, according to a joint investigation by the Egyptian Initiative for Personal Rights and Citizen Lab.
The campaign, which the reports call Nile Phish, coincides with an unprecedented crackdown on civil society in Egypt over the past few years, with non-governmental organizations and their staff being subjected to interrogations, arrests, travel bans, asset freezes, forced closures and a long-running trial over accusations of receiving foreign funding to destabilize the country.
The targets of the phishing attacks include seven of Egypt’s most prominent human rights groups (including EIPR), all of which are also defendants in the foreign funding case. The groups include Cairo Institute for Human Rights Studies, Egyptian Commission for Rights and Freedoms, and Nazra for Feminist Studies. The campaign also targeted a small number of individuals, including lawyers, journalists and political activists, EIPR and Citizen Lab stated.
The nature and complexity of the attacks, which occurred over the past few months, suggest the campaign is being directly coordinated by an Egyptian intelligence agency, EIPR researchers say. Although the investigation turned up no conclusive proof that the government was behind the campaign, EIPR says a combination of the sophisticated timing of the attacks, the choice of NGOs targeted, prior evidence of electronic surveillance by the state, and the wider context of the crackdown on civil society strongly point to involvement by one of the country’s intelligence agencies.
“I have no doubt that this is either a state agency or a state agency-sanctioned campaign,” said Gasser Abdel Razek, the executive director of EIPR. “Who else would be interested and willing to invest the time and effort into this kind of coordinated social engineering except the state?”
The researchers from Citizen Lab did not reach the same conclusion, as their analysis was limited to what they could demonstrate from a technical perspective.
In its simplest form, phishing is an attempt to trick a target into providing personal information, such as an account password, by sending a deceptive email. The investigation identified over 90 such attacks between November 24, 2016 and January 31, 2017.
In the first phase of the campaign, NGO workers received emails crafted as document shares from legitimate providers, such as Google or Dropbox, containing timely and sensitive information related to the ongoing government crackdown.
“The sophistication was in the deception rather than in the technology,” said John Scott-Railton, one of the authors of the report from Citizen Lab, which goes by the full name of The Citizen Lab at the Munk School of Global Affairs at the University of Toronto. “What differentiates this campaign was the extent to which it was tied to things that were going on on a day-to-day, hour-to-hour basis in Egypt.”
A prime example took place on December 7th, when Azza Soliman, a prominent lawyer and women’s rights advocate, was unexpectedly arrested at her home. Just a few hours after she was taken into custody, staff at several NGOs received an email disguised as being from Dropbox with a PDF file purporting to be the police report on Soliman’s arrest. To view the file, the target would have to enter their Dropbox password into a form that was actually controlled by the operator of the attack.
“The timing points to strong government coordination,” said Ramy Raoof, the senior research technologist at EIPR who worked on the investigation. “No one would have been able to deploy this kind of attack using Azza Soliman’s arrest warrant that quickly unless they knew ahead of time that the arrest was going to happen.”
The second phase of the phishing campaign deployed more generic messages that appeared to be personalized account-security emails from, for example, Gmail, such as warnings about suspicious login attempts that prompted the user for their login information.
Google eventually sent several NGO staff members a warning that they “may have detected government-backed attackers trying to steal your password.”
The phishing campaign gels with an ongoing effort by the Egyptian government to boost its electronic surveillance capabilities. State intelligence agencies have purchased powerful surveillance technologies from European companies in recent years, including Remote Control System software built by the Italian spyware manufacturer Hacking Team. Egyptian authorities are also continually trying to block access to the encrypted messaging app Signal while Open Whisper Systems, the company behind the app, develops ways to circumvent the censorship.
“I don’t think it will stop,” said Abdel Razek of EIPR. “Egypt’s been moving very much towards a literal police state over the past three and a half years and in a police state that’s what you do in a time where technology is one of the main mediums people are using to mobilize and to exchange ideas.”
The phishing attacks come as Egyptian president Abdel Fattah al-Sisi appears to be building close ties to President Donald Trump, who has called for heavier surveillance of mosques in the United States. Trump called Sisi a “fantastic guy” after their first meeting in September, and the Egyptian president was the first world leader to congratulate Trump after he won the election in November. Following Trump’s inauguration, Sisi was the second world leader Trump spoke to, after Israeli Prime Minister Benjamin Netanyahu. The two primarily discussed combating “terrorism and extremism,” according to a statement by the Egyptian president’s office, as well as a possible visit by Sisi to Washington.